What authentication header to use?


i am currently developing a SIP client in pure java using the JAIN SIP API to reigster, authenticate and send messages to a Asterisk server running on a seperate machine.

I have approached the Registering and authentication process in two steps:

  1. make a register SIP request
  2. if response is 401(which it is) retrieve the WWW-AuthenticatonHeader from Asterisk and use the nonse to generate a md5 hash for the response field to be set on a AuthenticationHeader that i am populating.

The md5 will hash the username, password, request type etc and add it to a AuthenticationHeader.

After this, i then send the same request i made previously but with the AuthenticationHeader attached.

This is the example my code is based on:


The issue i am having is that the Asterisk server keeps responding with a 401 status code dispite adding the AuthHeaders with its md5 hashes of the username and password contained so i am wondering if Asterisk server uses a different kind of authentication challenge/method?

How can i access the Logs from Asterisks to see exactly why it rejects my Auth requests? Could it be bad username and password? invalid nonse?

At the moment the server just returns 401 without more information on exactly what is the issue.


For logging see wiki.asterisk.org/wiki/display/ … nformation

Given that large number of phones that successfully authenticate with Asterisk, you can assume that Asterisk uses the authentication method that it specifies in the WWW-AuthenticatonHeader, and that that is a commonly implemented one.

How can i see which is the issue with my authentication?

the server only returns a very generic 401 error. i do not know if my password is wrong? my md5 hash is wrong? etc.

Is there a way to find this out because all the logs show me is this:

NOTICE[1742] chan_sip.c: Registration from ‘sip:’ failed for ‘’ - No matching peer found

It looks like your address of record is wrong. Asterisk matches the address of record on the user part, and you appear to have no user part. If the IP part is anything other than the address of Asterisk itself, you probably don’t need to register at all, as you can probably use a static address.

The message is saying that it failed to find a sip.conf entry against which to authenticate.

In the SIP protocol itself, you are not going to get anything more than a generic error, as to do anything else would help an attacker.

I think there is an option to match on authuser, but that would be unusual.