[Freeswitch-users] sip profile - accept-blind-auth vs
Gabriel Gunderson
gabe at gundy.org
Sun Oct 14 12:17:19 MSD 2012
On Aug 21, 2012 4:38 PM, "Daniel-Constantin Mierla" <miconda at gmail.com>
wrote:
>
> Hello,
>
> the version is:
>
> FreeSWITCH version: 1.2.1+git~20120816T172128Z~6dc9596bec (1.2.1; git at
commit 6dc9596bec on Thu, 16 Aug 2012 17:21:28 Z)
>
> Did few calls and got one more strange situation. So I commented the line:
>
>
> <param name="accept-blind-auth" value="true"/>
>
> and let:
>
> <param name="auth-calls" value="true"/>
>
> Surprising, the calls are not authenticated.
>
> But if I set:
>
>
> <param name="auth-calls" value="false"/>
>
> I get 407 reply.
>
> To summarize, I got:
> 1) auth-calls=false and accept-blind-auth=true => no 407 reply
> 2) auth-calls=false and accept-blind-auth commented => 407 reply
> 3) auth-calls=true and accept-blind-auth commented => no 407 reply
>
> Looks like 3) is opposite than expected. Maybe it's too late in the night
here, missing something obvious, I will try again tomorrow morning and I
will fire a bug if it is really the case.
What came of this?
>
> Cheers,
> Daniel
>
>
>
> On 8/21/12 11:43 PM, Michael Collins wrote:
>>
>> FWIW, I could not reproduce this behavior on v1.2.stable branch. When I
set auth-calls=false in the SIP profile and make an inbound call it just
relies on the ACL and that's it.
>>
>> Miconda, what version of FS did you say you were running?
>>
>> -MC
>>
>> On Tue, Aug 21, 2012 at 1:50 PM, Daniel-Constantin Mierla <
miconda at gmail.com> wrote:
>>>
>>> Hi Mike,
>>>
>>> On 8/21/12 10:27 PM, Michael Jerris wrote:
>>> > auth-calls false means we won't challenge invite, accept-blind-auth
means if auth headers are there, we ignore them.
>>>
>>> it is what I expected from auth-calls (and worked like this in the
>>> past), but now even if set to false, the calls are challenged with 407
>>> reply for authentication. Only when I set accept-blind-auth to false
>>> there is no 407.
>>>
>>> Overall, it gets me what I need, access being granted on IP acl, but I
>>> wanted to double check if such change in behaviour of auth-calls was
>>> done on purpose. I will review my changes comparing with the default
>>> configs to see if I modified other params that could result in this
>>> situation, although I think there is no other related parameter.
>>>
>>> Cheers,
>>> Daniel
>>>
>>> >
>>> > Mike
>>> >
>>> > On Aug 21, 2012, at 1:57 PM, Daniel-Constantin Mierla <
miconda at gmail.com> wrote:
>>> >
>>> >> Hello,
>>> >>
>>> >> in the past I used to set:
>>> >>
>>> >> <param name="auth-calls" value="false"/>
>>> >>
>>> >> in the sip profile in order to skip user authentication for calls.
>>> >>
>>> >> Lately I started to play a bit with 1.2 stable branch and seems that
>>> >> setting auth-calls to false is no longer doing what I expected, calls
>>> >> being challenged for user authentication.
>>> >>
>>> >> Setting instead the accept-blind-auth to false got me what I wanted,
like:
>>> >>
>>> >> <!-- accept any authentication without actually checking (not a
>>> >> good feature for most people) -->
>>> >> <param name="accept-blind-auth" value="true"/>
>>> >>
>>> >> But from the comment (checked the wiki as well, but has the same
text)
>>> >> is a bit unclear what is the real purpose for it.
>>> >>
>>> >> Isn't auth-calls=false supposed to accept calls without user
>>> >> authentication anymore?
>>> >>
>>> >> For this particular case, I play some announcements, like 'user not
>>> >> available', and should work also for calls coming from outside. The
>>> >> access is restricted by IP address ACL, allowing SIP traffic only
from
>>> >> my Kamailio instance.
>>> >
>>> >
_________________________________________________________________________
>>> > Professional FreeSWITCH Consulting Services:
>>> > consulting at freeswitch.org
>>> > http://www.freeswitchsolutions.com
>>> >
>>> >
>>> >
>>> >
>>> > Official FreeSWITCH Sites
>>> > http://www.freeswitch.org
>>> > http://wiki.freeswitch.org
>>> > http://www.cluecon.com
>>> >
>>> > FreeSWITCH-users mailing list
>>> > FreeSWITCH-users at lists.freeswitch.org
>>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> > UNSUBSCRIBE:
http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> > http://www.freeswitch.org
>>>
>>> --
>>> Daniel-Constantin Mierla - http://www.asipto.com
>>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>>> Kamailio Advanced Training, Berlin, Nov 5-8, 2012 -
http://asipto.com/u/kat
>>>
>>>
>>>
_________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>>
>>>
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-
>>
>>
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>>
>>
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20121014/fd549576/attachment-0001.html
Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users
mailing list