Disable QOP on the 407 Proxy Auth Required

Status
Not open for further replies.

GirishDharmaraj

New Member
Aug 1, 2021
Hello Experts,

I was just wondering if there is a way to disable the qop=auth parameter on the 407 response below in FreeSWITCH. I understand this parameter is optional according to RFC 2617. The reason I want to try is that we are using a WebRTC to SIP gateway (Mizu), and when the 407 is sent by FS and the Mizu GW sends an ACK, FS keeps sending the 407 almost 10 times at 4-second intervals. The Mizu engineers suspect that the qop=auth is causing this issue and want to try disabling it.

SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/WSS d9h55fi6gutd.invalid;branch=z9hG4bK2988121;received=abc.yyy.104.144;rport=60518
From: <sip:abcde@test.com>;tag=1i0om9f8q2
To: <sip:12345678@test.com>;tag=gK2p2Z6vm8pKK
Call-ID: 2o19kkuc2320g3gm8e16
CSeq: 8627 INVITE
User-Agent: FreeSWITCH
Accept: application/sdp
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, presence, as-feature-event, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer
Proxy-Authenticate: Digest realm="test.com", nonce="ed15197a-4a90-4c8e-9340-ea20b6473efd", algorithm=MD5, qop="auth"
Content-Length: 0
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
You probably need to double-check this, but it is my belief that for SIP, qop should always be present in WWW-Authenticate and Proxy-Authenticate headers. If for any reason it is missing, qop="auth" should be assumed. Sorry, I can't remember the RFC right now.
 

GirishDharmaraj

Noted Sir, this is what the RFC says.

qop-options
This directive is optional, but is made so only for backward
compatibility with RFC 2069 [6]; it SHOULD be used by all
implementations compliant with this version of the Digest scheme.
If present, it is a quoted string of one or more tokens indicating
the "quality of protection" values supported by the server. The
value "auth" indicates authentication; the value "auth-int"
indicates authentication with integrity protection; see the
descriptions below for calculating the response directive value for
the application of this choice. Unrecognized options MUST be
ignored.

auth-param
This directive allows for future extensions. Any unrecognized
directive MUST be ignored.
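
Added example, not part of the original thread and not FreeSWITCH or Mizu code: how a client's Digest response is computed under RFC 2617 when the challenge carries qop="auth" and when it carries no qop at all. The challenge string is the Proxy-Authenticate value from the 407 above; the password, request URI and cnonce are constructed sample values.

```python
import hashlib
import re

# Matches key=token or key="quoted string" pairs in a Digest challenge.
PARAM = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,\s]+))')

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def parse_challenge(value: str) -> dict:
    """Parse a WWW-/Proxy-Authenticate value into a dict of parameters."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PARAM.finditer(params)}

def digest_response(challenge: str, user: str, password: str, method: str,
                    uri: str, cnonce: str, nc: int = 1) -> dict:
    """Compute the credentials a client would send for this challenge."""
    c = parse_challenge(challenge)
    if c.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    ha1 = md5_hex(f"{user}:{c['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    offered = [t.strip() for t in c.get("qop", "").split(",") if t.strip()]
    if "auth" in offered:
        # RFC 2617: client nonce and nonce count are bound into the hash.
        nc_hex = f"{nc:08x}"
        resp = md5_hex(f"{ha1}:{c['nonce']}:{nc_hex}:{cnonce}:auth:{ha2}")
        return {"response": resp, "qop": "auth", "nc": nc_hex, "cnonce": cnonce}
    if not offered:
        # No qop in the challenge: RFC 2069-compatible form, no cnonce or nc.
        return {"response": md5_hex(f"{ha1}:{c['nonce']}:{ha2}")}
    raise ValueError("challenge offers only qop values not handled here")

# Challenge copied from the 407 in the thread; the credentials and request
# URI used below are constructed sample values.
PAGE_CHALLENGE = ('Digest realm="test.com", '
                  'nonce="ed15197a-4a90-4c8e-9340-ea20b6473efd", '
                  'algorithm=MD5, qop="auth"')
NO_QOP_CHALLENGE = PAGE_CHALLENGE.replace(', qop="auth"', "")

if __name__ == "__main__":
    args = ("abcde", "example-password", "INVITE", "sip:12345678@test.com", "0a4f113b")
    print("with qop   :", digest_response(PAGE_CHALLENGE, *args))
    print("without qop:", digest_response(NO_QOP_CHALLENGE, *args))
```

Without qop the response does not depend on cnonce or nc, so replay resistance rests on the server's nonce handling alone.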
 

Adrian Fretwell

Noted, I can't remember where my original information came from, but I have found this:

From RFC8760 (The Session Initiation Protocol (SIP) Digest Access Authentication Scheme)
Section 2.6.8:

A UAS MUST be able to properly handle a "qop" parameter received
in an Authorization/Proxy-Authorization header field, and a UAC
MUST be able to properly handle a "qop" parameter received in
WWW-Authenticate and Proxy-Authenticate header fields. However,
for backward compatibility reasons, the "qop" parameter is
optional for clients and servers based on [RFC3261] to receive.
If the "qop" parameter is not specified, then the default value
is "auth".

A UAS MUST always send a "qop" parameter in WWW-Authenticate and
Proxy-Authenticate header field values, and a UAC MUST send the
"qop" parameter in any resulting authorization header field.
 

Adrian Fretwell

I do not think there is. If qop (quality of protection) is omitted in HTTP WWW-Authenticate, then a browser will fall back to basic protection, i.e. plain text passwords (probably OK on an HTTPS connection). But for SIP, basic protection is not permitted; that is why qop, if missing, should default to "auth".
 