Re: [Siproxd-users] Error "security check failed: NULL To Header" when running siproxd
From: Thomas R. <tr...@gm...> - 2007-01-19 01:18:23
Hi,

I'm currently on vacation, so just a few short comments, see below:

Michael Engel wrote:
> Hi,
>
> we're trying to run siproxd as proxy for an Asterisk server running
> behind a NAT in a private IP range. Asterisk runs on a Linux
> (Eisfair) machine, while the NAT router running siproxd is a
> NetBSD Sparc64 machine. siproxd (0.5.13 as well as 0.6.0) and
> libosip2-2.2.2 compiled without problems.
>
> The NAT router connects the internal network (192.168.1.x,
> interface hme0) to the Internet (DSL using pppoe with dynamic
> addresses and dyndns service, interface pppoe0). Port 5060
> (outgoing) is redirected on the router using the rule
>
> rdr hme0 0/0 port 5060 -> 127.0.0.1 port 5060 tcp/udp
>
> in /etc/ipnat.conf, incoming ports 5060 as well as
> 10000-20000 are redirected to the Asterisk server:

Why do you redirect incoming ports? By redirecting them you "steal" them
from siproxd, so they can not be processed. This will not work properly.
As shown in
<http://siproxd.sourceforge.net/siproxd_guide/siproxd_guide_c6s5.html>,
OUTGOING traffic must be passed via siproxd, the incoming traffic is
directed to siproxd and MUST be processed by siproxd. It then will be
sent (by siproxd) to the internal UAs. The only firewall rules for
INCOMING traffic are to ALLOW the incoming traffic to siproxd.

>
> rdr pppoe0 0/0 port 5060-5065 -> 192.168.1.200 port 5060 tcp/udp
> rdr pppoe0 0/0 port 10000-20000 -> 192.168.1.200 port 10000 tcp/udp
>
> Now, whenever the Asterisk server tries to register with a
> provider (in the example below it's T-Online, but sipgate and
> gmx cause the same problem), I get an error message:
>
> security check failed: NULL To Header
>
> This happens with siproxd versions 0.5.13 and 0.6.0. As far
> as I can see from the packet log, there is a valid "To" header
> field, so I suspect s.th. else may fail here (64 bit perhaps?
> Big endian byte order? gcc is version 3.3.3)... any ideas?

This error indicates that the parsed SIP message (osip_message_t
structure) has no valid To header (NULL). At least the host part must be
present.

...snip...
   /* check for existing To: header */
   if ((sip->to==NULL)||
       (sip->to->url==NULL)||(sip->to->url->host==NULL)) {
      ERROR("security check failed: NULL To Header");
      return STS_FAILURE;
   }
...snip...

It would be very interesting if you could edit the file security.c and
put additional debug output in to see what actually is contained in this
structure. It *might* even be a libosip2 error (I'm not yet going to
blame anyone, but these checks are made right after libosip2 did parse
the received message - and if there is NULL...)

>
> I've attached the log excerpt and the config file below, if you
> require more information please let me know...
>
> Btw., we're mainly setting this up because gmx VoIP doesn't
> seem to work with the NATed configuration (T-Online and
> sipgate actually work for incoming as well as outgoing calls
> without using a proxy). Do you have any experience running
> siproxd against gmx?
>
> -- Michael
>
> 02:19:01 ERROR:security.c:268 security check failed: NULL To Header
> 02:19:01 ERROR:siproxd.c:348 security_check_sip() failed... this is
> not good
> ---BUFFER DUMP follows---
> 52 45 47 49 53 54 45 52 20 73 69 70 3a 74 65 6c REGISTER sip:tel
> 2e 74 2d 6f 6e 6c 69 6e 65 2e 64 65 20 53 49 50 .t-online.de SIP
> 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 /2.0..Via: SIP/2
> 2e 30 2f 55 44 50 20 38 34 2e 31 36 35 2e xx xx .0/UDP 84.165.xx
> 2e xx xx xx 3a 35 30 36 30 3b 62 72 61 6e 63 68 .xxx:5060;branch
> 3d 7a 39 68 47 34 62 4b 35 64 64 63 61 38 37 62 =z9hG4bK5ddca87b
> 3b 72 70 6f 72 74 0d 0a 46 72 6f 6d 3a 20 3c 73 ;rport..From: <s
> 69 70 3a 30 33 32 32 32 39 32 xx xx xx xx xx xx ip:032229xxxxxx@
> 74 65 6c 2e 74 2d 6f 6e 6c 69 6e 65 2e 64 65 3e tel.t-online.de>
> 3b 74 61 67 3d 61 73 31 39 62 62 63 38 33 36 0d ;tag=as19bbc836.
> 0a 54 6f 3a 20 3c 73 69 70 3a 30 33 32 32 32 39 .To: <sip:032229
> xx xx xx xx xx xx 40 74 65 6c 2e 74 2d 6f 6e 6c xxxxxx@tel.t-onl
> 69 6e 65 2e 64 65 3e 0d 0a 43 61 6c 6c 2d 49 44 ine.de>..Call-ID
> 3a 20 37 66 63 36 63 62 66 32 34 30 34 35 62 62 : 7fc6cbf24045bb
> 33 37 30 31 36 66 63 66 30 38 33 65 64 39 33 66 37016fcf083ed93f
> 62 32 40 31 39 32 2e 31 36 38 2e 31 2e 32 30 30 b2@192.168.1.200
> 0d 0a 43 53 65 71 3a 20 31 30 36 20 52 45 47 49 ..CSeq: 106 REGI
> 53 54 45 52 0d 0a 55 73 65 72 2d 41 67 65 6e 74 STER..User-Agent
> 3a 20 41 73 74 65 72 69 73 6b 20 50 42 58 0d 0a : Asterisk PBX..
> 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 Max-Forwards: 70
> 0d 0a 45 78 70 69 72 65 73 3a 20 33 36 30 30 0d ..Expires: 3600.
> 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 30 .Contact: <sip:0
> 33 32 32 32 39 32 39 33 39 31 33 40 38 34 2e 31 32229293913@84.1
> 36 35 2e xx xx 2e xx xx xx 3e 0d 0a 45 76 65 6e 65.xx.xxx>..Even
> 74 3a 20 72 65 67 69 73 74 72 61 74 69 6f 6e 0d t: registration.
> 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a .Content-Length:
> 20 30 0d 0a 0d 0a                                0....
>
> ---end of BUFFER DUMP---
>
> config:
>
> if_inbound = hme0
> if_outbound = pppoe0
> hosts_allow_reg = 192.168.1.0/24
> hosts_allow_sip = 192.168.1.0/24

This hosts_allow_sip line will prohibit ANYONE not in the 192.168.1.x
net to send anything to siproxd. Does not really make sense (you want to
receive SIP packets from the Internet, I assume?). Comment this out.

> sip_listen_port = 5060
> daemonize = 0
> silence_log = 0
> log_calls = 1
> user = nobody
> registration_file = /var/run/siproxd/siproxd_registrations
> pid_file = /var/run/siproxd/siproxd.pid
> rtp_proxy_enable = 1
> rtp_port_low = 10000
> rtp_port_high = 20000
> rtp_timeout = 300
> default_expires = 600
> debug_level = 0xffffffff
> debug_port = 0
>

Regards,
/Thomas
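
Added example, not part of the original message and not siproxd or libosip2 code: a standalone cross-check that pulls the To host straight out of a raw SIP buffer, so a dump like the one above can be compared with what the parsed osip_message_t reports when the NULL To Header check fires. The function name raw_to_host, its return codes and the sample messages (example.invalid placeholders) are constructed for illustration, and the parsing is simplified as noted in the comment.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed samples (placeholder names): a REGISTER shaped like the one in
 * the dump, a To header without a host, and a message with no To header. */
const char SAMPLE_OK[] =
    "REGISTER sip:example.invalid SIP/2.0\r\n"
    "From: <sip:user@example.invalid>;tag=constructed\r\n"
    "To: <sip:user@example.invalid>\r\nCSeq: 1 REGISTER\r\n\r\n";
const char SAMPLE_NOHOST[] = "REGISTER sip:a.invalid SIP/2.0\r\nTo: <sip:user@>\r\n\r\n";
const char SAMPLE_NOTO[] = "REGISTER sip:a.invalid SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n";

/* Hypothetical helper: copy the host of the To URI out of a raw SIP buffer.
 * Returns 0 on success, -1 if no To header is found, -2 if it has no usable
 * host. Simplified: no header folding, no IPv6 literals, no space before ':'. */
int raw_to_host(const char *msg, char *out, size_t outlen)
{
    const char *line = strstr(msg, "\r\n");             /* end of request line */
    while (line && line[2] != '\0' && line[2] != '\r') {
        line += 2;                                      /* next header line */
        size_t n = strcspn(line, ":\r");                /* header name length */
        const char *eol = strstr(line, "\r\n");
        const char *end = eol ? eol : line + strlen(line);
        int is_to = line[n] == ':' &&
            ((n == 2 && strncasecmp(line, "To", 2) == 0) ||
             (n == 1 && strncasecmp(line, "t", 1) == 0)); /* compact form */
        for (const char *p = line + n + 1; is_to && end - p >= 4; p++) {
            if (strncasecmp(p, "sip:", 4) && strncasecmp(p, "sips:", 5)) continue;
            const char *uri = strchr(p, ':') + 1;
            size_t ulen = strcspn(uri, "> \t\r");       /* end of the URI */
            const char *at = memchr(uri, '@', ulen);    /* skip userinfo */
            const char *host = at ? at + 1 : uri;
            size_t hlen = strcspn(host, ":;?> \t\r");
            if (hlen == 0 || hlen >= outlen) return -2;
            memcpy(out, host, hlen); out[hlen] = '\0';
            return 0;
        }
        if (is_to) return -2;                           /* To present, no URI */
        line = eol;
    }
    return -1;
}

int main(void)
{
    char host[64] = "";
    printf("rc=%d host=%s\n", raw_to_host(SAMPLE_OK, host, sizeof host), host);
    return 0;
}
```

If this returns a host for the received buffer while the parsed structure still has a NULL sip->to, sip->to->url or sip->to->url->host, the message on the wire is fine and the problem lies in parsing.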