diago icon indicating copy to clipboard operation
diago copied to clipboard
Published 1 month ago verified publisher icon emiago

Authentication fails with some PBX implementations due to From header

Open enkore opened this issue 1 month ago • 1 comments

Some PBX implementations (e.g. 3cx) seem to use the From header when evaluating authentication (specifically: requiring the From header to point to a valid extension within the system, and the username from the Proxy-Authorization header to match the authentication ID of the extension), which causes authentication to fail because the default From header is set to the user agent and not the username/extension. Most/all other implementations populate it with the extension. The behavior of sipgo/diago doesn't seem to conform to RFC3261 § 20.20, which specifies that the From header is meant to identify the initiator of the request.

Example SIP trace:

INVITE sip:destination@pbx SIP/2.0
From: "sipgo" <sip:sipgo@pbx>;tag=...
To: <sip:destination@pbx>
...
<-- 407 Proxy Authentication Required

INVITE ...
From: "sipgo" <sip:sipgo@pbx>;tag=...
Proxy-Authorization: Digest username="authuser", ...
<-- 404 User unknown

Modifying the UA opts to set the user agent string to the user (extension number) makes it work:

uaOpts := []sipgo.UserAgentOption{
    sipgo.WithUserAgent(cfg.SipUser),
}

INVITE sip:destination@pbx SIP/2.0
From: "123" <sip:123@pbx>;tag=...
To: <sip:destination@pbx>
...
<-- 407 Proxy Authentication Required

INVITE ...
From: "123" <sip:123@pbx>;tag=...
Proxy-Authorization: Digest username="authuser", ...
<-- 100 Trying
...

This can also be reproduced with gophone like gophone dial -username authuser -password authpw 'sip:destination@pbx'. There seems to be somewhat conspicuous lack of of "from" option in the gophone dial CLI as well. I assume other PBX systems simply look at the auth user and force the call on the associated extension.

Besides cross-referencing this with SIP traces from hardphones I also checked the behavior of pjsip using pjsua, which populates the From header as shown as well and correctly interoperates with 3cx for both REGISTER and INVITE.

enkore avatar Nov 23 '25 13:11 enkore

In most cases yes username=useragent where extension is referenced, but it is not MUST. If tech behind is Asterisk or Freeswitch they will allow having different extension and username,just for practicallity this is not used.

Here is maybe a bit confusing for you,but what ever you set for useragent it is used as username for Auth if not set. To be clear useragent is ID but username is just part of auth, and for me it is more correct to read like this. Where can be issue if you need to deel with multiple IDs, then right now you have to mess arround with From header.

I can not see now how to reverse logic. Gophone also has -ua flag for setting useragent while username is used for auth, and yes generally only you need to set -ua and -password

emiago avatar Nov 27 '25 20:11 emiago