Consider the following sequence:
SIP UA SIP Gateway
-> INVITE ->
< - 407 Proxy Authentication Required (Proxy-Authenticate) <-
-> INVITE (Proxy-Authorization)->
< - 488 Not Acceptable Here <-
Too much time I spent today trying to find a bug in the code which caused some commercial SIP Gateway to send “488 Not Acceptable Here” messages in response for INVITE sent by my application.
In short, 488 message is usually sent when UA has some problems with media descriptors being offered. This description made my search focused on SDP code. However, this time it so far away from the point.
By standard UA must send Proxy-Authorization header in response for Proxy-Authenticate header.
Also, there is Authorization header which is sent in response to WWW-Authenticate.
The bug in my code was sending Authorization header in response for Proxy-Authorization and this behavior is a violation of a RFC. However, SIP Gateway which we are using internally was replying with “488 Not Acceptable Here” which is actually does not make sense here. I tried first to analyze and change media stream descriptors but I kept getting this response.
So mixing Proxy-Authorize with Authorize is not a good idea.
This should form a good memo here.
[challenge] Proxy-Authenticate [response] Proxy-Authorization and [challenge] WWW-Authenticate [response] Authorization
Normally, SIP Gateway sends “407 Proxy Authentication Required” response and includes “Proxy-Authenticate” header in the message. It can also send “401 Unauthorized” response and include “WWW-Authenticate” header.
This two mechanisms are independent and a valid UA should support both.