Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS
Hello Laurent, interesting.. Have you checked already if you see this different password results also on the network level if you look to the mysql client-server traffic? Then you should know at least it its related to kamailio or the database(s). Cheers, Henning Am 30.08.19 um 10:18 schrieb Laurent Schweizer: Hi Henning, Hi all, Maybe my first assumption was wrong, the wrong result is changing ☹. I have added some extra debug info in modules/auth_db/authorize.c to display not only the calculated hash but also the username, domain and password if (calc_ha1) { /* Only plaintext passwords are stored in database, * we have to calculate HA1 */ auth_api.calc_HA1(HA_MD5, &_username->whole, _domain, , 0, 0, _ha1); LM_DBG("FOR NU HA1 string calculated: %s username:\'%.*s\' realm:\'%.*s\' pass:\'%.*s\' \n", _ha1 , _username->user.len, ZSW(_username->user.s) , (_domain->len) , ZSW(_domain->s), result.len , result.s); } else { memcpy(_ha1, result.s, result.len); _ha1[result.len] = '\0'; } return 0; and I see for the same username different password … of course password was not changed in DB password are not random, it’s password from other user, just one case that is different is the “0” (we don’t have any user with a password like this ) Aug 30 09:37:02 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 5057166924cd85af0250c36d24eb username:'90707009764' realm:'pbxs.peoplefone.de' pass:'H3--D' Aug 30 09:37:02 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 7547ba1f80a651437908d050493086f9 username:'90707009764' realm:'pbxs.peoplefone.de' pass:'R3--2' Aug 30 09:37:03 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 8947348b1af4cba356532c3b49dba559 username:'90707009764' realm:'pbxs.peoplefone.de' pass:'72--s' Aug 30 09:37:03 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 348ce71603d44a0dd3303d8e07e155d8 username:'90707009764' realm:'pbxs.peoplefone.de' pass:'X-g' Aug 30 09:37:04 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 7fc7adfa1f3a18d27988ffbe42ecfdfd username:'90707009764' realm:'pbxs.peoplefone.de' pass:'0' Aug 30 09:37:35 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: b313ccfd2848fdc245cc1490607e6eb7 username:'90707009764' realm:'pbxs.peoplefone.de' pass:'s---w' I’m using a mysql/percona DB with 3 server so I’m using the db_cluster module… Any idea ? BR Laurent From: Henning Westerholt <mailto:h...@skalatan.de> Sent: jeudi, 29 août 2019 18:28 To: Kamailio (SER) - Users Mailing List <mailto:sr-users@lists.kamailio.org>; Laurent Schweizer <mailto:laurent.schwei...@peoplefone.com> Subject: Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS Hello Laurent, (you might want to anonymize your msg dumps bit on this public list) You probably did already this steps, but nevertheless some debugging ideas: - capture a longer network trace and compare the network data of a working against non-working case - try to see to find a pattern (e.g. does it happens during a certain time, only to certain users or devices) - have a look to network interface statistics on server and router/firewall if maybe some corruption is caused from an interface - have a look to other network services that are using the same network infrastructure to see if they are also affected Cheers, Henning Am 29.08.19 um 10:58 schrieb Laurent Schweizer: Hello, I try to get some log, I only see that password seems wrong but he was not changed and registration of this user was ok just before ☹ Any idea how to debug this ? Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:288]: auth_check_response(): check_response: Our result = 'bc946bb4ea732eb35d11d0970631c6f8' Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:298]: auth_check_response(): check_response: Authorization failed Aug 29 10:21:38 de5029 kamailio[22615]: WARNING:
Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS
Hi Henning, Hi all, Maybe my first assumption was wrong, the wrong result is changing ☹. I have added some extra debug info in modules/auth_db/authorize.c to display not only the calculated hash but also the username, domain and password if (calc_ha1) { /* Only plaintext passwords are stored in database, * we have to calculate HA1 */ auth_api.calc_HA1(HA_MD5, &_username->whole, _domain, , 0, 0, _ha1); LM_DBG("FOR NU HA1 string calculated: %s username:\'%.*s\' realm:\'%.*s\' pass:\'%.*s\' \n", _ha1 , _username->user.len, ZSW(_username->user.s) , (_domain->len) , ZSW(_domain->s), result.len , result.s); } else { memcpy(_ha1, result.s, result.len); _ha1[result.len] = '\0'; } return 0; and I see for the same username different password … of course password was not changed in DB password are not random, it’s password from other user, just one case that is different is the “0” (we don’t have any user with a password like this ) Aug 30 09:37:02 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 5057166924cd85af0250c36d24eb username:'90707009764' realm:'pbxs.peoplefone.de' pass:'H3--D' Aug 30 09:37:02 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 7547ba1f80a651437908d050493086f9 username:'90707009764' realm:'pbxs.peoplefone.de' pass:'R3--2' Aug 30 09:37:03 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 8947348b1af4cba356532c3b49dba559 username:'90707009764' realm:'pbxs.peoplefone.de' pass:'72--s' Aug 30 09:37:03 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 348ce71603d44a0dd3303d8e07e155d8 username:'90707009764' realm:'pbxs.peoplefone.de' pass:'X-g' Aug 30 09:37:04 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 7fc7adfa1f3a18d27988ffbe42ecfdfd username:'90707009764' realm:'pbxs.peoplefone.de' pass:'0' Aug 30 09:37:35 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: b313ccfd2848fdc245cc1490607e6eb7 username:'90707009764' realm:'pbxs.peoplefone.de' pass:'s---w' I’m using a mysql/percona DB with 3 server so I’m using the db_cluster module… Any idea ? BR Laurent From: Henning Westerholt Sent: jeudi, 29 août 2019 18:28 To: Kamailio (SER) - Users Mailing List ; Laurent Schweizer Subject: Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS Hello Laurent, (you might want to anonymize your msg dumps bit on this public list) You probably did already this steps, but nevertheless some debugging ideas: - capture a longer network trace and compare the network data of a working against non-working case - try to see to find a pattern (e.g. does it happens during a certain time, only to certain users or devices) - have a look to network interface statistics on server and router/firewall if maybe some corruption is caused from an interface - have a look to other network services that are using the same network infrastructure to see if they are also affected Cheers, Henning Am 29.08.19 um 10:58 schrieb Laurent Schweizer: Hello, I try to get some log, I only see that password seems wrong but he was not changed and registration of this user was ok just before ☹ Any idea how to debug this ? Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:288]: auth_check_response(): check_response: Our result = 'bc946bb4ea732eb35d11d0970631c6f8' Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:298]: auth_check_response(): check_response: Authorization failed Aug 29 10:21:38 de5029 kamailio[22615]: WARNING:
Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS
Hello Laurent, (you might want to anonymize your msg dumps bit on this public list) You probably did already this steps, but nevertheless some debugging ideas: - capture a longer network trace and compare the network data of a working against non-working case - try to see to find a pattern (e.g. does it happens during a certain time, only to certain users or devices) - have a look to network interface statistics on server and router/firewall if maybe some corruption is caused from an interface - have a look to other network services that are using the same network infrastructure to see if they are also affected Cheers, Henning Am 29.08.19 um 10:58 schrieb Laurent Schweizer: Hello, I try to get some log, I only see that password seems wrong but he was not changed and registration of this user was ok just before ☹ Any idea how to debug this ? Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:288]: auth_check_response(): check_response: Our result = 'bc946bb4ea732eb35d11d0970631c6f8' Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:298]: auth_check_response(): check_response: Authorization failed Aug 29 10:21:38 de5029 kamailio[22615]: WARNING:
Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS
Hello, I try to get some log, I only see that password seems wrong but he was not changed and registration of this user was ok just before ☹ Any idea how to debug this ? Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:288]: auth_check_response(): check_response: Our result = 'bc946bb4ea732eb35d11d0970631c6f8' Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:298]: auth_check_response(): check_response: Authorization failed Aug 29 10:21:38 de5029 kamailio[22615]: WARNING:
Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS
Wireshark was missing . From: Laurent Schweizer Sent: lundi, 26 août 2019 10:25 To: 'Kamailio (SER) - Users Mailing List' Subject: Kamailio 5.0.8 | authentification issue only with TCP/TLS Dear all, I have a kamailio running in version 5.0.8 and since fee weeks we have an issue with different users connected in TCP or TLS, sometimes authorization like for REGISTER are rejected and after a moment (can be few minute or hours) it work again and of course no change was done in the password We see this issue with different device, snom swyx, ... and on UDP we have no issue. I can see that when the Register is rejected it's with the error -2, so wrong password... # Authentication route route[AUTH] { if (is_method("REGISTER")) { # authenticate requests if (!auth_check("$fd", "subscriber", "1")) { switch($retcode) { case -1: sl_send_reply("503","Service not available"); exit; case -2: xlog("L_WARN", "auth error -2 username $au - src ip: $si \n"); auth_challenge("$fd", "0"); exit; I have attached an example of a trace where we can see a first REGISTER accepted and less than 2 minutes after a new one is rejected. ( in between they is a REGISTER without any Authorization header) Any idea ? BR Laurent <> ___ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
[SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS
Dear all, I have a kamailio running in version 5.0.8 and since fee weeks we have an issue with different users connected in TCP or TLS, sometimes authorization like for REGISTER are rejected and after a moment (can be few minute or hours) it work again and of course no change was done in the password We see this issue with different device, snom swyx, ... and on UDP we have no issue. I can see that when the Register is rejected it's with the error -2, so wrong password... # Authentication route route[AUTH] { if (is_method("REGISTER")) { # authenticate requests if (!auth_check("$fd", "subscriber", "1")) { switch($retcode) { case -1: sl_send_reply("503","Service not available"); exit; case -2: xlog("L_WARN", "auth error -2 username $au - src ip: $si \n"); auth_challenge("$fd", "0"); exit; I have attached an example of a trace where we can see a first REGISTER accepted and less than 2 minutes after a new one is rejected. ( in between they is a REGISTER without any Authorization header) Any idea ? BR Laurent ___ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users