Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS

2019-08-30 Thread Henning Westerholt
Hello Laurent,

Interesting... Have you already checked whether you also see these different 
password results at the network level, if you look at the MySQL client-server 
traffic? Then you should at least know if it's related to Kamailio or the 
database(s).

Cheers,

Henning


Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS

2019-08-30 Thread Laurent Schweizer
Hi Henning,
Hi all,

Maybe my first assumption was wrong, the wrong result is changing ☹.

I have added some extra debug info in modules/auth_db/authorize.c to display 
not only the calculated hash but also the username, domain and password:


    if (calc_ha1) {
        /* Only plaintext passwords are stored in database,
         * we have to calculate HA1 */
        auth_api.calc_HA1(HA_MD5, &_username->whole, _domain, &result,
                0, 0, _ha1);
        /* extra debug output: hash plus username, realm and password */
        LM_DBG("FOR NU HA1 string calculated: %s  username:\'%.*s\' "
                "realm:\'%.*s\' pass:\'%.*s\' \n", _ha1, _username->user.len,
                ZSW(_username->user.s), _domain->len, ZSW(_domain->s),
                result.len, result.s);
    } else {
        memcpy(_ha1, result.s, result.len);
        _ha1[result.len] = '\0';
    }

    return 0;

And I see different passwords for the same username … of course the password 
was not changed in the DB.
The passwords are not random, they are passwords of other users; the only case 
that is different is the “0” (we don’t have any user with a password like this).

Aug 30 09:37:02 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: 
get_ha1(): FOR NU HA1 string calculated: 5057166924cd85af0250c36d24eb  
username:'90707009764' realm:'pbxs.peoplefone.de' pass:'H3--D'

Aug 30 09:37:02 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: 
get_ha1(): FOR NU HA1 string calculated: 7547ba1f80a651437908d050493086f9  
username:'90707009764' realm:'pbxs.peoplefone.de' pass:'R3--2'

Aug 30 09:37:03 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: 
get_ha1(): FOR NU HA1 string calculated: 8947348b1af4cba356532c3b49dba559  
username:'90707009764' realm:'pbxs.peoplefone.de' pass:'72--s'

Aug 30 09:37:03 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: 
get_ha1(): FOR NU HA1 string calculated: 348ce71603d44a0dd3303d8e07e155d8  
username:'90707009764' realm:'pbxs.peoplefone.de' pass:'X-g'

Aug 30 09:37:04 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: 
get_ha1(): FOR NU HA1 string calculated: 7fc7adfa1f3a18d27988ffbe42ecfdfd  
username:'90707009764' realm:'pbxs.peoplefone.de' pass:'0'

Aug 30 09:37:35 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: 
get_ha1(): FOR NU HA1 string calculated: b313ccfd2848fdc245cc1490607e6eb7  
username:'90707009764' realm:'pbxs.peoplefone.de' pass:'s---w'

I’m using a MySQL/Percona DB with 3 servers, so I’m using the db_cluster module…

Any idea?


BR

Laurent


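
Added example, not part of the thread and not Kamailio code: an offline Python check of the digest computation that calc_HA1 and check_response perform (RFC 2617, algorithm MD5), so that the Authorization header captured in a network trace can be tested against the password stored for the user. If the stored password reproduces the client's response, the client sent correct credentials and the mismatch lies in the value the server read. The function names are assumptions of this example, and the sample header is the worked example from RFC 2617.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def calc_ha1(username, realm, password):
    # HA1 for algorithm=MD5 (RFC 2617): MD5(username ":" realm ":" password)
    return md5_hex(f"{username}:{realm}:{password}")

def calc_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    # With qop=auth the nonce count and the client nonce enter the digest.
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header):
    # Parameters may be quoted (realm, nonce, ...) or bare (qop, nc, algorithm).
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', header)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def password_matches(header, method, password):
    """True if the response in the captured header was built from password."""
    p = parse_digest(header)
    if p.get("algorithm", "MD5").upper() != "MD5" or p.get("qop") not in (None, "auth"):
        raise ValueError("only algorithm=MD5 with qop absent or 'auth' is handled")
    ha1 = calc_ha1(p["username"], p["realm"], password)
    expected = calc_response(ha1, method, p["uri"], p["nonce"],
                             p.get("qop"), p.get("nc"), p.get("cnonce"))
    return expected == p["response"].lower()

# Sample input: the worked example from RFC 2617 section 3.5 (HTTP GET, password
# "Circle Of Life"). For SIP pass "REGISTER" and the header from the trace.
SAMPLE = ('Authorization: Digest username="Mufasa", realm="testrealm@host.com", '
          'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
          'qop=auth, nc=00000001, cnonce="0a4f113b", '
          'response="6629fae49393a05397450978507c4ef1", '
          'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    print("password in DB matches client:", password_matches(SAMPLE, "GET", "Circle Of Life"))
    print("other user's password matches:", password_matches(SAMPLE, "GET", "0"))
```
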

Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS

2019-08-29 Thread Henning Westerholt
Hello Laurent,

(you might want to anonymize your msg dumps a bit on this public list)

You probably did these steps already, but nevertheless some debugging ideas:

- capture a longer network trace and compare the network data of a working 
case against a non-working case

- try to find a pattern (e.g. does it happen during a certain time, 
only to certain users or devices)

- have a look at the network interface statistics on the server and 
router/firewall, in case some corruption is caused by an interface

- have a look at other network services that are using the same network 
infrastructure to see if they are also affected

Cheers,

Henning


Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS

2019-08-29 Thread Laurent Schweizer
Hello,

I tried to get some logs.
I only see that the password seems wrong, but it was not changed and the 
registration of this user was OK just before ☹

Any idea how to debug this?

Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:288]: 
auth_check_response(): check_response: Our result = 
'bc946bb4ea732eb35d11d0970631c6f8'
Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:298]: 
auth_check_response(): check_response: Authorization failed
Aug 29 10:21:38 de5029 kamailio[22615]: WARNING: 

Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS

2019-08-26 Thread Laurent Schweizer
Wireshark was missing.

___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


[SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS

2019-08-26 Thread Laurent Schweizer
Dear all,

I have a Kamailio running version 5.0.8, and for a few weeks we have had an 
issue with different users connected via TCP or TLS: sometimes authorization, 
e.g. for REGISTER, is rejected, and after a moment (it can be a few minutes or 
hours) it works again, and of course no change was made to the password.

We see this issue with different devices, snom swyx, ... and on UDP we have no 
issue.

I can see that when the REGISTER is rejected it's with the error -2, so wrong 
password...

# Authentication route
route[AUTH] {
    if (is_method("REGISTER"))
    {
        # authenticate requests
        if (!auth_check("$fd", "subscriber", "1")) {

            switch($retcode) {
                case -1:
                    sl_send_reply("503","Service not available");
                    exit;
                case -2:
                    xlog("L_WARN", "auth error -2 username $au - src ip: $si \n");
                    auth_challenge("$fd", "0");
                    exit;


I have attached an example of a trace where we can see a first REGISTER 
accepted, and less than 2 minutes later a new one is rejected (in between 
there is a REGISTER without any Authorization header).

Any idea?

BR

Laurent