Re: [OpenSIPS-Users] The update from yesterday makes all calls fail after 20 seconds, how do I go back?

[Daniel Zanutti]

Hi Federico

You said "but my calls do not use the rtpproxy, so why is this affecting my
traffic and killing my calls?"

Surelly Opensips is trying to use rtpproxy in the calls, the log is showing
this. So the problem probably is related to the rtpproxy service. It's hard
to say anything without logs of the rtpproxy service, config seems to be
fine.

How many simultaneous calls are you handling? Why so many rtpproxy
services? Take a look at rtpproxy log to see what is happening.

If you have some urgency to solve this, I could help in a faster way
through consultancy. Let me know

Daniel

On Thu, Sep 15, 2022 at 11:36 AM Saint Michael  wrote:

> I added this code to the end of my script
> local_route
> {
>   if (is_method("BYE"))
>   {
>   xlog("L_ERR", "LOCAL_ROUTE - BYE - $DLG_end_reason - $ru - $ci");
>   }
> }
> and now my system is filed with these errors:
> Sep 15 14:25:36 node5 opensips[238750]: Sep 15 14:25:35 [238750]
> LOCAL_ROUTE - BYE - RTPProxy Timeout - sip:7867830513@208.73.234.96:5060
> - 0e87838610bfe6e1670023aa6bbe9590@208.73.234.96Sep 15 14:25:35 [238750]
> LOCAL_ROUTE - BYE - RTPProxy Timeout - sip:192.69.217.154;did=8fc1.e2444961
> - 0e87838610bfe6e1670023aa6bbe9590@208.73.234.96
> but my calls do not use the rtpproxy, so why is this affecting my traffic
> and killing my calls?
> I have 10 rttpproxy services:
> grep rtpproxy
>   rtpproxy1.serviceloaded active running
> RTPProxy1
>   rtpproxy10.service   loaded active running
> RTPProxy10
>   rtpproxy2.serviceloaded active running
> RTPProxy2
>   rtpproxy3.serviceloaded active running
> RTPProxy3
>   rtpproxy4.serviceloaded active running
> RTPProxy4
>   rtpproxy5.serviceloaded active running
> RTPProxy5
>   rtpproxy6.serviceloaded active running
> RTPProxy6
>   rtpproxy7.serviceloaded active running
> RTPProxy7
>   rtpproxy8.serviceloaded active running
> RTPProxy8
>   rtpproxy9.serviceloaded active running
> RTPProxy9
>
> here is number 1
> [Unit]
> Description=RTPProxy1
> After=network.target
> Requires=network.target
>
> [Service]
> Type=forking
> PIDFile=/var/run/rtpproxy1.pid
> #Environment='OPTIONS= -F -L 10240 -m 2 -M 3 -T 20 -d
> INFO:LOG_LOCAL5'
>
> Restart=on-failure
> RestartSec=5
>
>
> ExecStart=/usr/local/bin/rtpproxy -p /var/run/rtpproxy1.pid -l
> Public.Ip.Address \
>-s udp:127.0.0.1:7890 -F -L 10240 -m 1 -M 15000 -T 20 -d
> WARN:LOG_LOCAL5 -n tcp:127.0.0.1:7889
> ExecStop=/usr/bin/pkill -F /var/run/rtpproxy1.pid
>
>
> StandardOutput=syslog
> StandardError=syslog
> SyslogIdentifier=rtpproxy1
> SyslogFacility=local5
>
> TimeoutStartSec=10
> TimeoutStopSec=10
>
> [Install]
> WantedBy=multi-user.target
>
>
> Here is number 2
>
> [Unit]
> Description=RTPProxy2
> After=network.target
> Requires=network.target
>
> [Service]
> Type=forking
> PIDFile=/var/run/rtpproxy2.pid
> #Environment='OPTIONS= -F -L 10240 -m 2 -M 3 -T 20 -d
> INFO:LOG_LOCAL5'
>
> Restart=on-failure
> RestartSec=5
>
>
> ExecStart=/usr/local/bin/rtpproxy -p /var/run/rtpproxy2.pid -l
> Public.IP.address \
>-s udp:127.0.0.1:7891 -F -L 10240 -m 15000 -M 2 -T 20 -d
> WARN:LOG_LOCAL5 -n tcp:127.0.0.1:7889
> ExecStop=/usr/bin/pkill -F /var/run/rtpproxy2.pid
>
>
> StandardOutput=syslog
> StandardError=syslog
> SyslogIdentifier=rtpproxy2
> SyslogFacility=local5
>
> TimeoutStartSec=10
> TimeoutStopSec=10
>
> [Install]
> WantedBy=multi-user.target
>
>
> what am I doing wrong?
>
> Federico
>
>
>
>
>
> On Wed, Sep 14, 2022 at 4:55 PM Daniel Zanutti 
> wrote:
>
>> Hi
>>
>> Everytime opensips sends the BYE, it's generated inside local_route:
>> https://www.opensips.org/Documentation/Script-Routes-3-1#toc6
>>
>> So put a xlog there to see why. Something like this:
>> local_route
>> {
>>   if (is_method("BYE"))
>>   {
>>   xlog("L_ERR", "LOCAL_ROUTE - BYE - $DLG_end_reason - $ru - $ci");
>>   }
>> }
>>
>>
>> On Wed, Sep 14, 2022 at 5:04 PM Johan De Clercq  wrote:
>>
>>> Xlog(….);
>>>
>>> Outlook voor iOS  downloaden
>>> --
>>> *Van:* Users  namens Saint Michael <
>>> vene...@gmail.com>
>>> *Verzonden:* Wednesday, September 14, 2022 9:56:41 PM
>>> *Aan:* OpenSIPS users mailling list 
>>> *Onderwerp:* Re: [OpenSIPS-Users] The update from yesterday makes all
>>> calls fail after 20 seconds, how do I go back?
>>>
>>> how do I do this:
>>> " put some log on local_route"
>>> Sorry I am learning
>>>
>>>
>>> On Wed, Sep 14, 2022 at 3:55 PM Daniel Zanutti 
>>> wrote:
>>>
>>> So your Opensips is hanging up the call.
>>>
>>> Do you see any log on it? Try put some log on local_route if you don't
>>> see anything.
>>>
>>>
>>>
>>> On Wed, Sep 14, 2022 at 4:40 PM Saint Michael  wrote:
>>>
>>> This is a trace showing a BYE from Opensips, but none of the sides did
>>> 

Re: [OpenSIPS-Users] The update from yesterday makes all calls fail after 20 seconds, how do I go back?

[Saint Michael]

I added this code to the end of my script
local_route
{
  if (is_method("BYE"))
  {
  xlog("L_ERR", "LOCAL_ROUTE - BYE - $DLG_end_reason - $ru - $ci");
  }
}
and now my system is filed with these errors:
Sep 15 14:25:36 node5 opensips[238750]: Sep 15 14:25:35 [238750]
LOCAL_ROUTE - BYE - RTPProxy Timeout - sip:7867830513@208.73.234.96:5060 -
0e87838610bfe6e1670023aa6bbe9590@208.73.234.96Sep 15 14:25:35 [238750]
LOCAL_ROUTE - BYE - RTPProxy Timeout - sip:192.69.217.154;did=8fc1.e2444961
- 0e87838610bfe6e1670023aa6bbe9590@208.73.234.96
but my calls do not use the rtpproxy, so why is this affecting my traffic
and killing my calls?
I have 10 rttpproxy services:
grep rtpproxy
  rtpproxy1.serviceloaded active running
RTPProxy1
  rtpproxy10.service   loaded active running
RTPProxy10
  rtpproxy2.serviceloaded active running
RTPProxy2
  rtpproxy3.serviceloaded active running
RTPProxy3
  rtpproxy4.serviceloaded active running
RTPProxy4
  rtpproxy5.serviceloaded active running
RTPProxy5
  rtpproxy6.serviceloaded active running
RTPProxy6
  rtpproxy7.serviceloaded active running
RTPProxy7
  rtpproxy8.serviceloaded active running
RTPProxy8
  rtpproxy9.serviceloaded active running
RTPProxy9

here is number 1
[Unit]
Description=RTPProxy1
After=network.target
Requires=network.target

[Service]
Type=forking
PIDFile=/var/run/rtpproxy1.pid
#Environment='OPTIONS= -F -L 10240 -m 2 -M 3 -T 20 -d
INFO:LOG_LOCAL5'

Restart=on-failure
RestartSec=5


ExecStart=/usr/local/bin/rtpproxy -p /var/run/rtpproxy1.pid -l
Public.Ip.Address \
   -s udp:127.0.0.1:7890 -F -L 10240 -m 1 -M 15000 -T 20 -d
WARN:LOG_LOCAL5 -n tcp:127.0.0.1:7889
ExecStop=/usr/bin/pkill -F /var/run/rtpproxy1.pid


StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=rtpproxy1
SyslogFacility=local5

TimeoutStartSec=10
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target


Here is number 2

[Unit]
Description=RTPProxy2
After=network.target
Requires=network.target

[Service]
Type=forking
PIDFile=/var/run/rtpproxy2.pid
#Environment='OPTIONS= -F -L 10240 -m 2 -M 3 -T 20 -d
INFO:LOG_LOCAL5'

Restart=on-failure
RestartSec=5


ExecStart=/usr/local/bin/rtpproxy -p /var/run/rtpproxy2.pid -l
Public.IP.address \
   -s udp:127.0.0.1:7891 -F -L 10240 -m 15000 -M 2 -T 20 -d
WARN:LOG_LOCAL5 -n tcp:127.0.0.1:7889
ExecStop=/usr/bin/pkill -F /var/run/rtpproxy2.pid


StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=rtpproxy2
SyslogFacility=local5

TimeoutStartSec=10
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target


what am I doing wrong?

Federico





On Wed, Sep 14, 2022 at 4:55 PM Daniel Zanutti 
wrote:

> Hi
>
> Everytime opensips sends the BYE, it's generated inside local_route:
> https://www.opensips.org/Documentation/Script-Routes-3-1#toc6
>
> So put a xlog there to see why. Something like this:
> local_route
> {
>   if (is_method("BYE"))
>   {
>   xlog("L_ERR", "LOCAL_ROUTE - BYE - $DLG_end_reason - $ru - $ci");
>   }
> }
>
>
> On Wed, Sep 14, 2022 at 5:04 PM Johan De Clercq  wrote:
>
>> Xlog(….);
>>
>> Outlook voor iOS  downloaden
>> --
>> *Van:* Users  namens Saint Michael <
>> vene...@gmail.com>
>> *Verzonden:* Wednesday, September 14, 2022 9:56:41 PM
>> *Aan:* OpenSIPS users mailling list 
>> *Onderwerp:* Re: [OpenSIPS-Users] The update from yesterday makes all
>> calls fail after 20 seconds, how do I go back?
>>
>> how do I do this:
>> " put some log on local_route"
>> Sorry I am learning
>>
>>
>> On Wed, Sep 14, 2022 at 3:55 PM Daniel Zanutti 
>> wrote:
>>
>> So your Opensips is hanging up the call.
>>
>> Do you see any log on it? Try put some log on local_route if you don't
>> see anything.
>>
>>
>>
>> On Wed, Sep 14, 2022 at 4:40 PM Saint Michael  wrote:
>>
>> This is a trace showing a BYE from Opensips, but none of the sides did
>> actually hangup.
>>
>>
>> On Wed, Sep 14, 2022 at 3:33 PM Saint Michael  wrote:
>>
>> I use opensips 3.1, and I did an update yesterday. in all the boxes that
>> I upgraded all calls fail after 20 seconds.
>>
>> cd /usr/src/opensips-3.1/
>> git pull
>> make clean;make proper;make all
>> make modules
>> make install
>> clearlog.sh
>> systemctl restart opensips
>> opensips -V
>>
>>
>>
>> How do I go back?
>>
>>
>>
>> ___
>> Users mailing list
>> Users@lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>> ___
>> Users mailing list
>> Users@lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>> ___
>> Users mailing list
>> Users@lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
> 

Re: [OpenSIPS-Users] OpenSIPS CP 9.3.2 password mode ha1_sha256 for adding new user

[Bogdan-Andrei Iancu]

Hi Bela,

I just did a backport from master to 9.3.2 for the SHA support, see
https://github.com/OpenSIPS/opensips-cp/commit/de1e45838eacc8272357f0fb9f8758deaee3

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
  https://www.opensips.org/events/Summit-2022Athens/

On 8/9/22 12:37 PM, Bogdan-Andrei Iancu wrote:

Hi Bela,

The OCP does not support ha1_sha256 AFAIK. Consider opening a feature 
request here https://github.com/OpenSIPS/opensips-cp/issues


Regards,
Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/
On 6/29/22 9:10 AM, Bela H wrote:


Hi all,

Is there any way to add new subscriber from OpenSIPS CP 9.3.2 using 
password mode ha1_sha256?


The ha1 (MD5(username:realm:password)) works fine but I had no luck 
with the value generation for the ha1_sha256 field in “subscriber” 
table.


I have this setting:

modparam("auth_db", "calculate_ha1", 0)

modparam("auth_db", "password_column", "ha1_sha256")

Thanks!

Bela


___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users



___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] OpenSIPS CP 9.3.2 password mode ha1_sha256 for adding new user

[Bogdan-Andrei Iancu]

Hi,

Some more info on this: the challenge function allows you to specify a 
list of algorithms, not only one, so you can try "MD5,SHA-256" -> this 
will allow the client to pick the one it supports.


But in order to have this multi-algs working, be sure you do NOT set the 
"password_column" modparam (as the module will auto-detect witch column 
to use, depending on the alg). Just keep the calculate_ha1 to 0.


Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
  https://www.opensips.org/events/Summit-2022Athens/

On 9/15/22 10:56 AM, jacky z wrote:

Correction on my comments. It is a client side issue. Thank you!

On Thu, Sep 15, 2022 at 3:40 PM jacky z > wrote:


After checking the log in the client side, here are some
interesting findings:

Here is the what the client side received:

WWW-Authenticate: Digest realm="sip.domain.com
",
nonce="3mKlesEwotxnM5nLMMLgQA63E6VTKsTFpEkK7OkoE4QA",
qop="auth,auth-int", algorithm=SHA-256

Then the client side logs show:

15:25:51.858       ...Unsupported digest algorithm "SHA-256"
15:25:51.859      SIP registration error: Invalid/unsupported
digest algorithm

Firstly, if the server side did not include SHA-256 in the SIP
message, there would be no such issue. I don't understand why it
needs to inform the client side "SHA-256". Secondly, if the client
side just simply ignored "SHA-256", there would be no such issue.
However, the client side treated it as not supported.

On Thu, Sep 15, 2022 at 3:16 PM jacky z mailto:zjack0...@gmail.com>> wrote:

Hi Bogdan-Andrei,

I tried either specifying it or not. Neither worked. Here is
the script when I tried:

www_challenge("","auth,auth-int","SHA-256");

I also tried specifying the realm in the above code. When the
above is used, there is no such error, but always returns 401.
I checked the column ha1_sha256 and the hash of the password
is correct.

Thanks!

On Thu, Sep 15, 2022 at 2:07 PM Bogdan-Andrei Iancu
mailto:bog...@opensips.org>> wrote:

Hi,

In your opensips.cfg, when doing auth challenge to the end
points, do you specify the SHA256 alg?


https://opensips.org/html/docs/modules/3.2.x/auth.html#func_www_challenge



Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com  

OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/  


On 9/15/22 7:18 AM, jacky z wrote:

Hi Team,

Does ha1_sha256 work in general opensips config settings?
I have the following in the scripts:

modparam("auth_db", "calculate_ha1", 0)

modparam("auth_db", "password_column", "ha1_sha256")


but got the following error in the log:


/usr/sbin/opensips[28261]: ERROR:auth:auth_calc_HA1:
Incorrect length of pre-hashed credentials for the
algorithm "MD5": 32 expected, 64 provided


It seems though the sha256 was specified, but the server
still calculated MD5 and compared with the database
column ha1_sha256.


On Tue, Aug 9, 2022 at 5:39 PM Bogdan-Andrei Iancu
mailto:bog...@opensips.org>> wrote:

Hi Bela,

The OCP does not support ha1_sha256 AFAIK. Consider
opening a feature request here
https://github.com/OpenSIPS/opensips-cp/issues


Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com  

OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/  


On 6/29/22 9:10 AM, Bela H wrote:


Hi all,

Is there any way to add new subscriber from OpenSIPS
CP 9.3.2 using password mode ha1_sha256?

The ha1 (MD5(username:realm:password)) works fine
but I had no luck with the value generation for the
ha1_sha256 field in “subscriber” table.

I have this setting:

modparam("auth_db", "calculate_ha1", 0)

modparam("auth_db", "password_column", "ha1_sha256")

Re: [OpenSIPS-Users] Opensips CP Permissions "RELOAD on SERVER" produces error

[mtck01]

Thank you, I managed to load the 'permissions module', and no more error,
but nothing happens, just stuck on "Sending to json:127.0.0.1:/mi :"
without error or successful confirmation.

 

Regards,

Martin

 

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] OpenSIPS CP 9.3.2 password mode ha1_sha256 for adding new user

[jacky z]

Correction on my comments. It is a client side issue. Thank you!

On Thu, Sep 15, 2022 at 3:40 PM jacky z  wrote:

> After checking the log in the client side, here are some interesting
> findings:
>
> Here is the what the client side received:
>
> WWW-Authenticate: Digest realm="sip.domain.com",
> nonce="3mKlesEwotxnM5nLMMLgQA63E6VTKsTFpEkK7OkoE4QA", qop="auth,auth-int",
> algorithm=SHA-256
>
> Then the client side logs show:
>
> 15:25:51.858   ...Unsupported digest algorithm "SHA-256"
> 15:25:51.859  SIP registration error: Invalid/unsupported digest
> algorithm
>
> Firstly, if the server side did not include SHA-256 in the SIP message,
> there would be no such issue. I don't understand why it needs to inform the
> client side "SHA-256". Secondly, if the client side just simply ignored
> "SHA-256", there would be no such issue. However, the client side treated
> it as not supported.
>
> On Thu, Sep 15, 2022 at 3:16 PM jacky z  wrote:
>
>> Hi Bogdan-Andrei,
>>
>> I tried either specifying it or not. Neither worked. Here is the script
>> when I tried:
>>
>> www_challenge("","auth,auth-int","SHA-256");
>>
>> I also tried specifying the realm in the above code. When the above is
>> used, there is no such error, but always returns 401. I checked the column
>> ha1_sha256 and the hash of the password is correct.
>>
>> Thanks!
>>
>> On Thu, Sep 15, 2022 at 2:07 PM Bogdan-Andrei Iancu 
>> wrote:
>>
>>> Hi,
>>>
>>> In your opensips.cfg, when doing auth challenge to the end points, do
>>> you specify the SHA256 alg?
>>>
>>> https://opensips.org/html/docs/modules/3.2.x/auth.html#func_www_challenge
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>>   https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>
>>> On 9/15/22 7:18 AM, jacky z wrote:
>>>
>>> Hi Team,
>>>
>>> Does ha1_sha256 work in general opensips config settings? I have the
>>> following in the scripts:
>>>
>>> modparam("auth_db", "calculate_ha1", 0)
>>>
>>> modparam("auth_db", "password_column", "ha1_sha256")
>>>
>>>
>>> but got the following error in the log:
>>>
>>>
>>> /usr/sbin/opensips[28261]: ERROR:auth:auth_calc_HA1: Incorrect length of
>>> pre-hashed credentials for the algorithm "MD5": 32 expected, 64 provided
>>>
>>>
>>> It seems though the sha256 was specified, but the server still
>>> calculated MD5 and compared with the database column ha1_sha256.
>>>
>>> On Tue, Aug 9, 2022 at 5:39 PM Bogdan-Andrei Iancu 
>>> wrote:
>>>
 Hi Bela,

 The OCP does not support ha1_sha256 AFAIK. Consider opening a feature
 request here https://github.com/OpenSIPS/opensips-cp/issues

 Regards,

 Bogdan-Andrei Iancu

 OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
 OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

 On 6/29/22 9:10 AM, Bela H wrote:

 Hi all,



 Is there any way to add new subscriber from OpenSIPS CP 9.3.2 using
 password mode ha1_sha256?

 The ha1 (MD5(username:realm:password)) works fine but I had no luck
 with the value generation for the ha1_sha256 field in “subscriber” table.



 I have this setting:

 modparam("auth_db", "calculate_ha1", 0)

 modparam("auth_db", "password_column", "ha1_sha256")



 Thanks!

 Bela




>>>
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] OpenSIPS CP 9.3.2 password mode ha1_sha256 for adding new user

[jacky z]

After checking the log in the client side, here are some interesting
findings:

Here is the what the client side received:

WWW-Authenticate: Digest realm="sip.domain.com",
nonce="3mKlesEwotxnM5nLMMLgQA63E6VTKsTFpEkK7OkoE4QA", qop="auth,auth-int",
algorithm=SHA-256

Then the client side logs show:

15:25:51.858   ...Unsupported digest algorithm "SHA-256"
15:25:51.859  SIP registration error: Invalid/unsupported digest
algorithm

Firstly, if the server side did not include SHA-256 in the SIP message,
there would be no such issue. I don't understand why it needs to inform the
client side "SHA-256". Secondly, if the client side just simply ignored
"SHA-256", there would be no such issue. However, the client side treated
it as not supported.

On Thu, Sep 15, 2022 at 3:16 PM jacky z  wrote:

> Hi Bogdan-Andrei,
>
> I tried either specifying it or not. Neither worked. Here is the script
> when I tried:
>
> www_challenge("","auth,auth-int","SHA-256");
>
> I also tried specifying the realm in the above code. When the above is
> used, there is no such error, but always returns 401. I checked the column
> ha1_sha256 and the hash of the password is correct.
>
> Thanks!
>
> On Thu, Sep 15, 2022 at 2:07 PM Bogdan-Andrei Iancu 
> wrote:
>
>> Hi,
>>
>> In your opensips.cfg, when doing auth challenge to the end points, do you
>> specify the SHA256 alg?
>>
>> https://opensips.org/html/docs/modules/3.2.x/auth.html#func_www_challenge
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>   https://www.opensips-solutions.com
>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>   https://www.opensips.org/events/Summit-2022Athens/
>>
>> On 9/15/22 7:18 AM, jacky z wrote:
>>
>> Hi Team,
>>
>> Does ha1_sha256 work in general opensips config settings? I have the
>> following in the scripts:
>>
>> modparam("auth_db", "calculate_ha1", 0)
>>
>> modparam("auth_db", "password_column", "ha1_sha256")
>>
>>
>> but got the following error in the log:
>>
>>
>> /usr/sbin/opensips[28261]: ERROR:auth:auth_calc_HA1: Incorrect length of
>> pre-hashed credentials for the algorithm "MD5": 32 expected, 64 provided
>>
>>
>> It seems though the sha256 was specified, but the server still calculated
>> MD5 and compared with the database column ha1_sha256.
>>
>> On Tue, Aug 9, 2022 at 5:39 PM Bogdan-Andrei Iancu 
>> wrote:
>>
>>> Hi Bela,
>>>
>>> The OCP does not support ha1_sha256 AFAIK. Consider opening a feature
>>> request here https://github.com/OpenSIPS/opensips-cp/issues
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>>   https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>
>>> On 6/29/22 9:10 AM, Bela H wrote:
>>>
>>> Hi all,
>>>
>>>
>>>
>>> Is there any way to add new subscriber from OpenSIPS CP 9.3.2 using
>>> password mode ha1_sha256?
>>>
>>> The ha1 (MD5(username:realm:password)) works fine but I had no luck
>>> with the value generation for the ha1_sha256 field in “subscriber” table.
>>>
>>>
>>>
>>> I have this setting:
>>>
>>> modparam("auth_db", "calculate_ha1", 0)
>>>
>>> modparam("auth_db", "password_column", "ha1_sha256")
>>>
>>>
>>>
>>> Thanks!
>>>
>>> Bela
>>>
>>>
>>>
>>>
>>
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] OpenSIPS CP 9.3.2 password mode ha1_sha256 for adding new user

[jacky z]

Hi Bogdan-Andrei,

I tried either specifying it or not. Neither worked. Here is the script
when I tried:

www_challenge("","auth,auth-int","SHA-256");

I also tried specifying the realm in the above code. When the above is
used, there is no such error, but always returns 401. I checked the column
ha1_sha256 and the hash of the password is correct.

Thanks!

On Thu, Sep 15, 2022 at 2:07 PM Bogdan-Andrei Iancu 
wrote:

> Hi,
>
> In your opensips.cfg, when doing auth challenge to the end points, do you
> specify the SHA256 alg?
>
> https://opensips.org/html/docs/modules/3.2.x/auth.html#func_www_challenge
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>   https://www.opensips-solutions.com
> OpenSIPS Summit 27-30 Sept 2022, Athens
>   https://www.opensips.org/events/Summit-2022Athens/
>
> On 9/15/22 7:18 AM, jacky z wrote:
>
> Hi Team,
>
> Does ha1_sha256 work in general opensips config settings? I have the
> following in the scripts:
>
> modparam("auth_db", "calculate_ha1", 0)
>
> modparam("auth_db", "password_column", "ha1_sha256")
>
>
> but got the following error in the log:
>
>
> /usr/sbin/opensips[28261]: ERROR:auth:auth_calc_HA1: Incorrect length of
> pre-hashed credentials for the algorithm "MD5": 32 expected, 64 provided
>
>
> It seems though the sha256 was specified, but the server still calculated
> MD5 and compared with the database column ha1_sha256.
>
> On Tue, Aug 9, 2022 at 5:39 PM Bogdan-Andrei Iancu 
> wrote:
>
>> Hi Bela,
>>
>> The OCP does not support ha1_sha256 AFAIK. Consider opening a feature
>> request here https://github.com/OpenSIPS/opensips-cp/issues
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>   https://www.opensips-solutions.com
>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>   https://www.opensips.org/events/Summit-2022Athens/
>>
>> On 6/29/22 9:10 AM, Bela H wrote:
>>
>> Hi all,
>>
>>
>>
>> Is there any way to add new subscriber from OpenSIPS CP 9.3.2 using
>> password mode ha1_sha256?
>>
>> The ha1 (MD5(username:realm:password)) works fine but I had no luck with
>> the value generation for the ha1_sha256 field in “subscriber” table.
>>
>>
>>
>> I have this setting:
>>
>> modparam("auth_db", "calculate_ha1", 0)
>>
>> modparam("auth_db", "password_column", "ha1_sha256")
>>
>>
>>
>> Thanks!
>>
>> Bela
>>
>>
>>
>>
>
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

[OpenSIPS-Users] Push notification

[Sergey Pisanko]

Hello.
I have read this article about push notification support according to rfc
8599 in Opensips 3.1
https://blog.opensips.org/2020/05/07/sip-push-notification-with-opensips-3-1-lts-rfc-8599-supportpart-i/

But I stay confused about one thing.It may be considered to be a  "newbie
question", but... What can be an "entity" (3rd party app/API)
with help of which I can create a subscription for Message Service (for
example Firebase) to get the needed "pn" parameters to be inserted into the
register sip request?


Best wishes,
Serhii Pysanko.

[image: Mailtrack]

Sender
notified by
Mailtrack

09/15/22,
10:08:33 AM
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

[jacky z]

Hi Vlad,

In theory, the RDS server is expected to work like what you mentioned.
However, based on test, when the client cert and key is specified, the
connection can't be set.
For example, if we specify the following when we connect to the RDS server
in the command line in our testing
--ssl-cert=/etc/ssl/certs/rootCACert.pem
--ssl-key=/etc/ssl/private/rootCAKey.pem

RDS returns this error:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading
authorization packet', system error: 11

On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu  wrote:

> Hi Jacky,
>
> OpenSIPS will always require you to configure a client certificate for TLS
> client domains and will also present that certificate when connecting. But
> normally, a TLS server can simply choose not to verify the client
> certificate. I don't have any experience with AWS RDS though but it seems
> odd to not accept a connection only because the client did present a
> certificate.
>
> Regards,
>
> --
> Vlad Patrascu
> OpenSIPS Core Developerhttp://www.opensips-solutions.com
>
> On 14.09.2022 05:42, jacky z wrote:
>
> Hi Bogdan-Andrei,
>
> I checked the mariadb documentation and found mariadb has two options to
> set ssl connection: two-way TSL and one-way TSL. It seems AWS RDS only
> supports one-way TSL, that is, TSL is used without a client cert. Does
> OPENSIPS support such one-way TSL to connect a database? Thanks!
>
> On Wed, Sep 14, 2022 at 12:06 AM jacky z  wrote:
>
>> Hi Bogdan-Andrei,
>>
>> I have set the "certificate" and "private_key" in my script, as I
>> explained in method 1. However, AWS RDS doesn't support a client cert.
>> Please refer to
>>
>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>
>> Is there any workaround to use the public cert list provided by AWS?
>> Anyone has successfully used RDS with SSL connections? Thanks!
>>
>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu 
>> wrote:
>>
>>> Set the certificate and key you have in the tls_mgm module, for the
>>> "certificate" and "private_key" parameters.
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>>   https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>
>>> On 9/13/22 2:57 PM, jacky z wrote:
>>>
>>> Hi Bogdan-Andrei,
>>>
>>> I tried two methods.
>>>
>>> Method 1:
>>>
>>> #enabled TLS connection:
>>> modparam("db_mysql", "use_tls", 1)
>>>
>>> #setup a client domain:
>>> modparam("tls_mgm", "client_domain", "dom1")
>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>>> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
>>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>>> modparam("tls_mgm","verify_cert", "[dom1]0")
>>> modparam("tls_mgm","require_cert", "[dom1]0")
>>> # set db_url
>>> modparam("usrloc", "db_url", "mysql://root:1234@
>>> /opensips?tls_domain=dom1")
>>> ...
>>>
>>> I couldn't figure out how to use global-bundle.pem AWS provided with
>>> this method. No luck to get a connection with RDS. If I don't use ssl,
>>> opensips can connect to RDS without encryption.
>>>
>>> Method 2:
>>>
>>> I tried
>>>
>>> modparam("usrloc", "db_url", "mysql://root:1234@
>>> /opensips?ssl=true&
>>> ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>>>
>>> to include the AWS cert. Still no luck.
>>>
>>> Thanks!
>>>
>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu 
>>> wrote:
>>>
 Hi,

 sorry for my silly question, but how do you connect from the OpenSIPS
 side ??

 Regards,

 Bogdan-Andrei Iancu

 OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
 OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

 On 9/13/22 10:41 AM, jacky z wrote:

 Hi Team,

 We hope to connect to aws RDS database with ssl encryption. We have
 setup a client domain according to OPENSIPS documents. However, AWS RDS
 does not support client cert as someone has confirmed with AWS
 https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws

 Is there any way to use the cert provided by AWS to connect? AWS
 provides a global-bundle.pem (
 https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
 for such a connection, but we don't know how to include it in the config
 file.

 Thanks

 Jacky z

 ___
 Users mailing 
 listUsers@lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users



>>>
> 

Re: [OpenSIPS-Users] OpenSIPS CP 9.3.2 password mode ha1_sha256 for adding new user

[Bogdan-Andrei Iancu]

Hi,

In your opensips.cfg, when doing auth challenge to the end points, do 
you specify the SHA256 alg?


https://opensips.org/html/docs/modules/3.2.x/auth.html#func_www_challenge

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
  https://www.opensips.org/events/Summit-2022Athens/

On 9/15/22 7:18 AM, jacky z wrote:

Hi Team,

Does ha1_sha256 work in general opensips config settings? I have the 
following in the scripts:


modparam("auth_db", "calculate_ha1", 0)

modparam("auth_db", "password_column", "ha1_sha256")


but got the following error in the log:


/usr/sbin/opensips[28261]: ERROR:auth:auth_calc_HA1: Incorrect length 
of pre-hashed credentials for the algorithm "MD5": 32 expected, 64 
provided



It seems though the sha256 was specified, but the server still 
calculated MD5 and compared with the database column ha1_sha256.



On Tue, Aug 9, 2022 at 5:39 PM Bogdan-Andrei Iancu 
mailto:bog...@opensips.org>> wrote:


Hi Bela,

The OCP does not support ha1_sha256 AFAIK. Consider opening a
feature request here
https://github.com/OpenSIPS/opensips-cp/issues


Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com  
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/  


On 6/29/22 9:10 AM, Bela H wrote:


Hi all,

Is there any way to add new subscriber from OpenSIPS CP 9.3.2
using password mode ha1_sha256?

The ha1 (MD5(username:realm:password)) works fine but I had no
luck with the value generation for the ha1_sha256 field in
“subscriber” table.

I have this setting:

modparam("auth_db", "calculate_ha1", 0)

modparam("auth_db", "password_column", "ha1_sha256")

Thanks!

Bela




___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] Autoscaler in 3.2.x

[Bogdan-Andrei Iancu]

Hi Yury,

For the crash -> is there any core file to check ?

For mem usage -> you should try to get a memory dump for further 
investigation [1].


[1] https://opensips.org/Documentation/TroubleShooting-OutOfMem

Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
  https://www.opensips.org/events/Summit-2022Athens/

On 9/14/22 10:13 PM, Yury Kirsanov wrote:

Hi Bogdan,
Thanks a lot for your help and support! The only question I know have 
is why OpenSIPS was going into a crash if all TCP processes were 
blocked waiting for connection? It was starting to consume more and 
more memory and then it was crashing with a segfault upon reaching 
then -m memory parameter. I do understand that TCP listeners were in a 
blocking mode and were not able to do any work until the session could 
be fully established, not being able to forward any SIP packets, but 
isn't that a bug that OpenSIPS was starting to eat memory and then 
crash? Do I need to open a bug report on this? Thanks!


Best regards,
Yury.

On Wed, Sep 14, 2022 at 10:58 PM Bogdan-Andrei Iancu 
mailto:bog...@opensips.org>> wrote:


Hi Yury,

You need to check the TCP setting and to be sure your OpenSIPS
will (1) not try to perform TCP connect against destination known
not to be able to accept (like TCP/WS end points behind NAT) - see
the tcp_no_new_conn_bflag [1] - or (2) not block for long time
while attempting a connect - see the tcp_connect_timeout [2] or
consider enabling async [3].

[1]

https://www.opensips.org/Documentation/Script-CoreParameters-3-2#tcp_no_new_conn_bflag


[2]

https://www.opensips.org/Documentation/Script-CoreParameters-3-2#tcp_connect_timeout


[3]
https://opensips.org/html/docs/modules/3.2.x/proto_tcp.html#idp168992


Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com  
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/  


On 9/13/22 12:01 PM, Yury Kirsanov wrote:

Hi Bogdan,
Thanks for this update, but it looks like I can't check
autoscaler because of this first issue with blocking TCP connect.
Is there a way to resolve it? Am I doing something wrong? Or is
that something to do with OpenSIPS code? As yes, you're right, as
soon as I restart OpenSIPS having a lot of SIP devices trying to
connect to it - it goes crazy, starts to consume memory and stops
to forward packets sitting there at 100% load until it runs out
of memory and segfaults. Sometimes I can't even restart it to
come to normal state to make it work, it just loops into same
crash whatever I try to do.

I've compiled OpenSIPS 3.3.1 with your patch and was able to
start it but not sure, maybe I was just lucky this time.

What should I do? Thanks!

Best regards,
Yury.

On Tue, 13 Sept 2022, 18:56 Bogdan-Andrei Iancu,
mailto:bog...@opensips.org>> wrote:

Hi Yury,

it looks like you some multiple issues, overlapping here. The
traps you sent here have nothing to do with the auto-scaling,
but with a blocking TCP connect for SIP - most of the procs
get blocked into a sync TCP connect.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com  

OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/  


On 9/12/22 4:39 PM, Yury Kirsanov wrote:

Hi Bogdan,
I've applied the patch (had to find where to apply it
manually for 3.2.8 downloaded from Web page, line 1568
instead of 1652) and restarted the server with only about
300-350 SIP devices and immediately got into same issue. I'm
attaching two GDB dumps made within several minutes from
each other. Autoscale was now OFF, please see my previous
message as currently for some reason I'm experiencing
lockups even when it's off :(



Best regards,
Yury.

On Mon, Sep 12, 2022 at 7:48 PM Bogdan-Andrei Iancu
mailto:bog...@opensips.org>> wrote:

Hi Yuri,

Could you give this patch a try? it should fix the
blocking you experience (it should apply on 3.2 too).

Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer