Re: [OpenSIPS-Users] Nonce expire
Hi Daniel,

the nonce checking assumes a kind of state and does not work correctly if you do not properly handle the retransmissions. For example:

1) you get an INVITE with credentials, you successfully authenticate it and you start processing it for forwarding
2) before sending a reply for the first INVITE, you get a retransmission for it - same credentials, auth fails - negative reply.

So, you end up with an inconsistency - you did both reply and forward, as you processed the transmissions differently due to the nonce checking.

What you can do is to create the transaction state before the authentication (using t_newtran()), so that your retransmissions will be absorbed by the transaction engine.

Regards,
Bogdan
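The retransmission case described in the message above, as a simplified Python model added here (not OpenSIPS code and not part of the original thread). `Proxy`, `handle`, `run` and the message fields are hypothetical names; transaction matching is reduced to the top Via branch plus method, and the nonce check to a set of used nonces.

```python
# Simplified model of a proxy with single-use nonces (illustration only,
# not OpenSIPS source). All names and sample messages are constructed.

class Proxy:
    def __init__(self, transaction_first):
        # transaction_first=True models calling t_newtran() before auth
        self.transaction_first = transaction_first
        self.used_nonces = set()    # nonces already consumed by an auth
        self.transactions = set()   # requests already being processed

    def handle(self, msg):
        # Simplified transaction key: top Via branch + method.
        key = (msg["branch"], msg["method"])
        if self.transaction_first:
            if key in self.transactions:
                return "absorbed"   # retransmission never reaches auth
            self.transactions.add(key)
        # Single-use nonce check: a second use is reported as stale.
        if msg["nonce"] in self.used_nonces:
            return "rejected: stale nonce"
        self.used_nonces.add(msg["nonce"])
        return "forwarded"


# Constructed sample traffic.
INVITE = {"method": "INVITE", "branch": "z9hG4bK-a1", "nonce": "nonce-1"}
RETRANSMISSION = dict(INVITE)                 # identical request, sent again
REPLAY = dict(INVITE, branch="z9hG4bK-b2")    # new request reusing the nonce


def run(transaction_first):
    """Return the proxy's action for each of the three sample messages."""
    proxy = Proxy(transaction_first)
    return [proxy.handle(m) for m in (INVITE, RETRANSMISSION, REPLAY)]


if __name__ == "__main__":
    print("auth first:       ", run(False))
    print("transaction first:", run(True))
```

With authentication first, the same INVITE is both forwarded and rejected; with the transaction created first, the retransmission is absorbed while a new request reusing the consumed nonce is still refused.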
Re: [OpenSIPS-Users] Nonce expire
Hi Daniel,

it is because of the nonce reusage - opensips (by default) uses a nonce for a single authentication, after that it reports it as stale. If you want to disable this behaviour (to enable nonce reusage), see the auth param disable_nonce_check:
http://www.opensips.org/html/docs/modules/1.6.x/auth.html#id228317

Regards,
Bogdan

--
Bogdan-Andrei Iancu
www.voice-system.ro

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] Nonce expire
Thanks for the update. I did notice that parameter, but I don't want to disable it. I guess for now I will just accept the higher load of authing every register. I also found that I had a device that was not behaving right either. I will look into this one further. Sorry for the flood of emails, I was really banging my head the other day on this one.

-dg
[OpenSIPS-Users] Nonce expire
I'm having some trouble with nonce expiring I believe. The problem is that every other one of my endpoint registrations is doing an auth challenge w/401. From my config:

    modparam("registrar", "default_expires", 60)
    modparam("registrar", "min_expires", 60)
    modparam("registrar", "max_expires", 60)
    modparam("auth", "nonce_expire", 3600)

From this I would expect the devices to try to register every 60 seconds, and get challenged every hour with a new nonce. Comments on why OpenSIPS is challenging every other registration?

Thanks

-dg
Re: [OpenSIPS-Users] Nonce expire
A quick follow up on this, I enabled some logging, but the retcode is not making any sense to me (probably because I'm using it wrong). From my config:

    xlog("REGISTER $fu");
    # authenticate the REGISTER requests (uncomment to enable auth)
    if (!www_authorize("", "subscriber")) {
        xlog("Not authorized - challenging, error: $retcode");
        www_challenge("", "1");
        exit;
    }

Then in the log:

    Apr 2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
    Apr 2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
    Apr 2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
    Apr 2 13:49:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
    Apr 2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
    Apr 2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
    Apr 2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
    Apr 2 13:50:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
    Apr 2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
    Apr 2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
    Apr 2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com

Also I'm running 1.6.2-tls compiled today from latest 1_6 branch in SVN.

-dg
Re: [OpenSIPS-Users] Nonce expire
Ah...I see what that retcode is anyway, 2^32 = 4294967296, so those are really just -4 first, no credentials, then -3 stale nonce

-dg