Re: [OpenSIPS-Users] Nonce expire

2010-04-12 Thread Bogdan-Andrei Iancu
Hi Daniel,

the nonce checking assumes a kind of state and does not work correctly if 
you do not properly handle the retransmissions. For example:

   1) you get an INVITE with credentials, you successfully authenticate it 
and you start processing it for forwarding
   2) before sending a reply for the first INVITE, you get a 
retransmission of it - same credentials, auth fails - negative reply.

so, you end up with an inconsistency - you did both reply and forward, 
as you processed the transmissions differently due to the nonce checking.

What you can do is to create the transaction state before the 
authentication (using t_newtran()), so that your retransmissions 
will be absorbed by the transaction engine.

Regards,
Bogdan


Re: [OpenSIPS-Users] Nonce expire

2010-04-03 Thread Bogdan-Andrei Iancu
Hi Daniel,

it is because of the nonce reuse - opensips (by default) uses a nonce for 
a single authentication, after that it reports it as stale.
If you want to disable this behaviour (to enable nonce reuse), see the 
auth param disable_nonce_check:
http://www.opensips.org/html/docs/modules/1.6.x/auth.html#id228317

Regards,
Bogdan



-- 
Bogdan-Andrei Iancu
www.voice-system.ro


___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
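
A toy model of the behaviour discussed in this thread, added here as an example (it is not OpenSIPS code and not from either poster): a server that accepts each nonce once, showing the alternating challenge pattern when a client keeps sending its last nonce, and the two different outcomes for a retransmitted INVITE unless retransmissions are absorbed before authentication. The class, the function names, the client behaviour and the transaction keys are assumptions made for illustration.

```python
import itertools

class OneTimeNonceServer:
    """Toy model, not OpenSIPS code: each issued nonce authenticates once."""

    def __init__(self, absorb_retransmissions=False):
        self._ids = itertools.count(1)
        self.unused = set()   # nonces issued but not yet consumed
        self.seen = {}        # transaction key -> action already taken
        self.absorb = absorb_retransmissions

    def challenge(self):
        nonce = f"nonce-{next(self._ids)}"
        self.unused.add(nonce)
        return nonce

    def handle(self, txn_key, nonce):
        """Return the action taken for one received request."""
        if self.absorb and txn_key in self.seen:
            return "absorbed"            # retransmission never reaches auth
        if nonce in self.unused:
            self.unused.discard(nonce)   # single use: consumed on success
            action = "accepted"
        else:
            action = "challenged"        # no nonce, or a stale one
        self.seen[txn_key] = action
        return action


def periodic_register(requests):
    """Assumed client: keeps sending the nonce from its last challenge."""
    server, nonce, actions = OneTimeNonceServer(), None, []
    for cseq in range(1, requests + 1):
        action = server.handle(("REGISTER", cseq), nonce)
        if action == "challenged":
            nonce = server.challenge()   # the 401 carries a fresh nonce
        actions.append(action)
    return actions


def invite_with_retransmission(absorb):
    """The same INVITE (same transaction, same credentials) arrives twice."""
    server = OneTimeNonceServer(absorb_retransmissions=absorb)
    nonce = server.challenge()
    key = ("INVITE", "branch-constructed")   # constructed transaction key
    return [server.handle(key, nonce), server.handle(key, nonce)]


if __name__ == "__main__":
    print(periodic_register(4))
    print(invite_with_retransmission(absorb=False))
    print(invite_with_retransmission(absorb=True))
```

Without absorption the two copies of the INVITE get different outcomes (accepted, then challenged), which is the inconsistency described in the 2010-04-12 reply.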


Re: [OpenSIPS-Users] Nonce expire

2010-04-03 Thread Daniel Goepp
Thanks for the update.  I did notice that parameter, but I don't want to
disable it.  I guess for now I will just accept the higher load of authing
every register.  I also found that I had a device that was not behaving
right either.  I will look into this one further.  Sorry for the flood of
emails, I was really banging my head the other day on this one.

-dg




[OpenSIPS-Users] Nonce expire

2010-04-02 Thread Daniel Goepp
I'm having some trouble with nonce expiring I believe.  The problem is that
every other one of my endpoint registrations is doing an auth challenge
w/401.

From my config:
    modparam("registrar", "default_expires", 60)
    modparam("registrar", "min_expires", 60)
    modparam("registrar", "max_expires", 60)

    modparam("auth", "nonce_expire", 3600)

From this I would expect the devices to try to register every 60 seconds,
and get challenged every hour with a new nonce.

Comments on why OpenSIPS is challenging every other registration?

Thanks

-dg


Re: [OpenSIPS-Users] Nonce expire

2010-04-02 Thread Daniel Goepp
A quick follow up on this, I enabled some logging, but the retcode is not
making any sense to me (probably because I'm using it wrong).

From my config:

    xlog("REGISTER $fu");
    # authenticate the REGISTER requests (uncomment to enable auth)
    if (!www_authorize("", "subscriber"))
    {
        xlog("Not authorized - challenging, error: $retcode");
        www_challenge("", "1");
        exit;
    }

Then in the log:

    Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
    Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
    Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
    Apr  2 13:49:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
    Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
    Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
    Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
    Apr  2 13:50:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
    Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
    Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
    Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com

Also I'm running 1.6.2-tls compiled today from latest 1_6 branch in SVN.

-dg




Re: [OpenSIPS-Users] Nonce expire

2010-04-02 Thread Daniel Goepp
Ah...I see what that retcode is anyway, 2^32 = 4294967296, so those are
really just -4 first, no credentials, then -3 stale nonce

-dg
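
The decoding described in this message, as an added example that is not part of the original post: the logged value is reinterpreted as a signed 32-bit integer and each challenge line is labelled with the meaning given in the thread. The sample log lines are constructed (host name and URI are placeholders), and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the syslog output quoted in the thread.
SAMPLE_LOG = """\
Apr  2 13:49:38 host-constructed /usr/local/sbin/opensips[30180]: REGISTER sip:user@example.invalid
Apr  2 13:49:38 host-constructed /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
Apr  2 13:50:18 host-constructed /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
Apr  2 13:50:58 host-constructed /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
"""

# Meanings as given in the thread; any other code is reported as "unknown".
REASONS = {-4: "no credentials", -3: "stale nonce"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+\[(?P<pid>\d+)\]: "
    r"Not authorized - challenging, error: (?P<code>-?\d+)$"
)


def to_int32(value):
    """Reinterpret a value printed as unsigned 32-bit as a signed 32-bit int."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value >= (1 << 31) else value


def parse_challenges(text):
    """Return (timestamp, pid, signed_code, reason) for each challenge line."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # REGISTER trace lines and anything else are skipped
        code = to_int32(int(match.group("code")))
        events.append((match.group("ts"), int(match.group("pid")), code,
                       REASONS.get(code, "unknown")))
    return events


def summarize(text):
    """Count challenges per reason, e.g. to see how many were stale nonces."""
    return Counter(reason for *_, reason in parse_challenges(text))


if __name__ == "__main__":
    for event in parse_challenges(SAMPLE_LOG):
        print(event)
    print(dict(summarize(SAMPLE_LOG)))
```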

