Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-16 Thread Liviu Chircu

On 16.08.2021 20:44, Adrian Georgescu wrote:
> There are some leftovers in the module documentation related to
> password_column_2:
>
> https://opensips.org/html/docs/modules/3.2.x/auth_db.html#param_calculate_ha1

Thank you!  Fixed!

--
Liviu Chircu
www.twitter.com/liviuchircu | www.opensips-solutions.com
OpenSIPS Summit 2021 Distributed | www.opensips.org/events

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-16 Thread Adrian Georgescu
I confirm this patch fixed the issue. Thank you Liviu!

Regards,
Adrian


> On 16 Aug 2021, at 12:43, Liviu Chircu  wrote:
> 
> On 12.08.2021 22:04, Adrian Georgescu wrote:
>> Aug 12 20:51:59 live01 /usr/sbin/opensips[10064]: 
>> ERROR:db_mysql:db_mysql_store_result: driver error: Commands out of sync; 
>> you can't run this command now
>> Aug 12 20:51:59 live01 /usr/sbin/opensips[10064]: ERROR:auth_db:get_ha1: 
>> failed to query database
>> Aug 12 20:52:00 live01 /usr/sbin/opensips[10057]: 
>> ERROR:db_mysql:db_mysql_store_result: driver error: Commands out of sync; 
>> you can't run this command now
>> Aug 12 20:52:00 live01 /usr/sbin/opensips[10057]: ERROR:auth_db:get_ha1: 
>> failed to query database
> 
> Hi Adrian,
> 
> This issue should now be fixed on latest 3.2, per [1].
> 
> [1]: https://github.com/OpenSIPS/opensips/commit/c871d9edfce
> 
> Best,
> 
> -- 
> Liviu Chircu
> www.twitter.com/liviuchircu | www.opensips-solutions.com
> OpenSIPS Summit 2021 Distributed | www.opensips.org/events
> 
> 




Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-16 Thread Adrian Georgescu
There are some leftovers in the module documentation related to 
password_column_2:

https://opensips.org/html/docs/modules/3.2.x/auth_db.html#param_calculate_ha1 



The “password_column_2” column contains also HA1 strings but they should be 
calculated including the domain in the username parameter (as opposed to 
password_column which (when containing HA1 strings) should always contain HA1 
strings calculated without domain in username.


> On 16 Aug 2021, at 14:33, Adrian Georgescu  wrote:
> 
> Hi Liviu,
> 
> I understand now better the purpose of that field and it is indeed not needed 
> anymore!
> 
> Regards,
> Adrian
> 
>> On 16 Aug 2021, at 12:55, Liviu Chircu  wrote:
>> 
>> On 13.08.2021 14:12, Adrian Georgescu wrote:
>>> 
>>> I would very much like to see this feature ported back to 3.2 please!
>> 
>> Hi,
>> 
>> Could you offer a bit more info on why you would want it?  Like what kind of 
>> SIP phones are still out there that cannot handle the SIP auth specs in 
>> 2021?  If you think about it, they won't work with other SIP servers: no 
>> commercial SIP server and no Asterisk, FS, PJSIP, SIP.js, drachtio, 
>> reSIPprocate, etc.:  Not a single one of these implement this crazy "ha1b" 
>> feature, and none of them give a single damn if the phone is poorly 
>> implemented and appends the "@realm" part in the username component: they 
>> will happily reply with 401 Unauthorized until the implementor fixes the 
>> phone.
>> 
>> So why should OpenSIPS have this feature? Also, I suggest you open a GitHub 
>> feature request [1] as well on this topic -- maybe we get more opinions from 
>> there as well.
>> 
>> [1]: https://github.com/OpenSIPS/opensips/issues
>> 
>> Best,
>> 
>> -- 
>> Liviu Chircu
>> www.twitter.com/liviuchircu | www.opensips-solutions.com
>> OpenSIPS Summit 2021 Distributed | www.opensips.org/events
>> 
> 



Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-16 Thread Adrian Georgescu
Hi Liviu,

I understand now better the purpose of that field and it is indeed not needed 
anymore!

Regards,
Adrian

> On 16 Aug 2021, at 12:55, Liviu Chircu  wrote:
> 
> On 13.08.2021 14:12, Adrian Georgescu wrote:
>> 
>> I would very much like to see this feature ported back to 3.2 please!
> 
> Hi,
> 
> Could you offer a bit more info on why you would want it?  Like what kind of 
> SIP phones are still out there that cannot handle the SIP auth specs in 2021? 
>  If you think about it, they won't work with other SIP servers: no commercial 
> SIP server and no Asterisk, FS, PJSIP, SIP.js, drachtio, reSIPprocate, etc.:  
> Not a single one of these implement this crazy "ha1b" feature, and none of 
> them give a single damn if the phone is poorly implemented and appends the 
> "@realm" part in the username component: they will happily reply with 401 
> Unauthorized until the implementor fixes the phone.
> 
> So why should OpenSIPS have this feature? Also, I suggest you open a GitHub 
> feature request [1] as well on this topic -- maybe we get more opinions from 
> there as well.
> 
> [1]: https://github.com/OpenSIPS/opensips/issues
> 
> Best,
> 
> -- 
> Liviu Chircu
> www.twitter.com/liviuchircu | www.opensips-solutions.com
> OpenSIPS Summit 2021 Distributed | www.opensips.org/events
> 




Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-16 Thread Liviu Chircu

On 13.08.2021 14:12, Adrian Georgescu wrote:
> I would very much like to see this feature ported back to 3.2 please!

Hi,

Could you offer a bit more info on why you would want it?  Like what 
kind of SIP phones are still out there that cannot handle the SIP auth 
specs in 2021?  If you think about it, they won't work with other SIP 
servers: no commercial SIP server and no Asterisk, FS, PJSIP, SIP.js, 
drachtio, reSIPprocate, etc.:  Not a single one of these implement this 
crazy "ha1b" feature, and none of them give a single damn if the phone 
is poorly implemented and appends the "@realm" part in the username 
component: they will happily reply with 401 Unauthorized until the 
implementor fixes the phone.


So why should OpenSIPS have this feature? Also, I suggest you open a 
GitHub feature request [1] as well on this topic -- maybe we get more 
opinions from there as well.


[1]: https://github.com/OpenSIPS/opensips/issues

Best,

--
Liviu Chircu
www.twitter.com/liviuchircu | www.opensips-solutions.com
OpenSIPS Summit 2021 Distributed | www.opensips.org/events




Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-16 Thread Liviu Chircu

On 12.08.2021 22:04, Adrian Georgescu wrote:
> Aug 12 20:51:59 live01 /usr/sbin/opensips[10064]: 
> ERROR:db_mysql:db_mysql_store_result: driver error: Commands out of 
> sync; you can't run this command now
> Aug 12 20:51:59 live01 /usr/sbin/opensips[10064]: 
> ERROR:auth_db:get_ha1: failed to query database
> Aug 12 20:52:00 live01 /usr/sbin/opensips[10057]: 
> ERROR:db_mysql:db_mysql_store_result: driver error: Commands out of 
> sync; you can't run this command now
> Aug 12 20:52:00 live01 /usr/sbin/opensips[10057]: 
> ERROR:auth_db:get_ha1: failed to query database

Hi Adrian,

This issue should now be fixed on latest 3.2, per [1].

[1]: https://github.com/OpenSIPS/opensips/commit/c871d9edfce

Best,

--
Liviu Chircu
www.twitter.com/liviuchircu | www.opensips-solutions.com
OpenSIPS Summit 2021 Distributed | www.opensips.org/events




Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-13 Thread Adrian Georgescu
On 12 Aug 2021, at 13:04, Liviu Chircu  wrote:
> 
> On 12.08.2021 18:36, Adrian Georgescu wrote:
>> The auth_db module has some dramatic changes which are either undocumented 
>> or not backwards compatible and it is unclear how to handle this.
>> 
>> https://opensips.org/docs/modules/3.1.x/auth_db.html#param_password_column_2 
> 
> Hi Adrian,
> 
> Indeed, with the addition of RFC 8760 support (support for SHA-256 and 
> SHA-512-256 auth algorithms), me and Maksym Sobolyev decided to try and 
> remove the "ha1b" feature, originally designed to accommodate some broken SIP 
> UAs who cannot follow the basic SIP authentication spec.  The feature had 
> been in there since the very beginnings, and we were not sure if anyone is 
> really benefiting from it anymore nowadays.
> 
> A strong reason for removing "ha1b" was the sheer number of hashes to be 
> stored per subscriber.  Since we now have 3 algorithms (MD5, SHA-256, 
> SHA-512-256), there are 3 hash-columns to store.  With the "ha1b" feature, 
> there would be 2 x 3 = 6 hashes in total to store, per user.  So you can see 
> where this is going: "Can we get away with dropping ha1b and storing half the 
> data per user?" ... was the big question.
> 
> Still, we agreed that if there is still enough traction for the "ha1b" 
> feature from the community, we can easily re-add the ha1b logic and 3 more 
> columns to the table and backport everything to 3.2.  It's a trivial task, 
> frankly.
> 
Hi Liviu,

I would very much like to see this feature ported back to 3.2 please!

Regards,
Adrian
 




Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-12 Thread Liviu Chircu

On 12.08.2021 22:04, Adrian Georgescu wrote:
> What can be the reason for this?

This exact issue seems to be the object of two identical GitHub issues: 
[1], [2].  Will take a look at this tomorrow and see if I can reproduce.


[1]: https://github.com/OpenSIPS/opensips/issues/2586
[2]: https://github.com/OpenSIPS/opensips/issues/2593

Cheers,

--
Liviu Chircu
www.twitter.com/liviuchircu | www.opensips-solutions.com
OpenSIPS Summit 2021 Distributed | www.opensips.org/events




Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-12 Thread Adrian Georgescu
After removing the ha1b column, I am now getting the following errors and 
authentication does not work:

Aug 12 20:51:59 live01 /usr/sbin/opensips[10064]: 
ERROR:db_mysql:db_mysql_store_result: driver error: Commands out of sync; you 
can't run this command now
Aug 12 20:51:59 live01 /usr/sbin/opensips[10064]: ERROR:auth_db:get_ha1: failed 
to query database
Aug 12 20:52:00 live01 /usr/sbin/opensips[10057]: 
ERROR:db_mysql:db_mysql_store_result: driver error: Commands out of sync; you 
can't run this command now
Aug 12 20:52:00 live01 /usr/sbin/opensips[10057]: ERROR:auth_db:get_ha1: failed 
to query database

auth_db module configuration:

modparam("auth_db", "calculate_ha1", 0)
modparam("auth_db", "password_column",   "ha1")
modparam("auth_db", "user_column",   "username")
modparam("auth_db", "domain_column", "domain")

What can be the reason for this?

Regards,
Adrian



> On 12 Aug 2021, at 13:04, Liviu Chircu  wrote:
> 
> On 12.08.2021 18:36, Adrian Georgescu wrote:
>> The auth_db module has some dramatic changes which are either undocumented 
>> or not backwards compatible and it is unclear how to handle this.
>> 
>> https://opensips.org/docs/modules/3.1.x/auth_db.html#param_password_column_2 
> 
> Hi Adrian,
> 
> Indeed, with the addition of RFC 8760 support (support for SHA-256 and 
> SHA-512-256 auth algorithms), me and Maksym Sobolyev decided to try and 
> remove the "ha1b" feature, originally designed to accommodate some broken SIP 
> UAs who cannot follow the basic SIP authentication spec.  The feature had 
> been in there since the very beginnings, and we were not sure if anyone is 
> really benefiting from it anymore nowadays.
> 
> A strong reason for removing "ha1b" was the sheer number of hashes to be 
> stored per subscriber.  Since we now have 3 algorithms (MD5, SHA-256, 
> SHA-512-256), there are 3 hash-columns to store.  With the "ha1b" feature, 
> there would be 2 x 3 = 6 hashes in total to store, per user.  So you can see 
> where this is going: "Can we get away with dropping ha1b and storing half the 
> data per user?" ... was the big question.
> 
> Still, we agreed that if there is still enough traction for the "ha1b" 
> feature from the community, we can easily re-add the ha1b logic and 3 more 
> columns to the table and backport everything to 3.2.  It's a trivial task, 
> frankly.
> 
> The big question is: on your platform(s), can you control the software in all 
> SIP UAs that incorrectly include "realm" information in the "username" field 
> (which should really be just the user's name!) and fix the problem on the 
> phone side?
> 
> PS: I noticed the 3.2 migration page is missing any info on ha1b.  Will get 
> it fixed soon, depending on the outcome of the discussion.
> 
> Best Regards,
> 
> -- 
> Liviu Chircu
> www.twitter.com/liviuchircu  | 
> www.opensips-solutions.com 
> OpenSIPS Summit 2021 Distributed | www.opensips.org/events 



Re: [OpenSIPS-Users] auth_db module in 3.2.2

2021-08-12 Thread Liviu Chircu

On 12.08.2021 18:36, Adrian Georgescu wrote:
> The auth_db module has some dramatic changes which are either 
> undocumented or not backwards compatible and it is unclear how to handle 
> this.
>
> https://opensips.org/docs/modules/3.1.x/auth_db.html#param_password_column_2

Hi Adrian,

Indeed, with the addition of RFC 8760 support (support for SHA-256 and 
SHA-512-256 auth algorithms), me and Maksym Sobolyev decided to try and 
remove the "ha1b" feature, originally designed to accommodate some 
broken SIP UAs who cannot follow the basic SIP authentication spec.  The 
feature had been in there since the very beginnings, and we were not 
sure if anyone is really benefiting from it anymore nowadays.


A strong reason for removing "ha1b" was the sheer number of hashes to be 
stored per subscriber.  Since we now have 3 algorithms (MD5, SHA-256, 
SHA-512-256), there are 3 hash-columns to store.  With the "ha1b" 
feature, there would be 2 x 3 = 6 hashes in total to store, per user.  
So you can see where this is going: /"Can we get away with dropping ha1b 
and storing half the data per user?"/ ... was the big question.


Still, we agreed that if there is still enough traction for the "ha1b" 
feature from the community, we can easily re-add the ha1b logic and 3 
more columns to the table and backport everything to 3.2.  It's a 
trivial task, frankly.


The big question is: on your platform(s), can you control the software 
in all SIP UAs that incorrectly include "realm" information in the 
"username" field (which should really be just the *user's name*!) 
and fix the problem on the phone side?


PS: I noticed the 3.2 migration page is missing any info on ha1b.  Will 
get it fixed soon, depending on the outcome of the discussion.


Best Regards,

--
Liviu Chircu
www.twitter.com/liviuchircu | www.opensips-solutions.com
OpenSIPS Summit 2021 Distributed | www.opensips.org/events
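
Added example (not part of the original thread and not OpenSIPS code): the ha1 / ha1b distinction and the 3-versus-6 hash count described in the message above, worked through in Python. The subscriber, password, nonce, dictionary keys and the rule of using ha1b when the username contains "@" are assumptions for illustration, the realm is assumed equal to the domain, and qop is omitted.

```python
import hashlib
import hmac

# RFC 8760 algorithm names -> hashlib names; any the local OpenSSL lacks are skipped.
ALGS = {n: h for n, h in [("MD5", "md5"), ("SHA-256", "sha256"),
                          ("SHA-512-256", "sha512_256")]
        if h in hashlib.algorithms_available}

def H(alg, text):
    return hashlib.new(ALGS[alg], text.encode()).hexdigest()

def ha1(alg, username, realm, password):
    """HA1 = H(username:realm:password), the value kept in a password column."""
    return H(alg, f"{username}:{realm}:{password}")

def subscriber_row(user, domain, password, with_ha1b):
    """Hashes stored for one subscriber; keys are illustrative, not real column names."""
    row = {}
    for alg in ALGS:
        row[f"ha1/{alg}"] = ha1(alg, user, domain, password)
        if with_ha1b:  # same hash, but with "@domain" inside the username part
            row[f"ha1b/{alg}"] = ha1(alg, f"{user}@{domain}", domain, password)
    return row

def ua_response(alg, auth_user, realm, password, method, uri, nonce):
    """Digest response as the phone computes it (no qop, to keep the example short)."""
    ha2 = H(alg, f"{method}:{uri}")
    return H(alg, f"{ha1(alg, auth_user, realm, password)}:{nonce}:{ha2}")

def server_check(row, alg, auth_user, method, uri, nonce, response):
    """Verify from stored hashes only. Assumed rule: use ha1b if the username has '@'."""
    key = f"ha1b/{alg}" if "@" in auth_user and f"ha1b/{alg}" in row else f"ha1/{alg}"
    expected = H(alg, f"{row[key]}:{nonce}:{H(alg, f'{method}:{uri}')}")
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample subscriber and challenge values.
    req = ("REGISTER", "sip:example.com", "constructed-nonce-0001")
    plain = subscriber_row("alice", "example.com", "s3cret", with_ha1b=False)
    both = subscriber_row("alice", "example.com", "s3cret", with_ha1b=True)
    print(len(plain), "hashes without ha1b,", len(both), "with ha1b")
    for user in ("alice", "alice@example.com"):
        resp = ua_response("MD5", user, "example.com", "s3cret", *req)
        print(user, "| ha1 only:", server_check(plain, "MD5", user, *req, resp),
              "| ha1+ha1b:", server_check(both, "MD5", user, *req, resp))
```

Because the server stores only hashes, it cannot re-derive the "user@domain" variant from the ha1 value: a phone that puts the domain in the username field can only be authenticated if the second hash was stored at provisioning time.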



[OpenSIPS-Users] auth_db module in 3.2.2

2021-08-12 Thread Adrian Georgescu
The auth_db module has some dramatic changes which are either undocumented or 
not backwards compatible and it is unclear how to handle this.

https://opensips.org/docs/modules/3.1.x/auth_db.html#param_password_column_2 


Aug 12 17:34:10 [3179] CRITICAL:core:yyerror: parse error in 
/etc/opensips/opensips.cfg.tmp:1170:20-21: Parameter  not 
found in module  - can't set
Aug 12 17:34:10 [3179] modparam("auth_db", "calculate_ha1", 0)
Aug 12 17:34:10 [3179] modparam("auth_db", "password_column",   "ha1")
Aug 12 17:34:10 [3179] modparam("auth_db", "password_column_2", "ha1b")
Aug 12 17:34:10 [3179] ^~
Aug 12 17:34:10 [3179] modparam("auth_db", "user_column",   "username")
Aug 12 17:34:10 [3179] modparam("auth_db", "domain_column", "domain")
Aug 12 17:34:10 [3179] ERROR:core:parse_opensips_cfg: bad config file (1 errors)

password_column_2 parameter has vanished in 3.2.2 and we relied heavily on its 
presence as it contained a recalculated hash including the domain name.

How should we deal with this?

Regards,
Adrian
