Re: [OpenSIPS-Users] Nonce expire

2010-04-12 Thread Bogdan-Andrei Iancu
Hi Daniel,

the nonce checking assumes a kind of state and does not work correctly if 
you do not properly handle the retransmissions. For example:

   1) you get an INVITE with credentials, you successfully authenticate it 
and you start processing it for forwarding
   2) before sending a reply for the first INVITE, you get a 
retransmission for it -> same credentials, auth fails -> negative reply.

so, you end up with an inconsistency -> you did both reply and forward, 
as you processed the transmissions differently due to the nonce checking

What you can do is to create the transaction state before the 
authentication (using t_newtran()), so that your retransmissions 
will be absorbed by the transaction engine.

Regards,
Bogdan

Daniel Goepp wrote:
> Thanks for the update.  I did notice that parameter, but I don't want 
> to disable it.  I guess for now I will just accept the higher load of 
> authing every register.  I also found that I had a device that was not 
> behaving right either.  I will look into this one further.  Sorry for 
> the flood of emails, I was really banging my head the other day on 
> this one.
>
> -dg
>
>
> On Fri, Apr 2, 2010 at 11:38 PM, Bogdan-Andrei Iancu <bog...@voice-system.ro> wrote:
>
> Hi Daniel,
>
> it is because of the nonce reusage - opensips (by default) uses a nonce for
> a single authentication, after that it reports it as stale.
> If you want to disable this behaviour (to enable nonce reusage), see the
> auth param "disable_nonce_check" :
> http://www.opensips.org/html/docs/modules/1.6.x/auth.html#id228317
>
> Regards,
> Bogdan
>
> Daniel Goepp wrote:
> > Ah...I see what that retcode is anyway, 2^32 = 4294967296, so those
> > are really just -4 first, no credentials, then -3 stale nonce
> >
> > -dg
> >
> >
> > On Fri, Apr 2, 2010 at 1:50 PM, Daniel Goepp wrote:
> > >
> > > A quick follow up on this, I enabled some logging, but the retcode
> > > is not making any sense to me (probably because I'm using it wrong).
> > >
> > > From my config:
> > >
> > >     xlog ("REGISTER $fu");
> > >     # authenticate the REGISTER requests (uncomment to enable auth)
> > >     if (!www_authorize("", "subscriber"))
> > >     {
> > >         xlog ("Not authorized - challenging, error: $retcode");
> > >         www_challenge("", "1");
> > >         exit;
> > >     }
> > >
> > > Then in the log:
> > >
> > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
> > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:49:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
> > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:50:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
> > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > >
> > > Also I'm running 1.6.2-tls compiled today from latest 1_6 branch in SVN.
> > >
> > > -dg
> > >
> > >
> > > On F
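
The retransmission case described in the 2010-04-12 reply above, modelled as an added example that is not part of the thread and is not OpenSIPS code. The `ToyProxy` class, the reduced transaction key (Via branch, CSeq) and all message values are assumptions made for the illustration.

```python
# Added illustration (not OpenSIPS code): a toy proxy with one-shot nonces.
# Transaction matching is reduced to (Via branch, CSeq); all values are constructed.


class ToyProxy:
    def __init__(self, transaction_before_auth):
        self.transaction_before_auth = transaction_before_auth
        self.used_nonces = set()    # state kept by the nonce check
        self.transactions = set()   # state kept by the transaction layer

    def _authenticate(self, nonce):
        """One-shot nonce: the first use passes, any later use is stale."""
        if nonce in self.used_nonces:
            return False
        self.used_nonces.add(nonce)
        return True

    def receive(self, msg):
        """Return what the proxy does with one incoming request."""
        key = (msg["branch"], msg["cseq"])
        if self.transaction_before_auth:
            # Stands in for calling t_newtran() before authentication:
            # a retransmission matches the transaction and never reaches auth.
            if key in self.transactions:
                return "absorbed"
            self.transactions.add(key)
        if not self._authenticate(msg["nonce"]):
            return "challenge"
        return "forward"


def run(transaction_before_auth):
    """Feed an INVITE, its retransmission and a later request reusing the nonce."""
    proxy = ToyProxy(transaction_before_auth)
    invite = {"branch": "z9hG4bK-constructed-1", "cseq": "2 INVITE", "nonce": "n-1"}
    retransmission = dict(invite)  # identical resend of the same request
    reuse = dict(invite, branch="z9hG4bK-constructed-2", cseq="3 INVITE")
    return [proxy.receive(m) for m in (invite, retransmission, reuse)]


if __name__ == "__main__":
    print("auth first:       ", run(False))
    print("transaction first:", run(True))
```

With authentication first, the same INVITE is both forwarded and challenged; with the transaction created first, the retransmission is absorbed while a new request reusing the old nonce is still challenged.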

Re: [OpenSIPS-Users] Nonce expire

2010-04-03 Thread Daniel Goepp
Thanks for the update.  I did notice that parameter, but I don't want to
disable it.  I guess for now I will just accept the higher load of authing
every register.  I also found that I had a device that was not behaving
right either.  I will look into this one further.  Sorry for the flood of
emails, I was really banging my head the other day on this one.

-dg


On Fri, Apr 2, 2010 at 11:38 PM, Bogdan-Andrei Iancu  wrote:

> Hi Daniel,
>
> it is because of the nonce reusage - opensips (by default) uses a nonce for
> a single authentication, after that it reports it as stale.
> If you want to disable this behaviour (to enable nonce reusage), see the
> auth param "disable_nonce_check" :
> http://www.opensips.org/html/docs/modules/1.6.x/auth.html#id228317
>
> Regards,
> Bogdan
>
> Daniel Goepp wrote:
> > Ah...I see what that retcode is anyway, 2^32 = 4294967296, so those
> > are really just -4 first, no credentials, then -3 stale nonce
> >
> > -dg
> >
> >
> > On Fri, Apr 2, 2010 at 1:50 PM, Daniel Goepp wrote:
> > >
> > > A quick follow up on this, I enabled some logging, but the retcode
> > > is not making any sense to me (probably because I'm using it wrong).
> > >
> > > From my config:
> > >
> > >     xlog ("REGISTER $fu");
> > >     # authenticate the REGISTER requests (uncomment to enable auth)
> > >     if (!www_authorize("", "subscriber"))
> > >     {
> > >         xlog ("Not authorized - challenging, error: $retcode");
> > >         www_challenge("", "1");
> > >         exit;
> > >     }
> > >
> > > Then in the log:
> > >
> > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
> > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:49:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
> > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:50:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
> > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > >
> > > Also I'm running 1.6.2-tls compiled today from latest 1_6 branch in SVN.
> > >
> > > -dg
> > >
> > >
> > > On Fri, Apr 2, 2010 at 1:40 PM, Daniel Goepp wrote:
> > >>
> > >> I'm having some trouble with nonce expiring I believe.  The problem
> > >> is that every other one of my endpoint registrations is doing an auth
> > >> challenge w/401.
> > >>
> > >> From my config:
> > >> modparam("registrar", "default_expires", 60)
> > >> modparam("registrar", "min_expires", 60)
> > >> modparam("registrar", "max_expires", 60)
> > >>
> > >> modparam("auth", "nonce_expire", 3600)
> > >>
> > >> From this I would expect the devices to try to register every 60
> > >> seconds, and get challenged every hour with a new nonce.
> > >>
> > >> Comments on why OpenSIPS is challenging every other registration?
> > >>
> > >> Thanks
> > >>
> > >> -dg
> > >
> >
> > 
> >
> > ___
> > Users mailing list
> > Users@lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
>
>
> --
> Bogdan-Andrei Iancu
> www.voice-system.ro
>
>


Re: [OpenSIPS-Users] Nonce expire

2010-04-02 Thread Bogdan-Andrei Iancu
Hi Daniel,

it is because of the nonce reusage - opensips (by default) uses a nonce for 
a single authentication, after that it reports it as stale.
If you want to disable this behaviour (to enable nonce reusage), see the 
auth param "disable_nonce_check" :
http://www.opensips.org/html/docs/modules/1.6.x/auth.html#id228317

Regards,
Bogdan

Daniel Goepp wrote:
> Ah...I see what that retcode is anyway, 2^32 = 4294967296, so those 
> are really just -4 first, no credentials, then -3 stale nonce
>
> -dg
>
>
> On Fri, Apr 2, 2010 at 1:50 PM, Daniel Goepp wrote:
> >
> > A quick follow up on this, I enabled some logging, but the retcode
> > is not making any sense to me (probably because I'm using it wrong).
> >
> > From my config:
> >
> >     xlog ("REGISTER $fu");
> >     # authenticate the REGISTER requests (uncomment to enable auth)
> >     if (!www_authorize("", "subscriber"))
> >     {
> >         xlog ("Not authorized - challenging, error: $retcode");
> >         www_challenge("", "1");
> >         exit;
> >     }
> >
> > Then in the log:
> >
> > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
> > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:49:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
> > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:50:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
> > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> >
> > Also I'm running 1.6.2-tls compiled today from latest 1_6 branch in SVN.
> >
> > -dg
> >
> >
> > On Fri, Apr 2, 2010 at 1:40 PM, Daniel Goepp wrote:
> >>
> >> I'm having some trouble with nonce expiring I believe.  The problem
> >> is that every other one of my endpoint registrations is doing an auth
> >> challenge w/401.
> >>
> >> From my config:
> >> modparam("registrar", "default_expires", 60)
> >> modparam("registrar", "min_expires", 60)
> >> modparam("registrar", "max_expires", 60)
> >>
> >> modparam("auth", "nonce_expire", 3600)
> >>
> >> From this I would expect the devices to try to register every 60
> >> seconds, and get challenged every hour with a new nonce.
> >>
> >> Comments on why OpenSIPS is challenging every other registration?
> >>
> >> Thanks
> >>
> >> -dg
> >
>
> 
>
>   


-- 
Bogdan-Andrei Iancu
www.voice-system.ro




Re: [OpenSIPS-Users] Nonce expire

2010-04-02 Thread Daniel Goepp
Or just bad math on my part, I turned up logging, and found:

Apr  2 15:15:58 ip-10-160-23-47 /usr/local/sbin/opensips[30579]:
DBG:auth:pre_auth: credentials with given realm not found

So it would appear this is not in fact a nonce expire issue, but a
credentials disappearing issue.  Not sure why those credentials are
disappearing so consistently every other register.

-dg


On Fri, Apr 2, 2010 at 2:06 PM, Daniel Goepp  wrote:

> Ah...I see what that retcode is anyway, 2^32 = 4294967296, so those are
> really just -4 first, no credentials, then -3 stale nonce
>
> -dg
>
>
>
> On Fri, Apr 2, 2010 at 1:50 PM, Daniel Goepp  wrote:
> >
> > A quick follow up on this, I enabled some logging, but the retcode is not
> > making any sense to me (probably because I'm using it wrong).
> >
> > From my config:
> >
> >     xlog ("REGISTER $fu");
> >     # authenticate the REGISTER requests (uncomment to enable auth)
> >     if (!www_authorize("", "subscriber"))
> >     {
> >         xlog ("Not authorized - challenging, error: $retcode");
> >         www_challenge("", "1");
> >         exit;
> >     }
> >
> > Then in the log:
> >
> > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
> > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:49:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
> > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:50:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
> > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> >
> > Also I'm running 1.6.2-tls compiled today from latest 1_6 branch in SVN.
> >
> > -dg
> >
> >
> > On Fri, Apr 2, 2010 at 1:40 PM, Daniel Goepp  wrote:
> >>
> >> I'm having some trouble with nonce expiring I believe.  The problem is
> >> that every other one of my endpoint registrations is doing an auth challenge
> >> w/401.
> >>
> >> From my config:
> >> modparam("registrar", "default_expires", 60)
> >> modparam("registrar", "min_expires", 60)
> >> modparam("registrar", "max_expires", 60)
> >>
> >> modparam("auth", "nonce_expire", 3600)
> >>
> >> From this I would expect the devices to try to register every 60
> >> seconds, and get challenged every hour with a new nonce.
> >>
> >> Comments on why OpenSIPS is challenging every other registration?
> >>
> >> Thanks
> >>
> >> -dg
> >
>
>


Re: [OpenSIPS-Users] Nonce expire

2010-04-02 Thread Daniel Goepp
Ah...I see what that retcode is anyway, 2^32 = 4294967296, so those are
really just -4 first, no credentials, then -3 stale nonce

-dg


On Fri, Apr 2, 2010 at 1:50 PM, Daniel Goepp  wrote:
>
> A quick follow up on this, I enabled some logging, but the retcode is not
> making any sense to me (probably because I'm using it wrong).
>
> From my config:
>
>     xlog ("REGISTER $fu");
>     # authenticate the REGISTER requests (uncomment to enable auth)
>     if (!www_authorize("", "subscriber"))
>     {
>         xlog ("Not authorized - challenging, error: $retcode");
>         www_challenge("", "1");
>         exit;
>     }
>
> Then in the log:
>
> Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
> Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> Apr  2 13:49:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
> Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> Apr  2 13:50:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
> Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
> Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
> Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
>
> Also I'm running 1.6.2-tls compiled today from latest 1_6 branch in SVN.
>
> -dg
>
>
> On Fri, Apr 2, 2010 at 1:40 PM, Daniel Goepp  wrote:
>>
>> I'm having some trouble with nonce expiring I believe.  The problem is
>> that every other one of my endpoint registrations is doing an auth challenge
>> w/401.
>>
>> From my config:
>> modparam("registrar", "default_expires", 60)
>> modparam("registrar", "min_expires", 60)
>> modparam("registrar", "max_expires", 60)
>>
>> modparam("auth", "nonce_expire", 3600)
>>
>> From this I would expect the devices to try to register every 60 seconds,
>> and get challenged every hour with a new nonce.
>>
>> Comments on why OpenSIPS is challenging every other registration?
>>
>> Thanks
>>
>> -dg
>
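
The 2^32 wrap-around worked out in the message above, as an added example that is not part of the thread: it reads challenge lines in the log format shown there and reinterprets the printed `$retcode` as a signed 32-bit value. The sample log is constructed (host name and URI are made up), and the names given to -4 and -3 are the ones stated in the message.

```python
import re

# Names for -4 and -3 are the ones given in the thread; other codes stay unnamed.
RETCODE_NAMES = {-4: "no credentials", -3: "stale nonce"}

CHALLENGE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ \S*opensips\[(?P<pid>\d+)\]: "
    r"Not authorized - challenging, error: (?P<code>\d+)\s*$"
)

# Constructed sample in the format of the thread's log (host and URI are made up).
SAMPLE_LOG = """\
Apr  2 13:49:38 sip-proxy /usr/local/sbin/opensips[30180]: REGISTER sip:alice@example.com
Apr  2 13:49:38 sip-proxy /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
Apr  2 13:49:58 sip-proxy /usr/local/sbin/opensips[30180]: REGISTER sip:alice@example.com
Apr  2 13:50:18 sip-proxy /usr/local/sbin/opensips[30182]: REGISTER sip:alice@example.com
Apr  2 13:50:18 sip-proxy /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
"""


def to_signed32(value):
    """Reinterpret a number printed as unsigned 32-bit as a signed 32-bit integer."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def decode_challenges(log_text):
    """Return (timestamp, pid, signed retcode, meaning) for each challenge line."""
    decoded = []
    for line in log_text.splitlines():
        match = CHALLENGE_RE.match(line)
        if match is None:
            continue  # REGISTER lines and anything else are skipped
        code = to_signed32(int(match.group("code")))
        decoded.append((match.group("ts"), int(match.group("pid")), code,
                        RETCODE_NAMES.get(code, "unnamed")))
    return decoded


if __name__ == "__main__":
    for row in decode_challenges(SAMPLE_LOG):
        print(row)
```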


Re: [OpenSIPS-Users] Nonce expire

2010-04-02 Thread Daniel Goepp
A quick follow up on this, I enabled some logging, but the retcode is not
making any sense to me (probably because I'm using it wrong).

From my config:

    xlog ("REGISTER $fu");
    # authenticate the REGISTER requests (uncomment to enable auth)
    if (!www_authorize("", "subscriber"))
    {
        xlog ("Not authorized - challenging, error: $retcode");
        www_challenge("", "1");
        exit;
    }

Then in the log:

Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
Apr  2 13:49:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
Apr  2 13:50:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com
Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1...@vidtel.com
Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1...@vidtel.com

Also I'm running 1.6.2-tls compiled today from latest 1_6 branch in SVN.

-dg


On Fri, Apr 2, 2010 at 1:40 PM, Daniel Goepp  wrote:

> I'm having some trouble with nonce expiring I believe.  The problem is that
> every other one of my endpoint registrations is doing an auth challenge
> w/401.
>
> From my config:
> modparam("registrar", "default_expires", 60)
> modparam("registrar", "min_expires", 60)
> modparam("registrar", "max_expires", 60)
>
> modparam("auth", "nonce_expire", 3600)
>
> From this I would expect the devices to try to register every 60 seconds,
> and get challenged every hour with a new nonce.
>
> Comments on why OpenSIPS is challenging every other registration?
>
> Thanks
>
> -dg
>