On Wednesday 12 September 2007, Ben Smithurst wrote:
> I wrote:
> > We have a problem with clients authorizing (whether for INVITE or
> > REGISTER) against a pair of openser servers, served via either round
> > robin A records, or multiple equal preference SRV records.
> >
> > The problem in a nutshell is
> >
> > client sends INVITE to server 1
> > server 1 replies with authorization challenge
> > client sends INVITE with auth to server 2
> > server 2 doesn't like the 'nonce' value
> [..]
> For the record, and the benefit of anyone searching the archives for a
> similar problem, I was being stupid. Sorry to bother you all....
>
> I read the code and found a bit more. So, nonce values are not stored
> at all as far as I can tell, this was actually my initial thought about
> nonce values, I just couldn't work out why it wouldn't work across
> multiple servers.
>
> Turns out the default setup in openser (quite reasonably) is for the
> secret string used in generating the nonce to be generated at run time.
> If you use multiple servers it seems necessary to explicitly set the
> secret the same on all servers
>
> modparam("auth", "secret", "blah")
>
> I wonder if it is worth putting a note about this multiple server issue
> in the documentation for the 'secret' parameter - might just help people
> googling/reading docs to solve the problem. :-)

Hello Ben,

I've added a note about this topic to the module documentation. However,
the use of a shared (and fixed) secret as nonce is insecure, much better
is to stay with the default.

Cheers,

Henning

_______________________________________________
Users mailing list
Users@openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
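
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not openser's code: a simplified model of a stateless nonce (expiry timestamp plus a MAC keyed by the server secret) checked by a second server. The AuthServer class, the HMAC-SHA256 construction, the lifetime, the sample timestamp and the sample secret are assumptions made for illustration; openser's actual nonce format is not shown on this page.

```python
import hashlib
import hmac
import os
import time

NONCE_LIFETIME = 300  # seconds; constructed value for this example


class AuthServer:
    """Model of a server issuing stateless digest-auth nonces (hypothetical class)."""

    def __init__(self, secret=None):
        # With no configured secret, a random one is generated at start-up,
        # mirroring the default behaviour described in the thread.
        self.secret = secret if secret is not None else os.urandom(32)

    def _mac(self, expires_hex):
        return hmac.new(self.secret, expires_hex.encode(), hashlib.sha256).hexdigest()

    def issue_nonce(self, now=None):
        # Nonce = expiry timestamp + MAC over it; nothing is stored server-side.
        now = time.time() if now is None else now
        expires_hex = format(int(now) + NONCE_LIFETIME, "08x")
        return expires_hex + self._mac(expires_hex)

    def check_nonce(self, nonce, now=None):
        # Recompute the MAC with *this* server's secret and compare.
        now = time.time() if now is None else now
        expires_hex, mac = nonce[:8], nonce[8:]
        if not hmac.compare_digest(mac, self._mac(expires_hex)):
            return "bad-mac"  # issued under a different secret, or altered
        if int(expires_hex, 16) < now:
            return "expired"
        return "ok"


def challenge_on_one_verify_on_other(server1, server2, now=1_189_600_000):
    """Client is challenged by server1, then retries with auth against server2."""
    nonce = server1.issue_nonce(now)
    return server2.check_nonce(nonce, now + 1)


if __name__ == "__main__":
    # Two servers with run-time generated secrets, then two with the same secret.
    print(challenge_on_one_verify_on_other(AuthServer(), AuthServer()))
    shared = b"constructed-shared-secret"
    print(challenge_on_one_verify_on_other(AuthServer(shared), AuthServer(shared)))
```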