[OpenSIPS-Users] Nonce expire

Bogdan-Andrei Iancu bogdan at voice-system.ro
Mon Apr 12 15:13:48 CEST 2010


Hi Daniel,

the nonce checking assumes a kind of state and does not work correctly if 
you do not handle the retransmissions properly. For example:

   1) you get INVITE with credentials, you successfully authenticate it 
and you start processing it for forwarding
   2) before sending a reply for the first INVITE, you get a 
retransmission for it -> same credentials, auth fails -> negative reply.

So, you end up with an inconsistency -> you both replied and forwarded, 
as you processed the transmissions differently due to the nonce checking.

What you can do is to create the transaction state before the 
authentication (using t_newtran() ), so that your retransmissions 
will be absorbed by the transaction engine.

Regards,
Bogdan

Daniel Goepp wrote:
> Thanks for the update.  I did notice that parameter, but I don't want 
> to disable it.  I guess for now I will just accept the higher load of 
> authing every register.  I also found that I had a device that was not 
> behaving right either.  I will look into this one further.  Sorry for 
> the flood of emails, I was really banging my head the other day on 
> this one.
>
> -dg
>
>
> On Fri, Apr 2, 2010 at 11:38 PM, Bogdan-Andrei Iancu 
> <bogdan at voice-system.ro> wrote:
>
>     Hi Daniel,
>
>     it is because of the nonce reusage - opensips (by default) uses a
>     nonce for a single authentication, after that it reports it as stale.
>     If you want to disable this behaviour (to enable nonce reusage), see the
>     auth param "disable_nonce_check" :
>        http://www.opensips.org/html/docs/modules/1.6.x/auth.html#id228317
>
>     Regards,
>     Bogdan
>
>     Daniel Goepp wrote:
>     > Ah...I see what that retcode is anyway, 2^32 = 4294967296, so those
>     > are really just -4 first, no credentials, then -3 stale nonce
>     >
>     > -dg
>     >
>     >
>     > On Fri, Apr 2, 2010 at 1:50 PM, Daniel Goepp <dan at goepp.net> wrote:
>     > >
>     > > A quick follow up on this, I enabled some logging, but the retcode
>     > is not making any sense to me (probably because I'm using it wrong).
>     > >
>     > > From my config:
>     > >
>     > >                 xlog ("REGISTER $fu");
>     > >                 # authenticate the REGISTER requests (uncomment to enable auth)
>     > >                 if (!www_authorize("", "subscriber"))
>     > >                 {
>     > >                         xlog ("Not authorized - challenging, error: $retcode");
>     > >                         www_challenge("", "1");
>     > >                         exit;
>     > >                 }
>     > >
>     > > Then in the log:
>     > >
>     > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1001 at vidtel.com
>     > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
>     > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1001 at vidtel.com
>     > > Apr  2 13:49:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1001 at vidtel.com
>     > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1001 at vidtel.com
>     > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
>     > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1001 at vidtel.com
>     > > Apr  2 13:50:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1001 at vidtel.com
>     > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1001 at vidtel.com
>     > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
>     > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1001 at vidtel.com
>     > >
>     > > Also I'm running 1.6.2-tls compiled today from latest 1_6 branch in SVN.
>     > >
>     > > -dg
>     > >
>     > >
>     > > On Fri, Apr 2, 2010 at 1:40 PM, Daniel Goepp <dan at goepp.net> wrote:
>     > >>
>     > >> I'm having some trouble with nonce expiring I believe.  The problem
>     > >> is that every other one of my endpoint registrations is doing an auth
>     > >> challenge w/401.
>     > >>
>     > >> From my config:
>     > >> modparam("registrar", "default_expires", 60)
>     > >> modparam("registrar", "min_expires", 60)
>     > >> modparam("registrar", "max_expires", 60)
>     > >>
>     > >> modparam("auth", "nonce_expire", 3600)
>     > >>
>     > >> From this I would expect the devices to try to register every 60
>     > >> seconds, and get challenged every hour with a new nonce.
>     > >>
>     > >> Comments on why OpenSIPS is challenging every other registration?
>     > >>
>     > >> Thanks
>     > >>
>     > >> -dg
>     > >
>     >
>     >
>     ------------------------------------------------------------------------
>     >
>     > _______________________________________________
>     > Users mailing list
>     > Users at lists.opensips.org
>     > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>     >
>
>
>     --
>     Bogdan-Andrei Iancu
>     www.voice-system.ro
>
>
>
>


-- 
Bogdan-Andrei Iancu
www.voice-system.ro
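Bogdan's suggestion written out as a route fragment (an added example, not configuration from this thread or from the OpenSIPS project): the transaction is created with t_newtran() before the credentials are checked, so a retransmission is answered by the transaction engine instead of reaching the single-use nonce check a second time. It assumes OpenSIPS 1.6 with the tm, auth, auth_db, registrar, sl and xlog modules loaded, and reuses the "subscriber" table and qop "1" from Daniel's snippet; the INVITE branch is Bogdan's scenario done the same way.

```cfg
route {
    # REGISTER: same checks as in Daniel's config, but the transaction
    # exists before www_authorize() looks at the nonce
    if (method == "REGISTER") {
        # t_newtran() returns false when the request is a retransmission
        # that tm has already absorbed (or on error), so each nonce is
        # verified exactly once per transaction
        if (!t_newtran()) {
            exit;
        }
        if (!www_authorize("", "subscriber")) {
            # $retcode is negative; syslog printed it as unsigned 32-bit
            # in the thread (4294967293 is -3, 4294967292 is -4)
            xlog("L_INFO", "REGISTER $fu not authorized ($retcode), challenging\n");
            www_challenge("", "1");
            exit;
        }
        if (!save("location")) {
            sl_reply_error();
        }
        exit;
    }

    # INVITE: without the transaction, a retransmission arriving before
    # our reply would fail the nonce check and get a negative reply
    # while the original INVITE is still being forwarded
    if (method == "INVITE") {
        if (!t_newtran()) {
            exit;
        }
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "1");
            exit;
        }
        # strip the Proxy-Authorization header before forwarding
        consume_credentials();
        if (!t_relay()) {
            sl_reply_error();
        }
        exit;
    }
}
```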



