[OpenSIPS-Users] Registrations, Retransmissions and Nonces
Bradley Falzon
brad at teambrad.net
Fri Oct 29 07:06:59 CEST 2010
Hi,
I have been debugging an issue with a particularly intermittent fault
and wanted to get some clarification.
Just like the subject says, it's a story about a Stateless Registrar,
a UAC Retransmitting a Registration, and a Nonce policy.
Basically:
1. Client (UAC) sends Register to Server (UAS)
2. UAS Responds with 401 Unauthorised, but includes a
WWW-Authentication header with Realm and Nonce
3. Using the Realm, Nonce and user supplied Username and Password a
Response is generated and sent to the UAS
4. UAS checks the response and:
4.1 It’ll check the Nonce – and yes it is valid
4.2 It’ll query its database <- let’s presume this takes a second or two
5. UAC then retransmits the packet from step 3
6. UAS finally gets results from the database
6.1 Invalidates the Nonce (can’t be used again)
6.2 Responds with 200 OK
7. UAS receives the Retransmitted Register
7.1 It’ll check the Nonce – it is NOT valid
7.2 Respond with 401 Unauthorised.
An example of this created with Net::SIP to reproduce the error is
available: http://blog.teambrad.net/wp-content/uploads/2010/10/opensips-registration-nonce-retransmission-example.txt
This issue has been discussed before on this list; I don't have the
exact conversation, however the advice seemed to be "make the proxy
stateful".
Looking at this flow, it looks relatively normal: step 6.2 results in a
200 OK, but step 5 was a retransmission. Because the nonce was
invalidated, the retransmitted packet now has an invalid nonce (7.1)
and this results in a 401 Unauthorised with a new nonce (7.2). But
the packet in 7.2 does not contain the parameter 'stale="true"',
causing the UAC to assume that the credentials are wrong, so it won't
re-authenticate.
How can I ensure OpenSIPS (oh, I'm using 1.5.3 btw) sets the
stale="true" flag?
I am quite new to OpenSIPS in production, so it could very well be my
configuration.
--- Some relevant snippets of code: ---
loadmodule "registrar.so"
modparam("registrar", "default_expires", 3600)
modparam("registrar", "min_expires", 60)
modparam("registrar", "max_expires", 0)
modparam("registrar", "path_mode", 1)
modparam("registrar", "received_avp", "$avp(i:801)")
modparam("registrar","sock_flag",18)
modparam("registrar", "sock_hdr_name", "Local-Sock")
modparam("registrar", "use_path", 1)
loadmodule "db_mysql.so"
modparam("db_mysql", "ping_interval", 300)
loadmodule "auth.so"
modparam("auth", "nonce_expire", 300)
modparam("auth", "rpid_suffix", ";party=calling;id-type=subscriber;screen=yes")
modparam("auth", "rpid_avp", "$avp(s:rpid)")
loadmodule "auth_db.so"
modparam("auth_db", "db_url", "mysql://user:pass@db/opensips")
modparam("auth_db", "user_column", "username")
modparam("auth_db", "domain_column", "domain")
modparam("auth_db", "password_column", "password")
modparam("auth_db", "password_column_2", "ha1b")
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "use_domain", 0)
modparam("auth_db", "load_credentials", "$avp(s:caller_uuid)=uuid")
---
if(is_method("REGISTER"))
{
route(11);
}
---
route[11]
{
if(!search("^Contact:[ ]*\*") && nat_uac_test("19"))
{
fix_nated_register();
setbflag(6);
}
if(!www_authorize("", "subscriber"))
{
#xlog("L_INFO", "Register authentication failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
www_challenge("", "0");
exit;
}
if(!check_to())
{
xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
sl_send_reply("403", "Spoofed To-URI Detected");
exit;
}
consume_credentials();
if(!save("location"))
{
xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
sl_reply_error();
exit;
}
exit;
}
--
Bradley Falzon
brad at teambrad.net
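The seven-step flow in the post, modelled as an added example (this is not code from the post, from Net::SIP or from OpenSIPS). It builds a minimal registrar with a one-time-use nonce policy and a UAC that retransmits its credentialed REGISTER, then shows the outcome under three policies: the one the post observes (a consumed nonce is challenged again without stale=true, so the UAC gives up), a challenge that sets stale=true so the UAC simply retries with the fresh nonce, and the stateful alternative the list suggested, where the registrar remembers the final response per (Call-ID, CSeq) and replays it to the retransmission. The realm, username, password, Call-ID and CSeq values are constructed; the digest is RFC 2617 MD5 without qop, and the server stores HA1 = md5(user:realm:password) rather than the password.

```python
"""Model of a stateless registrar, a retransmitted REGISTER and a one-time nonce.

Constructed values throughout; digest is RFC 2617 MD5 (no qop).
"""
import hashlib
import hmac
import secrets


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class Registrar:
    """Single-process registrar: requests are handled strictly in arrival order."""

    def __init__(self, realm, users, stale_on_bad_nonce=False, stateful=False):
        self.realm = realm
        # Credential store keeps HA1 only (like an ha1 column), never the password.
        self.ha1 = {u: md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = set()            # nonces handed out and not yet consumed
        self.stale_on_bad_nonce = stale_on_bad_nonce
        self.stateful = stateful
        self.tx_cache = {}             # (Call-ID, CSeq) -> final response

    def challenge(self, stale):
        nonce = secrets.token_hex(8)
        self.issued.add(nonce)
        hdr = f'Digest realm="{self.realm}", nonce="{nonce}"'
        if stale:
            hdr += ", stale=true"      # "nonce was fine, credentials may be too: retry"
        return {"status": 401, "WWW-Authenticate": hdr,
                "realm": self.realm, "nonce": nonce, "stale": stale}

    def handle(self, req):
        key = (req["Call-ID"], req["CSeq"])
        if self.stateful and key in self.tx_cache:
            return self.tx_cache[key]  # retransmission: replay the final response
        auth = req.get("Authorization")
        if auth is None:
            return self.challenge(stale=False)
        nonce = auth["nonce"]
        if nonce not in self.issued:
            # Unknown or already consumed nonce (step 7.1 in the post).
            return self.challenge(stale=self.stale_on_bad_nonce)
        ha1 = self.ha1.get(auth["username"])
        expected = md5(f"{ha1}:{nonce}:{md5('REGISTER:' + auth['uri'])}") if ha1 else ""
        if not hmac.compare_digest(expected, auth["response"]):
            return self.challenge(stale=False)  # genuinely wrong credentials
        self.issued.discard(nonce)     # step 6.1: nonce is single use
        resp = {"status": 200}
        if self.stateful:
            self.tx_cache[key] = resp
        return resp


class UAC:
    def __init__(self, username, password, uri):
        self.username, self.password, self.uri = username, password, uri
        self.call_id = "constructed-call-id-1"
        self.cseq = 0

    def register(self, challenge=None):
        self.cseq += 1                 # a new attempt bumps CSeq; a retransmit does not
        req = {"method": "REGISTER", "Call-ID": self.call_id, "CSeq": self.cseq}
        if challenge is not None:
            ha1 = md5(f"{self.username}:{challenge['realm']}:{self.password}")
            ha2 = md5(f"REGISTER:{self.uri}")
            req["Authorization"] = {
                "username": self.username, "realm": challenge["realm"],
                "nonce": challenge["nonce"], "uri": self.uri,
                "response": md5(f"{ha1}:{challenge['nonce']}:{ha2}"),
            }
        return req

    @staticmethod
    def on_challenge_after_credentials(resp):
        # Behaviour described in the post: without stale=true the UAC treats
        # a second 401 as "credentials rejected" and stops.
        return "retry" if resp["stale"] else "give_up"


def run_flow(stale_on_bad_nonce=False, stateful=False):
    """Returns (status of first credentialed REGISTER, status of its retransmission,
    stale flag on that reply, final UAC outcome)."""
    reg = Registrar("example.invalid", {"alice": "s3cret"}, stale_on_bad_nonce, stateful)
    uac = UAC("alice", "s3cret", "sip:example.invalid")
    first = reg.handle(uac.register())            # steps 1-2: 401 with nonce
    creds = uac.register(challenge=first)         # step 3
    ok = reg.handle(creds)                        # steps 4 and 6: 200, nonce consumed
    retrans = reg.handle(creds)                   # steps 5 and 7: same packet again
    if retrans["status"] == 200:
        outcome = "registered"
    elif uac.on_challenge_after_credentials(retrans) == "retry":
        again = reg.handle(uac.register(challenge=retrans))
        outcome = "registered" if again["status"] == 200 else "failed"
    else:
        outcome = "gave_up"
    return ok["status"], retrans["status"], bool(retrans.get("stale")), outcome


if __name__ == "__main__":
    print("stateless, no stale flag :", run_flow())
    print("stateless, stale=true    :", run_flow(stale_on_bad_nonce=True))
    print("stateful response cache  :", run_flow(stateful=True))
```

The first case reproduces the post exactly: the original REGISTER gets 200 but the retransmission gets a plain 401, which the UAC reads as bad credentials. Either of the other two policies keeps the client registered; the stateful cache is the stronger fix because the retransmission never reaches the nonce check or the database at all.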