[OpenSIPS-Users] SIP Registration in a Loadbalancing environment
Kevin Mathy
k.mathy at hexanet.fr
Thu Jan 2 16:08:31 CET 2014
An update about my previous mail:
I've tried to change the "disable_nonce_check" value, and set it to "0".
The result is all the same, but there's a difference in the logs.
With *disable_nonce_check* set to *1*:
> Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59128]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
> nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '
> Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]:
> DBG:auth:check_nonce: comparing [52c5766c16b60d6ea7ab8993aac7645275d32b03]
> and [52c5766c4e6664d7e26e5799601c34086c63cd66]
> Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]:
> DBG:auth:pre_auth: invalid nonce value received
> Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
> nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '
> Jan 2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]:
> DBG:auth:pre_auth: stale nonce value received
> Jan 2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
> nonce="52c576918f68aa904540e6467d5a82697ba4b660", stale=true^M '
and with *disable_nonce_check* set to *0*:
> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]:
> DBG:auth:pre_auth: invalid nonce value received
> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]:
> DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1, index= 17
> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
> nonce="52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e", stale=true^M '
> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
> DBG:auth:pre_auth: invalid nonce value received
> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
> DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1, index= 18
> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
> DBG:auth:build_auth_hf: nonce index= 18
> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
> nonce="52c57e2800000012d49d9ee05dd12af13f29ed28bacffb06", stale=true^M '
It seems that the disable check nonce function doesn't completely disable
the nonce checking, as there's still an inspection whatever value is set.
Thanks for your help,
Kevin
Best Regards, *Kevin MATHY* | VoIP Engineer
2014/1/2 Kevin Mathy <k.mathy at hexanet.fr>
> Hi List,
>
> I'm trying to make SIP registering work for my customers with two
> OpenSIPS 1.9 servers sharing the same DNS name.
>
> Here is a schematic:
>
>                              /=====> Registrar Server 1
> SIP Phone =====> Access SBC
>                              \=====> Registrar Server 2
>
>
> I've got the same opensips.cfg on both servers, and here are some
> interesting points of the config:
>
> loadmodule "auth_db.so"
> # ----- auth_db params -----
> modparam("auth_db", "calculate_ha1", yes)
> modparam("auth_db", "use_domain", no)
> modparam("auth_db", "user_column", "username")
> modparam("auth_db", "password_column", "password")
> modparam("auth_db", "password_column_2", "ha1b")
> modparam("auth_db", "db_url","mysql://****************************************** ")
> modparam("auth_db", "load_credentials", "$avp(password)=password")
>
> # ----------------- module auth ---------------
> loadmodule "auth.so"
> # ----- auth params -----
> modparam("auth","username_spec","$var(username)")
> modparam("auth","password_spec","$avp(password)")
> modparam("auth","calculate_ha1",1)
> *modparam("auth","disable_nonce_check", 1)*
>
>
> if (is_method("REGISTER"))
> {
>     xlog("L_INFO","$ci -- New REGISTER received from $si with Contact : $ct\n");
>
>     if (!www_authorize("", "subscriber"))
>     {
>         if ($rc < 0)
>         {
>             switch ($rc)
>             {
>                 case -5:
>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Generic Error");
>                     break;
>                 case -4:
>                     xlog("L_INFO","$ci -- REGISTER Failed because of : No Credentials");
>                     break;
>                 case -3:
>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Stale nonce");
>                     break;
>                 case -2:
>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Valid User but Wrong Password");
>                     break;
>                 case -1:
>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Invalid User");
>                     break;
>             }
>         }
>         www_challenge("", "0");
>         exit;
>     }
>
>     if (!save("location"))
>     {
>         xlog("L_INFO","$ci -- error with save_location from $au\n");
>     }
>     else
>     {
>         xlog("L_INFO","$ci -- save_location is OK from $au\n");
>     }
>
>     exit;
> }
>
>
>
> So, as you can see, I configured the auth module with
> "disable_nonce_check" parameter, because of my "loadbalanced" architecture
> as it's said in the documentation
> (http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250075).
>
> But, when a SIP Phone tries to register, the first Register (without any
> credentials) is sent to the 1st Registrar. It's answered with a 401
> Unauthorized containing a nonce.
> Then, the 2nd Register (with credentials, and the previously given nonce)
> is sent to the 2nd Registrar; but it's still answered with a 401.
>
> Thanks to the return code of www_authorize, I see that it's for the "Stale
> Nonce" reason, even if "disable_nonce_check" is set to 1 ...
>
> Maybe there's a misconfiguration, or a bug; so, I need your help :-)
>
> Thanks a lot,
>
>
>
> Best Regards, *Kevin MATHY* | VoIP Engineer
>
>
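
A log-triage helper for the debug output above, added here as an example; it is not part of the original post or of OpenSIPS. It splits each nonce into fields and classifies the failed `check_nonce` comparison. The field layout (8 hex digits of expiry, an 8-hex-digit index only in the 48-character form, then a 32-hex-digit digest) is an assumption inferred from the log lines themselves (`index= 18` appears as `00000012`), as is reading the first compared value as the received nonce; all function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: debug lines from the post, re-joined onto single lines.
LOG = """\
DBG:auth:check_nonce: comparing [52c5766c16b60d6ea7ab8993aac7645275d32b03] and [52c5766c4e6664d7e26e5799601c34086c63cd66]
DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e", stale=true'
DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c57e2800000012d49d9ee05dd12af13f29ed28bacffb06", stale=true'
"""

# Assumed layout: five or six groups of 8 hex digits (40 or 48 characters).
NONCE = re.compile(r"(?:[0-9a-f]{8}){5,6}")

def split_nonce(nonce):
    """Return (expiry, index, digest); index is None for the 40-char form."""
    if not NONCE.fullmatch(nonce):
        raise ValueError("unexpected nonce format: %r" % nonce)
    expiry = datetime.fromtimestamp(int(nonce[:8], 16), tz=timezone.utc)
    index = int(nonce[8:16], 16) if len(nonce) == 48 else None
    return expiry, index, nonce[-32:]

def classify(received, recomputed):
    """Say which part of the nonce differs in a check_nonce comparison."""
    if received == recomputed:
        return "match"
    r, c = split_nonce(received), split_nonce(recomputed)
    if r[:2] == c[:2]:
        # Same visible inputs but a different digest: the keyed part differs.
        return "same expiry/index, different digest"
    return "different expiry/index"

def failed_checks(log):
    """Classify every 'comparing [a] and [b]' line found in the log."""
    pairs = re.findall(r"check_nonce: comparing \[(\w+)\] and \[(\w+)\]", log)
    return [classify(a, b) for a, b in pairs]

def issued_indexes(log):
    """Index field of every nonce sent in a WWW-Authenticate challenge."""
    return [split_nonce(n)[1] for n in re.findall(r'nonce="(\w+)"', log)]

if __name__ == "__main__":
    print(failed_checks(LOG))
    print(issued_indexes(LOG))
```

On the lines from the post, the two compared nonces carry the same expiry but different digests, so one thing worth comparing between the two registrars is whatever keys that digest, for example the auth module's `secret` parameter.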