[OpenSIPS-Users] SIP Registration in a Loadbalancing environment

Kevin Mathy k.mathy at hexanet.fr
Thu Jan 2 16:08:31 CET 2014


An update about my previous mail :

I've tried to change the "disable_nonce_check" value, and set it to "0".
The result is all the same, but there's a difference in the logs.

With *disable_nonce_check* set to *1* :

> Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59128]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
> nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '
> Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]:
> DBG:auth:check_nonce: comparing [52c5766c16b60d6ea7ab8993aac7645275d32b03]
> and [52c5766c4e6664d7e26e5799601c34086c63cd66]
> Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]:
> DBG:auth:pre_auth: invalid nonce value received
> Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
> nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '
> Jan  2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]:
> DBG:auth:pre_auth: stale nonce value received
> Jan  2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
> nonce="52c576918f68aa904540e6467d5a82697ba4b660", stale=true^M '



and with *disable_nonce_check* set to *0* :

> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]:
> DBG:auth:pre_auth: invalid nonce value received
> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]:
> DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1,  index= 17
> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
> nonce="52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e", stale=true^M '
> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
> DBG:auth:pre_auth: invalid nonce value received
> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
> DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1,  index= 18
> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
> DBG:auth:build_auth_hf: nonce index= 18
> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
> nonce="52c57e2800000012d49d9ee05dd12af13f29ed28bacffb06", stale=true^M '



It seems that the disable nonce check function doesn't completely disable
the nonce checking, as there's still an inspection whatever value is
set.

Thanks for your help,

Kevin



Best Regards, *Kevin MATHY* | VoIP Engineer



2014/1/2 Kevin Mathy <k.mathy at hexanet.fr>

> Hi List,
>
> I'm trying to get SIP registration working for my customers with two
> OpenSIPS 1.9 servers sharing the same DNS name.
>
> Here is a schematic :
>
>                             /=====> Registrar Server 1
> SIP Phone =====> Access SBC
>                             \=====> Registrar Server 2
>
>
> I've got the same opensips.cfg on both servers, and here are some
> interesting points of the config :
>
> loadmodule "auth_db.so"
>> # ----- auth_db params -----
>> modparam("auth_db", "calculate_ha1", yes)
>> modparam("auth_db", "use_domain", no)
>> modparam("auth_db", "user_column", "username")
>> modparam("auth_db", "password_column", "password")
>> modparam("auth_db", "password_column_2", "ha1b")
>> modparam("auth_db", "db_url","mysql://****************************************** ")
>> modparam("auth_db", "load_credentials", "$avp(password)=password")
>>
>> # ----------------- module auth ---------------
>> loadmodule "auth.so"
>> # ----- auth params -----
>> modparam("auth","username_spec","$var(username)")
>> modparam("auth","password_spec","$avp(password)")
>> modparam("auth","calculate_ha1",1)
>> *modparam("auth","disable_nonce_check", 1)*
>
>
>
>
>
>  if (is_method("REGISTER"))
>>     {
>>         xlog("L_INFO","$ci -- New REGISTER received from $si with Contact : $ct\n");
>>
>>         if (!www_authorize("", "subscriber"))
>>         {
>>             if ($rc < 0)
>>             {
>>                 switch ($rc)
>>                 {
>>                     case -5:
>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Generic Error");
>>                     break;
>>                     case -4:
>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : No Credentials");
>>                     break;
>>                     case -3:
>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Stale nonce");
>>                     break;
>>                     case -2:
>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Valid User but Wrong Password");
>>                     break;
>>                     case -1:
>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Invalid User");
>>                     break;
>>                 }
>>             }
>>             www_challenge("", "0");
>>             exit;
>>         }
>>
>>         if (!save("location"))
>>         {
>>             xlog("L_INFO","$ci -- error with save_location from $au\n");
>>         }
>>         else
>>         {
>>             xlog("L_INFO","$ci -- save_location is OK from $au\n");
>>         }
>>
>>         exit;
>>     }
>
>
>
> So, as you can see, I configured the auth module with the
> "disable_nonce_check" parameter, because of my "loadbalanced" architecture,
> as stated in the documentation
> (http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250075).
>
> But, when a SIP Phone tries to register, the first Register (without any
> credentials) is sent to the 1st Registrar. It's answered with a 401
> Unauthorized containing a nonce.
> Then, the 2nd Register (with credentials, and the previously given nonce)
> is sent to the 2nd Registrar; but it's still answered with a 401.
>
> Thanks to the return code of www_authorize, I see that it's for the "Stale
> Nonce" reason, even if "disable_nonce_check" is set to 1 ...
>
> Maybe there's a misconfiguration, or a bug; so, I need your help :-)
>
> Thanks a lot,
>
>
>
> Best Regards, *Kevin MATHY* | VoIP Engineer
>
>
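
Added example (not part of the original post, and not OpenSIPS code): a decoder for the nonces in the log excerpts above, plus a model of a check that yields "invalid" versus "stale" in the order the log shows. The split into an 8-hex-digit expiry, an optional 8-hex-digit index and a 32-hex-digit digest is read off the logged values; the MD5-over-prefix-plus-secret construction and both secrets are assumptions of this sketch.

```python
import hashlib
import hmac

# Nonces copied from the debug lines quoted in the post (server redirect-2).
RECEIVED = "52c5766c16b60d6ea7ab8993aac7645275d32b03"   # left side of "comparing"
EXPECTED = "52c5766c4e6664d7e26e5799601c34086c63cd66"   # right side, also issued by redirect-2
WITH_INDEX = "52c57e2800000012d49d9ee05dd12af13f29ed28bacffb06"  # disable_nonce_check=0


def parse_nonce(nonce):
    """Split a nonce into (expiry epoch, index or None, 32-hex digest)."""
    if len(nonce) not in (40, 48) or set(nonce) - set("0123456789abcdef"):
        raise ValueError("unexpected nonce shape")
    expires = int(nonce[:8], 16)
    if len(nonce) == 48:
        return expires, int(nonce[8:16], 16), nonce[16:]
    return expires, None, nonce[8:]


def calc_nonce(expires, secret, index=None):
    """Model only (assumption): digest = MD5(hex prefix + per-server secret)."""
    prefix = "%08x" % expires + ("" if index is None else "%08x" % index)
    return prefix + hashlib.md5(prefix.encode() + secret).hexdigest()


def check(nonce, secret, now):
    """Return 'invalid', 'stale' or 'ok'; the integrity check comes first."""
    expires, index, _ = parse_nonce(nonce)
    if not hmac.compare_digest(calc_nonce(expires, secret, index), nonce):
        return "invalid"
    return "stale" if now > expires else "ok"


# Constructed secrets: two registrars that each hold their own value.
SECRET_1 = b"constructed-secret-registrar-1"
SECRET_2 = b"constructed-secret-registrar-2"

if __name__ == "__main__":
    # 0x52c5766c is 30 s after the 15:23:10 CET timestamp of the log line.
    print(parse_nonce(RECEIVED), parse_nonce(EXPECTED), parse_nonce(WITH_INDEX))
    issued = calc_nonce(1388672620, SECRET_1)      # 401 from registrar 1
    print(check(issued, SECRET_2, 1388672600))     # registrar 2, different secret
    print(check(issued, SECRET_1, 1388672600))     # same secret on both servers
    print(check(issued, SECRET_1, 1388672657))     # 37 s later, as at 15:23:47
```

In the "comparing" log line the two nonces share the expiry prefix and differ only in the digest, which is the pattern this model produces when the verifying server holds a different secret from the issuing one. The index field (0x12, matching "nonce index= 18" in the log) only appears in the 48-character form.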
