[OpenSIPS-Users] SIP Registration in a Loadbalancing environment

Muhammad Shahzad shaheryarkh at gmail.com
Thu Jan 2 17:01:29 CET 2014


Theoretically I agree that disable_nonce_check should take care of the stale
nonce problem, but in practice (using opensips 1.8.x), I observed that
reducing nonce_expire actually works. So set nonce_expire to about 5
seconds and try again.

Also make sure to:

1. use the same DB backend for both opensips servers.
2. use a reasonable DNS expiry, e.g. at least 300 seconds. I recommend
enforcing registration expiry just under DNS expiry (typically DNS expiry -
5 seconds), so the user re-registers with the same server it started up with.

Whether it works or not, you should open a ticket in the bug tracker so this
behavior is corrected.

Thank you.




On Thu, Jan 2, 2014 at 4:08 PM, Kevin Mathy <k.mathy at hexanet.fr> wrote:

> An update about my previous mail :
>
> I've tried to change the "disable_nonce_check" value, and set it to "0".
> The result is all the same, but there's a difference in the logs.
>
> With *disable_nonce_check* set to *1* :
>
>> Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59128]:
>> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
>> nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '
>> Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]:
>> DBG:auth:check_nonce: comparing [52c5766c16b60d6ea7ab8993aac7645275d32b03]
>> and [52c5766c4e6664d7e26e5799601c34086c63cd66]
>> Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]:
>> DBG:auth:pre_auth: invalid nonce value received
>> Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]:
>> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
>> nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '
>> Jan  2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]:
>> DBG:auth:pre_auth: stale nonce value received
>> Jan  2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]:
>> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
>> nonce="52c576918f68aa904540e6467d5a82697ba4b660", stale=true^M '
>
>
>
> and with *disable_nonce_check* set to *0* :
>
>> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]:
>> DBG:auth:pre_auth: invalid nonce value received
>> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]:
>> DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1,  index= 17
>> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]:
>> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
>> nonce="52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e", stale=true^M '
>> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
>> DBG:auth:pre_auth: invalid nonce value received
>> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
>> DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1,  index= 18
>> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
>> DBG:auth:build_auth_hf: nonce index= 18
>> Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]:
>> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT",
>> nonce="52c57e2800000012d49d9ee05dd12af13f29ed28bacffb06", stale=true^M '
>
>
>
> It seems that the disable check nonce function doesn't completely disable
> the nonce checking, as there's still an inspection whatever value is
> set.
>
> Thanks for your help,
>
> Kevin
>
>
>
> Best Regards, Kevin MATHY | VoIP Engineer
>
>
>
> 2014/1/2 Kevin Mathy <k.mathy at hexanet.fr>
>
>> Hi List,
>>
>> I'm trying to get SIP registration working for my customers with two
>> Opensips 1.9 servers sharing the same DNS name.
>>
>> Here is a schematic :
>>
>>                                               /=====> Registrar Server 1
>> SIP Phone =====> Access SBC
>>                                               \=====> Registrar Server 2
>>
>>
>> I've got the same opensips.cfg on both servers, and here are some
>> interesting points of the config :
>>
>>> loadmodule "auth_db.so"
>>> # ----- auth_db params -----
>>> modparam("auth_db", "calculate_ha1", yes)
>>> modparam("auth_db", "use_domain", no)
>>> modparam("auth_db", "user_column", "username")
>>> modparam("auth_db", "password_column", "password")
>>> modparam("auth_db", "password_column_2", "ha1b")
>>> modparam("auth_db", "db_url","mysql://****************************************** ")
>>> modparam("auth_db", "load_credentials", "$avp(password)=password")
>>>
>>> # ----------------- module auth ---------------
>>> loadmodule "auth.so"
>>> # ----- auth params -----
>>> modparam("auth","username_spec","$var(username)")
>>> modparam("auth","password_spec","$avp(password)")
>>> modparam("auth","calculate_ha1",1)
>>> modparam("auth","disable_nonce_check", 1)
>>
>>
>>
>>
>>
>>> if (is_method("REGISTER"))
>>>     {
>>>         xlog("L_INFO","$ci -- New REGISTER received from $si with Contact : $ct\n");
>>>
>>>         if (!www_authorize("", "subscriber"))
>>>         {
>>>             if ($rc < 0)
>>>             {
>>>                 switch ($rc)
>>>                 {
>>>                     case -5:
>>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Generic Error");
>>>                     break;
>>>                     case -4:
>>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : No Credentials");
>>>                     break;
>>>                     case -3:
>>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Stale nonce");
>>>                     break;
>>>                     case -2:
>>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Valid User but Wrong Password");
>>>                     break;
>>>                     case -1:
>>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Invalid User");
>>>                     break;
>>>                 }
>>>             }
>>>             www_challenge("", "0");
>>>             exit;
>>>         }
>>>
>>>         if (!save("location"))
>>>         {
>>>             xlog("L_INFO","$ci -- error with save_location from $au\n");
>>>         }
>>>         else
>>>         {
>>>             xlog("L_INFO","$ci -- save_location is OK from $au\n");
>>>         }
>>>
>>>         exit;
>>>     }
>>
>>
>>
>> So, as you can see, I configured the auth module with
>> "disable_nonce_check" parameter, because of my "loadbalanced" architecture
>> as it's said in the documentation
>> (http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250075).
>>
>> But, when a SIP Phone tries to register, the first Register (without any
>> credentials) is sent to the 1st Registrar. It's answered with a 401
>> Unauthorized containing a nonce.
>> Then, the 2nd Register (with credentials, and the previously given nonce)
>> is sent to the 2nd Registrar; but it's still answered with a 401.
>>
>> Thanks to the return code of www_authorize, I see that it's for the
>> "Stale Nonce" reason, even if "disable_nonce_check" is set to 1 ...
>>
>> Maybe there's a misconfiguration, or a bug; so, I need your help :-)
>>
>> Thanks a lot,
>>
>>
>>
>> Best Regards, Kevin MATHY | VoIP Engineer
>>
>>
>
>
>


-- 
Kind regards
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: shari_786pk at hotmail.com
Email: shaheryarkh at googlemail.com
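
A way to tell from the debug log quoted in this thread whether a rejected nonce is too old or carries a digest the local server would not have produced; this is an added example, not code from either poster or from OpenSIPS. It assumes the nonce layout the logs suggest (8 hex digits of expiry time, an optional 8-digit index, a 32-digit digest), that `check_nonce` prints the received nonce first and the locally recomputed one second, and that the log times are 2014 CET.

```python
import re
from datetime import datetime, timezone

# Lines copied from the debug log quoted in the thread (syslog prefix dropped).
LOG = '''\
DBG:auth:check_nonce: comparing [52c5766c16b60d6ea7ab8993aac7645275d32b03] and [52c5766c4e6664d7e26e5799601c34086c63cd66]
DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e", stale=true'
'''
COMPARE = re.compile(r"check_nonce: comparing \[([0-9a-f]+)\] and \[([0-9a-f]+)\]")
ISSUED = re.compile(r'nonce="([0-9a-f]+)"')

def split_nonce(nonce):
    """Return (expiry_epoch, index_or_None, digest_hex).

    Assumed layout, inferred from the logs: 8 hex digits of expiry time,
    an optional 8-hex-digit index, then a 32-hex-digit digest.
    """
    if len(nonce) not in (40, 48) or not re.fullmatch(r"[0-9a-f]+", nonce):
        raise ValueError(f"unexpected nonce format: {nonce!r}")
    index = int(nonce[8:16], 16) if len(nonce) == 48 else None
    return int(nonce[:8], 16), index, nonce[-32:]

def diagnose(received, recomputed, now_epoch):
    """Classify a nonce check: wrong digest, past its expiry, or acceptable."""
    r_exp, _, r_digest = split_nonce(received)
    if r_digest != split_nonce(recomputed)[2]:
        return "digest-mismatch"  # this server would not have issued it
    return "expired" if now_epoch > r_exp else "ok"

def expiry_utc(nonce):
    return datetime.fromtimestamp(split_nonce(nonce)[0], timezone.utc).isoformat()

def analyse(log, now_epoch):
    """Turn auth debug lines into (kind, detail...) findings."""
    out = []
    for line in log.splitlines():
        if m := COMPARE.search(line):
            out.append(("compare", diagnose(m[1], m[2], now_epoch)))
        elif m := ISSUED.search(line):
            out.append(("issued", expiry_utc(m[1]), split_nonce(m[1])[1]))
    return out

if __name__ == "__main__":
    # 1388672590 is 2014-01-02 15:23:10 CET (assumed year and zone of the log)
    for finding in analyse(LOG, 1388672590):
        print(finding)
```

For the first line the received nonce still had 30 seconds to run, so the rejection is a digest mismatch rather than age, which is consistent with the two registrars deriving nonces from different key material. The auth module's `secret` parameter, which the configuration in this thread does not set, is the value to compare on both servers.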