[OpenSIPS-Users] Auth parameter disable_nonce_check not working as expected

Bogdan-Andrei Iancu bogdan at opensips.org
Thu Jan 11 05:20:48 EST 2018


oh, so it is even worse, like the UA is generating its own nonce - you 
know this is a violation of the Digest authentication RFC and a huge 
security risk for a SIP server - this is why OpenSIPS rejects expired or 
unknown nonces. Otherwise someone can attack your service by simply 
re-using credentials collected from the network level.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   http://www.opensips-solutions.com
OpenSIPS Summit 2018
   http://www.opensips.org/events/Summit-2018Amsterdam

On 01/11/2018 01:59 AM, Robert Dyck wrote:
> I have to accept that I cannot work around the UA's bug. A strange bug that
> only manifests itself after an hour or so. The servers say the nonce is stale
> when in fact the UA presents a nonce of its own invention even changing the
> number of characters in the nonce.
>
> Thank you for your time
> Rob
>
> On Wednesday, January 10, 2018 1:14:22 AM PST Bogdan-Andrei Iancu wrote:
>> Hi Robert,
>>
>> Yes, it is exactly what I understood :). Again, if the nonce is expired
>> (too old - see nonce_expire -
>> http://www.opensips.org/html/docs/modules/2.3.x/auth.html#idp185504),
>> there is no way to force its acceptance. OpenSIPS will reject it as
>> stale (even if there is a correct auth answer).
>>
>> The disable_nonce_check parameter
>> (http://www.opensips.org/html/docs/modules/2.3.x/auth.html#idp5552944)
>> is exclusively for nonce re-usage.
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>     http://www.opensips-solutions.com
>> OpenSIPS Summit 2018
>>     http://www.opensips.org/events/Summit-2018Amsterdam
>>
>> On 01/09/2018 05:53 PM, Robert Dyck wrote:
>>> Let me rephrase. The UA receives a 401 message from opensips. The nonce is
>>> reported as stale. The UA attempts again to register using the same nonce
>>> as previously. On and on. I calculated the digest myself and it is
>>> correct for the stale nonce. My thinking is that if opensips ignored the
>>> fact that the nonce has expired then register should succeed.
>>>
>>> On Tuesday, January 9, 2018 6:39:04 AM PST Bogdan-Andrei Iancu wrote:
>>>> Hi Rob,
>>>>
>>>> A "reused" and a "stale" nonce are different things. A reused one means
>>>> that the same nonce is to be used for multiple auth attempts. A stale nonce
>>>> means the nonce (used or not) is rejected as it is too old (relative to
>>>> the time when the nonce was generated by the server).
>>>>
>>>> Of course, the stale check is performed first (and mandatory). After that
>>>> (according to disable_nonce_check option) the nonce re-usage is checked.
>>>>
>>>> Regards,
>>>>
>>>> Bogdan-Andrei Iancu
>>>>
>>>> OpenSIPS Founder and Developer
>>>>
>>>>      http://www.opensips-solutions.com
>>>>
>>>> OpenSIPS Summit 2018
>>>>
>>>>      http://www.opensips.org/events/Summit-2018Amsterdam
>>>>
>>>> On 01/08/2018 08:36 PM, Robert Dyck wrote:
>>>>> Using opensips 2.3.2 compiled from source
>>>>>
>>>>> I have a buggy UA that insists on reusing a stale nonce. I tried to
>>>>> work around it by setting disable_nonce_check. It didn't work for me.
>>>>> Am I misunderstanding the purpose of the parameter or is this an
>>>>> opensips bug?
>>>>>
>>>>> Jan  8 09:46:19 [11380] DBG:core:set_mod_param_regex: found
>>>>> <disable_nonce_check> in module auth [/usr/lib64/opensips/modules/]
>>>>>
>>>>> Rob
>
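
The check order described in this thread (unknown or stale nonces are always rejected; the reuse check runs afterwards and is the only part an option like disable_nonce_check switches off), as an added example that is not OpenSIPS code and not part of the original messages. The nonce format (hex timestamp plus truncated HMAC), the secret, the 30-second lifetime and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: per-server secret
NONCE_EXPIRE = 30                     # assumption: lifetime in seconds


def _mac(ts_hex: bytes) -> bytes:
    # Truncated HMAC binds the timestamp to this server's secret.
    return hmac.new(SECRET, ts_hex, hashlib.sha256).hexdigest()[:32].encode()


def make_nonce(now: int) -> str:
    """Server side: issue a nonce that carries its own creation time."""
    ts_hex = format(int(now), "08x").encode()
    return (ts_hex + _mac(ts_hex)).decode()


def check_nonce(nonce: str, now: int, seen: set,
                disable_nonce_check: bool = False) -> str:
    """Return 'unknown', 'stale', 'reused' or 'ok' for a presented nonce."""
    raw = nonce.encode()
    # 1. Unknown: wrong length or bad MAC means the server never issued it
    #    (for example a nonce invented by the UA).
    if len(raw) != 40 or not hmac.compare_digest(raw[8:], _mac(raw[:8])):
        return "unknown"
    # 2. Stale: mandatory, runs regardless of disable_nonce_check.
    if now - int(raw[:8], 16) > NONCE_EXPIRE:
        return "stale"
    # 3. Reuse: the only step the option turns off.
    if not disable_nonce_check:
        if nonce in seen:
            return "reused"
        seen.add(nonce)
    return "ok"


if __name__ == "__main__":
    n = make_nonce(1000)              # constructed sample timeline
    seen = set()
    print(check_nonce(n, 1010, seen))                             # fresh
    print(check_nonce(n, 1011, seen))                             # second use
    print(check_nonce(n, 1011, seen, disable_nonce_check=True))   # reuse allowed
    print(check_nonce(n, 1031, seen, disable_nonce_check=True))   # too old
    print(check_nonce("0" * 40, 1010, seen, disable_nonce_check=True))
```

A real server would verify the digest response only after the nonce passes these checks, so a correct digest computed over a stale nonce still ends in a stale rejection.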



