[OpenSIPS-Users] Auth parameter disable_nonce_check not working as expected

Robert Dyck rob.dyck at telus.net
Thu Jan 11 13:33:05 EST 2018


Agreed.
Initially I thought it was a stale nonce. I captured the messages at the 
moment it went from working to not working and compared the nonces.
The developers of Linphone have not responded to a bug report.

Rob

On Thursday, January 11, 2018 2:20:48 AM PST Bogdan-Andrei Iancu wrote:
> oh, so it is even worse, like the UA is generating its own nonce - you
> know this is a violation of the Digest authentication RFC and a huge
> security risk for a SIP server - this is why OpenSIPS rejects expired or
> unknown nonces. Otherwise someone can attack your service by simply
> re-using credentials collected from the network level.
> 
> Regards,
> 
> Bogdan-Andrei Iancu
> 
> OpenSIPS Founder and Developer
>    http://www.opensips-solutions.com
> OpenSIPS Summit 2018
>    http://www.opensips.org/events/Summit-2018Amsterdam
> 
> On 01/11/2018 01:59 AM, Robert Dyck wrote:
> > I have to accept that I cannot work around the UA's bug. A strange bug
> > that only manifests itself after an hour or so. The servers say the
> > nonce is stale when in fact the UA presents a nonce of its own
> > invention, even changing the number of characters in the nonce.
> > 
> > Thank you for your time
> > Rob
> > 
> > On Wednesday, January 10, 2018 1:14:22 AM PST Bogdan-Andrei Iancu wrote:
> >> Hi Robert,
> >> 
> >> Yes, it is exactly what I understood :). Again, if the nonce is expired
> >> (too old - see nonce_expire -
> >> http://www.opensips.org/html/docs/modules/2.3.x/auth.html#idp185504),
> >> there is no way to force its acceptance. OpenSIPS will reject it as
> >> stale (even if there is a correct auth answer).
> >> 
> >> The disable_nonce_check parameter
> >> (http://www.opensips.org/html/docs/modules/2.3.x/auth.html#idp5552944)
> >> is exclusively for nonce re-usage.
> >> 
> >> Regards,
> >> 
> >> Bogdan-Andrei Iancu
> >> 
> >> OpenSIPS Founder and Developer
> >> 
> >>     http://www.opensips-solutions.com
> >> 
> >> OpenSIPS Summit 2018
> >> 
> >>     http://www.opensips.org/events/Summit-2018Amsterdam
> >> 
> >> On 01/09/2018 05:53 PM, Robert Dyck wrote:
> >>> Let me rephrase. The UA receives a 401 message from opensips. The
> >>> nonce is reported as stale. The UA attempts again to register using
> >>> the same nonce as previously. On and on. I calculated the digest
> >>> myself and it is correct for the stale nonce. My thinking is that if
> >>> opensips ignored the fact that the nonce has expired then register
> >>> should succeed.
> >>> 
> >>> On Tuesday, January 9, 2018 6:39:04 AM PST Bogdan-Andrei Iancu wrote:
> >>>> Hi Rob,
> >>>> 
> >>>> A "reused" and a "stale" nonce are different things. A reused one means
> >>>> that the same nonce is to be used for multiple auth attempts. A stale
> >>>> nonce means the nonce (used or not) is rejected as it is too old
> >>>> (relative to the time when the nonce was generated by the server).
> >>>> 
> >>>> Of course, the stale check is performed first (and is mandatory). After
> >>>> that (according to the disable_nonce_check option) the nonce re-usage is
> >>>> checked.
> >>>> 
> >>>> Regards,
> >>>> 
> >>>> Bogdan-Andrei Iancu
> >>>> 
> >>>> OpenSIPS Founder and Developer
> >>>> 
> >>>>      http://www.opensips-solutions.com
> >>>> 
> >>>> OpenSIPS Summit 2018
> >>>> 
> >>>>      http://www.opensips.org/events/Summit-2018Amsterdam
> >>>> 
> >>>> On 01/08/2018 08:36 PM, Robert Dyck wrote:
> >>>>> Using opensips 2.3.2 compiled from source
> >>>>> 
> >>>>> I have a buggy UA that insists on reusing a stale nonce. I tried to
> >>>>> work around it by setting disable_nonce_check. It didn't work for me.
> >>>>> Am I misunderstanding the purpose of the parameter or is this an
> >>>>> opensips bug?
> >>>>> 
> >>>>> Jan  8 09:46:19 [11380] DBG:core:set_mod_param_regex: found
> >>>>> <disable_nonce_check> in module auth [/usr/lib64/opensips/modules/]
> >>>>> 
> >>>>> Rob
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> _______________________________________________
> >>>>> Users mailing list
> >>>>> Users at lists.opensips.org
> >>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
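
The distinction drawn in this thread between an unknown, a stale and a reused nonce, as an added example that is not part of the original messages and is not OpenSIPS code. The nonce layout (hex issue time plus a truncated HMAC tag), SECRET, NONCE_EXPIRE and the placement of the "unknown" check ahead of the age check are assumptions of this model; only the re-use check is governed by the disable_nonce_check flag.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: per-server secret
NONCE_EXPIRE = 30                    # seconds; stands in for nonce_expire


def _tag(ts):
    """Truncated HMAC over the issue time, binding the nonce to this server."""
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:24]


def make_nonce(now):
    """Server-issued nonce: 8 hex digits of issue time + 24 hex digits of tag."""
    ts = format(int(now), "08x")
    return ts + _tag(ts)


def check_nonce(nonce, now, seen, disable_nonce_check=False):
    """Return 'ok', 'unknown', 'stale' or 'reused' for a presented nonce."""
    ts, tag = nonce[:8], nonce[8:]
    # A nonce this server never issued (for example one invented by the UA,
    # possibly with a different length) fails before anything else is looked at.
    if len(nonce) != 32 or not hmac.compare_digest(tag.encode(), _tag(ts).encode()):
        return "unknown"
    # The age check is unconditional: no setting skips it.
    if now - int(ts, 16) > NONCE_EXPIRE:
        return "stale"
    # Only the re-use check depends on disable_nonce_check.
    if not disable_nonce_check:
        if nonce in seen:
            return "reused"
        seen.add(nonce)
    return "ok"


def demo():
    """Run the cases from the thread against constructed timestamps."""
    seen = set()
    n = make_nonce(1000)
    return [
        check_nonce(n, 1005, seen),                             # first use
        check_nonce(n, 1010, seen),                             # same nonce again
        check_nonce(n, 1010, seen, disable_nonce_check=True),   # re-use allowed
        check_nonce(n, 4600, seen, disable_nonce_check=True),   # an hour later
        check_nonce("abcdef0123", 1005, seen, disable_nonce_check=True),
    ]


if __name__ == "__main__":
    print(demo())
```

With the flag set, the re-used nonce is accepted while the hour-old nonce and the UA-invented one are still rejected, which matches the behaviour reported in the thread.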






