[OpenSIPS-Users] OpenSIPS CP 9.3.2 password mode ha1_sha256 for adding new user
Bogdan-Andrei Iancu
bogdan at opensips.org
Thu Sep 15 09:28:34 UTC 2022
Hi,
Some more info on this: the challenge function allows you to specify a
list of algorithms, not only one, so you can try "MD5,SHA-256" -> this
will allow the client to pick the one it supports.
But in order to have this multi-algs working, be sure you do NOT set the
"password_column" modparam (as the module will auto-detect which column
to use, depending on the alg). Just keep the calculate_ha1 to 0.
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/15/22 10:56 AM, jacky z wrote:
> Correction on my comments. It is a client side issue. Thank you!
>
> On Thu, Sep 15, 2022 at 3:40 PM jacky z <zjack0992 at gmail.com> wrote:
>
> After checking the log in the client side, here are some
> interesting findings:
>
> Here is what the client side received:
>
> WWW-Authenticate: Digest realm="sip.domain.com",
> nonce="3mKlesEwotxnM5nLMMLgQA63E6VTKsTFpEkK7OkoE4QA",
> qop="auth,auth-int", algorithm=SHA-256
>
> Then the client side logs show:
>
> 15:25:51.858 ...Unsupported digest algorithm "SHA-256"
> 15:25:51.859 ....SIP registration error: Invalid/unsupported
> digest algorithm
>
> Firstly, if the server side did not include SHA-256 in the SIP
> message, there would be no such issue. I don't understand why it
> needs to inform the client side "SHA-256". Secondly, if the client
> side just simply ignored "SHA-256", there would be no such issue.
> However, the client side treated it as not supported.
>
> On Thu, Sep 15, 2022 at 3:16 PM jacky z <zjack0992 at gmail.com> wrote:
>
> Hi Bogdan-Andrei,
>
> I tried either specifying it or not. Neither worked. Here is
> the script when I tried:
>
> www_challenge("","auth,auth-int","SHA-256");
>
> I also tried specifying the realm in the above code. When the
> above is used, there is no such error, but always returns 401.
> I checked the column ha1_sha256 and the hash of the password
> is correct.
>
> Thanks!
>
> On Thu, Sep 15, 2022 at 2:07 PM Bogdan-Andrei Iancu
> <bogdan at opensips.org> wrote:
>
> Hi,
>
> In your opensips.cfg, when doing auth challenge to the end
> points, do you specify the SHA256 alg?
>
> https://opensips.org/html/docs/modules/3.2.x/auth.html#func_www_challenge
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 27-30 Sept 2022, Athens
> https://www.opensips.org/events/Summit-2022Athens/
>
> On 9/15/22 7:18 AM, jacky z wrote:
>> Hi Team,
>>
>> Does ha1_sha256 work in general opensips config settings?
>> I have the following in the scripts:
>>
>> modparam("auth_db", "calculate_ha1", 0)
>>
>> modparam("auth_db", "password_column", "ha1_sha256")
>>
>>
>> but got the following error in the log:
>>
>>
>> /usr/sbin/opensips[28261]: ERROR:auth:auth_calc_HA1:
>> Incorrect length of pre-hashed credentials for the
>> algorithm "MD5": 32 expected, 64 provided
>>
>>
>> It seems though the sha256 was specified, but the server
>> still calculated MD5 and compared with the database
>> column ha1_sha256.
>>
>>
>> On Tue, Aug 9, 2022 at 5:39 PM Bogdan-Andrei Iancu
>> <bogdan at opensips.org> wrote:
>>
>> Hi Bela,
>>
>> The OCP does not support ha1_sha256 AFAIK. Consider
>> opening a feature request here
>> https://github.com/OpenSIPS/opensips-cp/issues
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>> https://www.opensips-solutions.com
>> OpenSIPS Summit 27-30 Sept 2022, Athens
>> https://www.opensips.org/events/Summit-2022Athens/
>>
>> On 6/29/22 9:10 AM, Bela H wrote:
>>>
>>> Hi all,
>>>
>>> Is there any way to add new subscriber from OpenSIPS
>>> CP 9.3.2 using password mode ha1_sha256?
>>>
>>> The ha1 (MD5(username:realm:password)) works fine
>>> but I had no luck with the value generation for the
>>> ha1_sha256 field in “subscriber” table.
>>>
>>> I have this setting:
>>>
>>> modparam("auth_db", "calculate_ha1", 0)
>>>
>>> modparam("auth_db", "password_column", "ha1_sha256")
>>>
>>> Thanks!
>>>
>>> Bela
>>>
>>>
>
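
Added example, not part of the thread and not OpenSIPS code: a Python sketch that generates the values for both the `ha1` and `ha1_sha256` columns and computes the qop=auth response a server would compare against, including the hash-length check behind the "32 expected, 64 provided" log line. It assumes `ha1_sha256` is SHA-256 over the same `username:realm:password` string as the MD5 formula quoted above (as in RFC 7616); the function names and sample credentials are hypothetical.

```python
import hashlib

# Digest algorithm token -> (hashlib name, subscriber column named in the thread).
ALGS = {"MD5": ("md5", "ha1"), "SHA-256": ("sha256", "ha1_sha256")}

def _hex(alg, text):
    return hashlib.new(ALGS[alg][0], text.encode("utf-8")).hexdigest()

def ha1(alg, username, realm, password):
    """Pre-hashed credential: H(username:realm:password) as lowercase hex."""
    return _hex(alg, f"{username}:{realm}:{password}")

def subscriber_row(username, realm, password):
    """One value per column, so either offered algorithm can be verified."""
    return {col: ha1(alg, username, realm, password)
            for alg, (_, col) in ALGS.items()}

def expected_response(alg, row, method, uri, nonce, nc, cnonce, qop="auth"):
    """Server-side check value for qop=auth, using the column that matches alg."""
    stored = row[ALGS[alg][1]]
    want = hashlib.new(ALGS[alg][0]).digest_size * 2
    if len(stored) != want:
        # Same condition as the auth_calc_HA1 error quoted in the thread:
        # a SHA-256 hash (64 hex chars) handed to an MD5 check (32 hex chars).
        raise ValueError(f"{alg}: {want} hex chars expected, {len(stored)} provided")
    ha2 = _hex(alg, f"{method}:{uri}")
    return _hex(alg, f"{stored}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

if __name__ == "__main__":
    # Constructed sample credentials; only the realm string appears in the thread.
    row = subscriber_row("alice", "sip.domain.com", "s3cret")
    for col, value in row.items():
        print(f"{col:11} {len(value)} {value}")
```

The realm passed to `subscriber_row` has to match the realm sent in the challenge exactly, otherwise the stored hash never verifies even though it looks well-formed.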