<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div>Hi All,<br><br>Looks like modparam("auth", "disable_nonce_check", 1) has fixed my problem.<br><br>Just want to know: if I disable the nonce check, will it affect www_authorize("", "subscriber")?<br><br>I have put the following in my config.<br><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">How can I stop the nonce check for REGISTER requests?<br><br>route[2]<br>{<br> # authorize registration<br> if(!www_authorize("", "subscriber")) {<br> # xlog("L_INFO", "Register authentication failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si
ID=$ci\n");<br> $var(reason) = $retcode;<br> if($var(reason) == -3){<br> xlog("L_INFO", "Register authentication failed (stale nonce)- M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");<br> <span style="font-weight: bold;"># I can see this in syslog</span> ???? Is modparam("auth", "disable_nonce_check", 1) doesn't affect www_authorize("", "subscriber") ??<br><br>
}<br> www_challenge("", "0");<br> exit;<br> }<br><br> # prevent spoofed registration attempts<br> if(!check_to()){ # Changed on 2010-06-15<br># #xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");<br> sl_send_reply("403", "Spoofed To-URI detected");<br>
exit;<br> }<br><br> # remove credentials<br> consume_credentials();<br><br> # perform NAT traversal for subsequent requests<br> if(!search("^Contact:[ ]*\*") && nat_uac_test("19")) {<br> fix_nated_register();<br> setbflag(2); # flag for NAT<br> setbflag(8); # flag for NAT PING using SIP OPTION request Fixed on 31/05/2010<br> }<br><br> # save contact<br> if(!save("location"))
{<br> # xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");<br> sl_reply_error();<br> exit;<br> }<br><br> #xlog("L_INFO", "Registration successful - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");<br> exit;<br>}<br><br>thanks<br><br><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Pasan Meemaduma &lt;pasandev@ymail.com&gt;<br><b><span style="font-weight: bold;">To:</span></b> OpenSIPS users mailing list
&lt;users@lists.opensips.org&gt;<br><b><span style="font-weight: bold;">Sent:</span></b> Monday, July 12, 2010 16:46:26<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??<br></font><br><meta http-equiv="x-dns-prefetch-control" content="off"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div>Hi Bogdan,<br><br>Thanks for the quick reply,<br><br>What I now suspect is the security mechanism for stale nonces introduced in later 1.4 causing this. The identical configuration works fine with opensips 1.4<br><br>This problem started to appear after I upgraded the server from openser to opensips about a month ago. <br><br>Losing registration is the worst problem since it's affecting incoming calls.<br><br>For the moment what I did was add the following in my opensips.cfg after going through the mailing list archives.<br><br><br></div><div style="font-family:
times new roman,new york,times,serif; font-size: 12pt;">modparam("auth", "disable_nonce_check", 1)<br><br>As I understood, opensips rejects a nonce which was used before even if it is sent with correct credentials. This could be the problem
that Re-INVITEs get 407.<br><br>I can't make many changes to observe more debugging information like setting set debug =6 as this is a production server.<br><br>I'm going to apply the new setting modparam("auth", "disable_nonce_check", 1) tomorrow on our offpeak time and see whether it will resolve the problem.<br><br>I'll get back to here tomorrow with the results.<br><br><br><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Bogdan-Andrei Iancu &lt;bogdan@voice-system.ro&gt;<br><b><span style="font-weight: bold;">To:</span></b> OpenSIPS users mailing list &lt;users@lists.opensips.org&gt;<br><b><span style="font-weight: bold;">Sent:</span></b> Monday, July 12, 2010 15:46:18<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??<br></font><br>Hi Pasan,<br><br>first,
for non-REGISTER requests use only the proxy_XXXX() functions.<br><br>For debugging the failure, try:<br><br>1) print the return code of the proxy_authorize() (use $retcode) - see <br><a rel="nofollow" target="_blank" href="http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228340">http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228340</a><br><br>2) set debug =6 and post the log corresponding to the INVITE processing.<br><br>Regards,<br>Bogdan<br><br>Pasan Meemaduma wrote:<br>> Hi All,<br>><br>> I'm having trouble with my authentication routine with opensips 1.5<br>><br>> I'm currently using opensips 1.5.3-1<br>><br>> And there is a lot of VoIP equipment using this production server.<br>><br>> The problem is that sometimes for some sip clients <br>> proxy_authorize("","subscriber") returns false even with correct <br>> credentials.<br>><br>> Basically, most of the time this happens to
Re-INVITEs in a
dialogue <br>> (messages with Proxy-Authorization Header).<br>><br>> This is causing in-progress calls to fail. The sip client gives up <br>> when it changes again.<br>><br>> And another problem is with www_authorize("", "subscriber")<br>><br>> It has the same problem: it returns false even with correct credentials, <br>> and this happens randomly, so it's hard to figure out why.<br>><br>> Is anyone else having problems with similar issues using these <br>> routines?<br>><br>> Is it a bug in these routines?<br>><br>> Is there a new release for the 1.5 branch which has fixed this sort of <br>> problem?<br>><br>> Any help on this would be very much appreciated.<br>><br>> Currently the server has more than 8000 entries in the location table at any <br>> given time and handles more than 3000 calls per day.<br>><br>> The following is one such sip trace that I got from a call<br>><br>><br>>
Even the re- INVITE has correct Proxy-Authorization header present <br>> opensips change it again.<br>><br>> U 2010/06/24 16:03:40.466974 y.y.y.y:5060 -> x.x.x.x:5060<br>> INVITE sip:<a rel="nofollow" ymailto="mailto:1234567890@x.x.x.x" target="_blank" href="mailto:1234567890@x.x.x.x">1234567890@x.x.x.x</a> SIP/2.0.<br>> To: <sip:<a rel="nofollow" ymailto="mailto:1234567890@x.x.x.x" target="_blank" href="mailto:1234567890@x.x.x.x">1234567890@x.x.x.x</a>>.<br>> From: "abcdefgh" <sip:<a rel="nofollow" ymailto="mailto:abcdefgh@x.x.x.x" target="_blank" href="mailto:abcdefgh@x.x.x.x">abcdefgh@x.x.x.x</a>>;tag=252070.<br>> Call-ID: 444603gj@192.168.1.20.<br>> CSeq: 5 INVITE.<br>> Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK155910d13;rport.<br>> Allow: ACK,BYE,CANCEL,INVITE,INFO,NOTIFY,OPTIONS,PRACK,REFER,UPDATE.<br>> Contact: <sip:abcdefgh@192.168.1.20:5060>.<br>> Supported:
replaces,precondition.<br>> Accept: application/sdp,application/cpim-pidf+xml.<br>> Expires:
240.<br>> User-Agent: BiPAC 7404VGPX 5.53.s6.b1.<br>> Accept-Language: en.<br>> Content-Type: application/sdp.<br>> Content-Length: 306.<br>> Content-Language: en.<br>> Content-Disposition: session.<br>> Max-Forwards: 70.<br>> Proxy-Authorization: Digest <br>> username="abcdefgh",realm="x.x.x.x",nonce="4c22f542000042ba42dd84f4cd197a73f815b9c34124752c",uri="sip:<a rel="nofollow" ymailto="mailto:1234567890@x.x.x.x" target="_blank" href="mailto:1234567890@x.x.x.x">1234567890@x.x.x.x</a>",response="32f7b1dfebfa87b20d1efe0e47019b81".<br>> .<br>> v=0.<br>> o=abcdefgh 862 862 IN IP4 192.168.1.20.<br>> s=-.<br>> c=IN IP4 192.168.1.20.<br>> t=0 0.<br>> m=audio 5100 RTP/AVP 18 0 8 101.<br>> a=rtpmap:18 G729/8000.<br>> a=rtpmap:0 PCMU/8000.<br>> a=rtpmap:8 PCMA/8000.<br>> a=rtpmap:101 telephone-event/8000.<br>> a=fmtp:101 0-15,66,70.<br>> a=curr:qos e2e send.<br>> a=des:qos optional e2e
sendrecv.<br>>
a=sendrecv.<br>><br>><br>> U 2010/06/24 16:03:40.468557 x.x.x.x:5060 -> y.y.y.y:5060<br>> SIP/2.0 407 Proxy Authentication Required.<br>> To: <sip:<a rel="nofollow" ymailto="mailto:1234567890@x.x.x.x" target="_blank" href="mailto:1234567890@x.x.x.x">1234567890@x.x.x.x</a>>;tag=a1270bde159848b15079f3c250cc0b75.56af.<br>> From: "abcdefgh" <sip:<a rel="nofollow" ymailto="mailto:abcdefgh@x.x.x.x" target="_blank" href="mailto:abcdefgh@x.x.x.x">abcdefgh@x.x.x.x</a>>;tag=252070.<br>> Call-ID: 444603gj@192.168.1.20.<br>> CSeq: 5 INVITE.<br>> Via: SIP/2.0/UDP <br>> 192.168.1.20:5060;branch=z9hG4bK155910d13;rport=5060;received=y.y.y.y.<br>> Proxy-Authenticate: Digest realm="x.x.x.x", <br>> nonce="4c22f55a00004fac9c389333991faa357d4dda38f4b9159f".<br>> Server: Voip.<br>> Content-Length: 0.<br>><br>><br>><br>><br>>
------------------------------------------------------------------------<br>><br>>
_______________________________________________<br>> Users mailing list<br>> <a rel="nofollow" ymailto="mailto:Users@lists.opensips.org" target="_blank" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>> <a rel="nofollow" target="_blank" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>> <br><br><br>-- <br>Bogdan-Andrei Iancu<br>OpenSIPS Bootcamp<br>20 - 24 September 2010, Frankfurt, Germany<br>www.voice-system.ro<br><br><br></div></div>
</div><br><meta http-equiv="x-dns-prefetch-control" content="on"></div></div>
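<div>Added example, not part of the original thread and not OpenSIPS code: a small model of the nonce reuse check and the nonce expiry check discussed in the messages above, run against the two nonces from the quoted SIP trace. It assumes each 48-digit nonce is laid out as 8 hex digits of expiry time, 8 of index and 32 of keyed hash, and that expiry is still enforced when the reuse check is switched off; the class, function and constant names are made up for the illustration.</div>

```python
from dataclasses import dataclass

# Nonces copied from the SIP trace quoted in the thread above.
NONCE_IN_INVITE = "4c22f542000042ba42dd84f4cd197a73f815b9c34124752c"
NONCE_IN_407 = "4c22f55a00004fac9c389333991faa357d4dda38f4b9159f"


@dataclass(frozen=True)
class Nonce:
    expires: int  # Unix time after which the nonce counts as stale
    index: int    # counter that lets the server spot a second use
    mac: str      # keyed hash over both fields (needs the server secret)


def parse_nonce(text: str) -> Nonce:
    """Split a nonce using the ASSUMED layout of 8 + 8 + 32 hex digits."""
    if len(text) != 48:
        raise ValueError("nonce does not have the assumed 48-digit layout")
    return Nonce(int(text[:8], 16), int(text[8:16], 16), text[16:])


class NonceModel:
    """Simplified model of the server-side checks (hypothetical names)."""

    def __init__(self, reuse_check: bool = True):
        self.reuse_check = reuse_check
        self.used = set()  # indexes already presented by a client

    def verdict(self, text: str, now: int) -> str:
        nonce = parse_nonce(text)
        if now > nonce.expires:      # expiry is applied in both modes
            return "stale"
        if self.reuse_check:
            if nonce.index in self.used:
                return "reused"      # same nonce presented a second time
            self.used.add(nonce.index)
        return "ok"


def replay_scenario(reuse_check: bool) -> list:
    """INVITE, re-INVITE with the same nonce, then a request after expiry."""
    model = NonceModel(reuse_check)
    t0 = parse_nonce(NONCE_IN_INVITE).expires - 6  # constructed clock value
    return [model.verdict(NONCE_IN_INVITE, t0),
            model.verdict(NONCE_IN_INVITE, t0 + 2),
            model.verdict(NONCE_IN_INVITE, t0 + 60)]
```

<div>In this model replay_scenario(True) returns ['ok', 'reused', 'stale'] and replay_scenario(False) returns ['ok', 'ok', 'stale'], so turning off the reuse check accepts the repeated nonce but still rejects one that has passed its expiry time.</div>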
</div><br></body></html>