<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div>Hi Bogdan,<br><br>My authentication route is as follow,<br><br> if (!allow_trusted()) {<br> if (!proxy_authorize("","subscriber")) {<br> if(!lookup("location") ){<br> proxy_challenge("","0");<br> exit;<br> }<br> } else if (!check_from()) {<br> sl_send_reply("403", "Spoofed From-URI
detected");<br> xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");<br> exit;<br> }<br> if(is_present_hf("Proxy-Authorization")){<br> consume_credentials();<br> }<br> }<br><br>This route is before the dispatch route (t_relay())<br>I think retransmitted INVITEs get block by this route so If I use the <span style="font-weight: bold;">t_check_trans() as </span>follow will I able to absorb the retransmitted INVITE ?<br><br> if (!allow_trusted()) {<br>
if (!proxy_authorize("","subscriber")) {<br>
<span style="font-weight: bold;"> if(!lookup("location") && ! t_check_trans() ){</span><br>
proxy_challenge("","0");<br>
exit;<br>
}<br>
} else if (!check_from()) {<br>
sl_send_reply("403", "Spoofed From-URI detected");<br>
xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");<br>
exit;<br>
}<br>
if(is_present_hf("Proxy-Authorization")){<br>
consume_credentials();<br>
}<br>
}<br><br>modparam("auth", "disable_nonce_check", 1) setting this is not a good idea i think.<br><br>thanks<br><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Pasan Meemaduma <pasandev@ymail.com><br><b><span style="font-weight: bold;">To:</span></b> OpenSIPS users mailling list <users@lists.opensips.org><br><b><span style="font-weight: bold;">Sent:</span></b> Monday, July 12, 2010 16:46:26<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??<br></font><br><meta http-equiv="x-dns-prefetch-control" content="off"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div>Hi Bogdan,<br><br>Thanks for the quick
reply,<br><br>What I now suspect is the security mechanism for stale nonces introduced in later 1.4 causing this. The identical configuration works fine with opensips 1.4<br><br>This problem started to appear after I upgrade server from openser to opensips about a month ago. <br><br>Loosing registration is the most worst problem since its affecting incoming calls.<br><br>For the moment what I did was add the following in my opensips.cfg after going through the mailing list archives.<br><br><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">modparam("auth", "disable_nonce_check", 1)<br><br>As I understood opensips reject nonce which is used before even if it send with correct credentials. This could be the problem
that Re-INVITEs get 407 .<br><br>I can't do much changes to observe more debuging information like setting set debug =6 as this is a production server.<br><br>I'm going to apply the new setting modparam("auth", "disable_nonce_check", 1) tomorrow on our offpeak time and see whether it will resolve the problem.<br><br>I'll get back to here tomorrow with the results.<br><br><br><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Bogdan-Andrei Iancu <bogdan@voice-system.ro><br><b><span style="font-weight: bold;">To:</span></b> OpenSIPS users mailling list <users@lists.opensips.org><br><b><span style="font-weight: bold;">Sent:</span></b> Monday, July 12, 2010 15:46:18<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??<br></font><br>Hi Pasan,<br><br>first,
for non-REGISTER requests use only the proxy_XXXX() functions.<br><br>For debugging the failure, try:<br><br>1) print the return code of the proxy_authorize() (use $retcode) - see <br><a rel="nofollow" target="_blank" href="http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228340">http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228340</a><br><br>2) set debug =6 and post the log corresponding to the INVITE processing .<br><br>Regards,<br>Bogdan<br><br>Pasan Meemaduma wrote:<br>> Hi All,<br>><br>> I'm having trouble with my authentication routine with opensips 1.5<br>><br>> I'm currently using opensips 1.5.3-1<br>><br>> And there are lot of voip equipments using this production server.<br>><br>> problem is that sometimes for some sip clients <br>> proxy_authorize("","subscriber") returns false even with correct <br>> credentials.<br>><br>> basically most of the times this happens to
Re-INVITEs in a
dialogue <br>> (messages with Proxy-Authorization Header).<br>><br>> This is causing in progress calls being failed. sip client gives up <br>> when it changes again.<br>><br>> And another problem is with www_authorize("", "subscriber")<br>><br>> It has the same problem returns false even with correct credentials. <br>> and this happens randomly so , its hard to figure out why .<br>><br>> does any one else having problem with simillar issues with using these <br>> routines ?<br>><br>> Is it a bug in these routines ?<br>><br>> Is there a new release for 1.5 branch which has fixed this sort of a <br>> problem.<br>><br>> any help on this would be very appreciated.<br>><br>> currently server has more than 8000 entries in location table at any <br>> given time and handles more than 3000 calls per day.<br>><br>> following is one such sip trace that i got from a call<br>><br>><br>>
Even the re- INVITE has correct Proxy-Authorization header present <br>> opensips change it again.<br>><br>> U 2010/06/24 16:03:40.466974 y.y.y.y:5060 -> x.x.x.x:5060<br>> INVITE sip:<a rel="nofollow" ymailto="mailto:1234567890@x.x.x.x" target="_blank" href="mailto:1234567890@x.x.x.x">1234567890@x.x.x.x</a> SIP/2.0.<br>> To: <sip:<a rel="nofollow" ymailto="mailto:1234567890@x.x.x.x" target="_blank" href="mailto:1234567890@x.x.x.x">1234567890@x.x.x.x</a>>.<br>> From: "abcdefgh" <sip:<a rel="nofollow" ymailto="mailto:abcdefgh@x.x.x.x" target="_blank" href="mailto:abcdefgh@x.x.x.x">abcdefgh@x.x.x.x</a>>;tag=252070.<br>> Call-ID: 444603gj@192.168.1.20.<br>> CSeq: 5 INVITE.<br>> Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK155910d13;rport.<br>> Allow: ACK,BYE,CANCEL,INVITE,INFO,NOTIFY,OPTIONS,PRACK,REFER,UPDATE.<br>> Contact: <sip:abcdefgh@192.168.1.20:5060>.<br>> Supported:
replaces,precondition.<br>> Accept: application/sdp,application/cpim-pidf+xml.<br>> Expires:
240.<br>> User-Agent: BiPAC 7404VGPX 5.53.s6.b1.<br>> Accept-Language: en.<br>> Content-Type: application/sdp.<br>> Content-Length: 306.<br>> Content-Language: en.<br>> Content-Disposition: session.<br>> Max-Forwards: 70.<br>> Proxy-Authorization: Digest <br>> username="abcdefgh",realm="x.x.x.x",nonce="4c22f542000042ba42dd84f4cd197a73f815b9c34124752c",uri="sip:<a rel="nofollow" ymailto="mailto:1234567890@x.x.x.x" target="_blank" href="mailto:1234567890@x.x.x.x">1234567890@x.x.x.x</a>",response="32f7b1dfebfa87b20d1efe0e47019b81".<br>> .<br>> v=0.<br>> o=abcdefgh 862 862 IN IP4 192.168.1.20.<br>> s=-.<br>> c=IN IP4 192.168.1.20.<br>> t=0 0.<br>> m=audio 5100 RTP/AVP 18 0 8 101.<br>> a=rtpmap:18 G729/8000.<br>> a=rtpmap:0 PCMU/8000.<br>> a=rtpmap:8 PCMA/8000.<br>> a=rtpmap:101 telephone-event/8000.<br>> a=fmtp:101 0-15,66,70.<br>> a=curr:qos e2e send.<br>> a=des:qos optional e2e
sendrecv.<br>>
a=sendrecv.<br>><br>><br>> U 2010/06/24 16:03:40.468557 x.x.x.x:5060 -> y.y.y.y:5060<br>> SIP/2.0 407 Proxy Authentication Required.<br>> To: <sip:<a rel="nofollow" ymailto="mailto:1234567890@x.x.x.x" target="_blank" href="mailto:1234567890@x.x.x.x">1234567890@x.x.x.x</a>>;tag=a1270bde159848b15079f3c250cc0b75.56af.<br>> From: "abcdefgh" <sip:<a rel="nofollow" ymailto="mailto:abcdefgh@x.x.x.x" target="_blank" href="mailto:abcdefgh@x.x.x.x">abcdefgh@x.x.x.x</a>>;tag=252070.<br>> Call-ID: 444603gj@192.168.1.20.<br>> CSeq: 5 INVITE.<br>> Via: SIP/2.0/UDP <br>> 192.168.1.20:5060;branch=z9hG4bK155910d13;rport=5060;received=y.y.y.y.<br>> Proxy-Authenticate: Digest realm="x.x.x.x", <br>> nonce="4c22f55a00004fac9c389333991faa357d4dda38f4b9159f".<br>> Server: Voip.<br>> Content-Length: 0.<br>><br>><br>><br>><br>>
------------------------------------------------------------------------<br>><br>>
_______________________________________________<br>> Users mailing list<br>> <a rel="nofollow" ymailto="mailto:Users@lists.opensips.org" target="_blank" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>> <a rel="nofollow" target="_blank" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>> <br><br><br>-- <br>Bogdan-Andrei Iancu<br>OpenSIPS Bootcamp<br>20 - 24 September 2010, Frankfurt, Germany<br>www.voice-system.ro<br><br><br>_______________________________________________<br>Users mailing list<br><a rel="nofollow" ymailto="mailto:Users@lists.opensips.org" target="_blank" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br><a rel="nofollow" target="_blank" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br></div></div>
</div><br><meta http-equiv="x-dns-prefetch-control" content="on"></div></div>
</div><br></body></html>