<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div>Hi Bogdan,<br><br>I'm a bit confused. <br><br>If I add t_newtran() as follows to my authentication route, will it affect the original INVITEs?<br><br>There aren't many details about the t_newtran() function in the documentation.<br><br>Will this function create a new transaction for retransmitted INVITEs and allow them to bypass the proxy_authorize("","subscriber")?<br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br>Will this affect the accounting anyway?<br><br>Thanks<br><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Bogdan-Andrei Iancu <bogdan@voice-system.ro><br><b><span style="font-weight: bold;">To:</span></b> OpenSIPS users
mailling list <users@lists.opensips.org><br><b><span style="font-weight: bold;">Sent:</span></b> Thursday, July 29, 2010 15:26:47<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??<br></font><br>Hi Pasan,<br><br>Better try something like:<br><br><br> if (!allow_trusted()) {<br> t_newtran();<br> if (!proxy_authorize("","subscriber")) {<br> if(!lookup("location") ){<br> proxy_challenge("","0");<br> exit;<br> }<br> } else if (!check_from()) {<br> sl_send_reply("403", "Spoofed From-URI detected");<br>
xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");<br> exit;<br> }<br> if(is_present_hf("Proxy-Authorization")){<br> consume_credentials();<br> }<br> }<br><br><br>The t_check_trans() function checks if the transaction already exists (for <br>retransmissions), but it does not create the transaction.<br><br>Best regards,<br>Bogdan<br><br><br>Pasan Meemaduma wrote:<br>> Hi Bogdan,<br>><br>> My authentication route is as follows,<br>><br>> if (!allow_trusted()) {<br>> if (!proxy_authorize("","subscriber")) {<br>> if(!lookup("location") ){<br>> proxy_challenge("","0");<br>>
exit;<br>> }<br>> } else if (!check_from()) {<br>> sl_send_reply("403", "Spoofed From-URI detected");<br>> xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");<br>> exit;<br>> }<br>> if(is_present_hf("Proxy-Authorization")){<br>> consume_credentials();<br>> }<br>> }<br>><br>> This route is before the dispatch route (t_relay()).<br>> I think retransmitted INVITEs get blocked by this route, so if I use <br>> t_check_trans() as follows, will I be able to absorb the retransmitted <br>>
INVITE?<br>><br>> if (!allow_trusted()) {<br>> if (!proxy_authorize("","subscriber")) {<br>> if(!lookup("location") && ! t_check_trans() ){<br>> proxy_challenge("","0");<br>> exit;<br>> }<br>> } else if (!check_from()) {<br>> sl_send_reply("403", "Spoofed From-URI detected");<br>> xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");<br>> exit;<br>> }<br>> if(is_present_hf("Proxy-Authorization")){<br>>
consume_credentials();<br>> }<br>> }<br>><br>> modparam("auth", "disable_nonce_check", 1): setting this is not a good <br>> idea, I think.<br>><br>> Thanks<br>><br>><br>> ------------------------------------------------------------------------<br>> *From:* Pasan Meemaduma <<a ymailto="mailto:pasandev@ymail.com" href="mailto:pasandev@ymail.com">pasandev@ymail.com</a>><br>> *To:* OpenSIPS users mailling list <<a ymailto="mailto:users@lists.opensips.org" href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>><br>> *Sent:* Monday, July 12, 2010 16:46:26<br>> *Subject:* Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??<br>><br>> Hi Bogdan,<br>><br>> Thanks for the quick reply,<br>><br>> What I now suspect is that the security mechanism for stale nonces <br>> introduced in later 1.4 is causing
this. The identical configuration <br>> works fine with OpenSIPS 1.4.<br>><br>> This problem started to appear after I upgraded the server from OpenSER to <br>> OpenSIPS about a month ago.<br>><br>> Losing registration is the worst problem since it's affecting <br>> incoming calls.<br>><br>> For the moment, what I did was add the following to my opensips.cfg <br>> after going through the mailing list archives.<br>><br>><br>> modparam("auth", "disable_nonce_check", 1)<br>><br>> As I understood, OpenSIPS rejects a nonce which was used before even if it <br>> is sent with correct credentials. This could be the problem that <br>> Re-INVITEs get 407.<br>><br>> I can't make many changes to observe more debugging information, like <br>> setting debug=6, as this is a production server.<br>><br>> I'm going to apply the new setting modparam("auth", <br>> "disable_nonce_check", 1) tomorrow on our
offpeak time and see whether <br>> it will resolve the problem.<br>><br>> I'll get back to here tomorrow with the results.<br>><br>><br>><br>> ------------------------------------------------------------------------<br>> *From:* Bogdan-Andrei Iancu <<a ymailto="mailto:bogdan@voice-system.ro" href="mailto:bogdan@voice-system.ro">bogdan@voice-system.ro</a>><br>> *To:* OpenSIPS users mailling list <<a ymailto="mailto:users@lists.opensips.org" href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>><br>> *Sent:* Monday, July 12, 2010 15:46:18<br>> *Subject:* Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??<br>><br>> Hi Pasan,<br>><br>> first, for non-REGISTER requests use only the proxy_XXXX() functions.<br>><br>> For debugging the failure, try:<br>><br>> 1) print the return code of the proxy_authorize() (use $retcode) - see<br>> <a
href="http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228340" target="_blank">http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228340</a><br>><br>> 2) set debug=6 and post the log corresponding to the INVITE processing.<br>><br>> Regards,<br>> Bogdan<br>><br>> Pasan Meemaduma wrote:<br>> > Hi All,<br>> ><br>> > I'm having trouble with my authentication routine with OpenSIPS 1.5.<br>> ><br>> > I'm currently using OpenSIPS 1.5.3-1.<br>> ><br>> > And there is a lot of VoIP equipment using this production server.<br>> ><br>> > The problem is that sometimes, for some SIP clients,<br>> > proxy_authorize("","subscriber") returns false even with correct<br>> > credentials.<br>> ><br>> > Basically, most of the time this happens to Re-INVITEs in a dialogue<br>> > (messages with Proxy-Authorization header).<br>> ><br>> >
This is causing in-progress calls to fail. The SIP client gives up<br>> > when it changes again.<br>> ><br>> > And another problem is with www_authorize("", "subscriber").<br>> ><br>> > It has the same problem: it returns false even with correct credentials,<br>> > and this happens randomly, so it's hard to figure out why.<br>> ><br>> > Is anyone else having problems with similar issues using these<br>> > routines?<br>> ><br>> > Is it a bug in these routines?<br>> ><br>> > Is there a new release for the 1.5 branch which has fixed this sort of<br>> > problem?<br>> ><br>> > Any help on this would be much appreciated.<br>> ><br>> > Currently the server has more than 8000 entries in the location table at any<br>> > given time and handles more than 3000 calls per day.<br>> ><br>> > Following is one such SIP trace that I got from a
call<br>> ><br>> ><br>> > Even the re- INVITE has correct Proxy-Authorization header present<br>> > opensips change it again.<br>> ><br>> > U 2010/06/24 16:03:40.466974 y.y.y.y:5060 -> x.x.x.x:5060<br>> > INVITE sip:1234567890@x.x.x.x SIP/2.0.<br>> > To: <sip:1234567890@x.x.x.x>.<br>> > From: "abcdefgh" <sip:abcdefgh@x.x.x.x>;tag=252070.<br>> > Call-ID: 444603gj@192.168.1.20.<br>> > CSeq: 5 INVITE.<br>> > Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK155910d13;rport.<br>> > Allow: ACK,BYE,CANCEL,INVITE,INFO,NOTIFY,OPTIONS,PRACK,REFER,UPDATE.<br>> > Contact: <sip:abcdefgh@192.168.1.20:5060>.<br>> > Supported: replaces,precondition.<br>> > Accept: application/sdp,application/cpim-pidf+xml.<br>> > Expires: 240.<br>> > User-Agent: BiPAC 7404VGPX 5.53.s6.b1.<br>> > Accept-Language: en.<br>> > Content-Type: application/sdp.<br>> > Content-Length: 306.<br>> > Content-Language: en.<br>> > Content-Disposition: session.<br>> > Max-Forwards: 70.<br>> > Proxy-Authorization: Digest<br>> > username="abcdefgh",realm="x.x.x.x",nonce="4c22f542000042ba42dd84f4cd197a73f815b9c34124752c",uri="sip:1234567890@x.x.x.x",response="32f7b1dfebfa87b20d1efe0e47019b81".<br>> > .<br>> > v=0.<br>> > o=abcdefgh 862 862 IN IP4 192.168.1.20.<br>> > s=-.<br>> > c=IN IP4 192.168.1.20.<br>> > t=0 0.<br>> > m=audio 5100 RTP/AVP 18 0 8 101.<br>> > a=rtpmap:18 G729/8000.<br>> > a=rtpmap:0 PCMU/8000.<br>> > a=rtpmap:8 PCMA/8000.<br>> > a=rtpmap:101 telephone-event/8000.<br>> > a=fmtp:101 0-15,66,70.<br>> > a=curr:qos e2e send.<br>> > a=des:qos optional e2e sendrecv.<br>> > a=sendrecv.<br>> ><br>> ><br>> > U 2010/06/24 16:03:40.468557 x.x.x.x:5060 -> y.y.y.y:5060<br>> > SIP/2.0 407 Proxy Authentication Required.<br>> > To: <sip:1234567890@x.x.x.x>;tag=a1270bde159848b15079f3c250cc0b75.56af.<br>> > From: "abcdefgh" <sip:abcdefgh@x.x.x.x>;tag=252070.<br>> > Call-ID: 444603gj@192.168.1.20.<br>> > CSeq: 5 INVITE.<br>> > Via: SIP/2.0/UDP<br>> > 192.168.1.20:5060;branch=z9hG4bK155910d13;rport=5060;received=y.y.y.y.<br>> > Proxy-Authenticate: Digest realm="x.x.x.x",<br>> > nonce="4c22f55a00004fac9c389333991faa357d4dda38f4b9159f".<br>> > Server: Voip.<br>> > Content-Length: 0.<br>> ><br>> ><br>> ><br>> ><br><br><br>--
<br>Bogdan-Andrei Iancu<br>OpenSIPS Bootcamp<br>20 - 24 September 2010, Frankfurt, Germany<br>www.voice-system.ro<br></div></div>
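<div><br>The behaviour discussed in this thread, as an added example that is not part of the original e-mails and is not OpenSIPS code: a toy proxy that accepts each digest nonce once, showing why a retransmitted INVITE with valid credentials gets a 407 and how matching retransmissions to an existing transaction before authentication avoids it. ToyProxy, run_call, the password, the branch values and the random nonce are constructed for this illustration.<br></div>
<pre>
```python
# Simplified model, constructed for illustration; not OpenSIPS source code.
import hashlib
import secrets

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop, the form used in the trace above.
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

class ToyProxy:
    def __init__(self, passwords, realm, absorb_retransmissions):
        self.passwords, self.realm, self.absorb = passwords, realm, absorb_retransmissions
        self.unused_nonces = set()   # issued, not yet accepted
        self.transactions = set()    # (Via branch, CSeq method) seen so far

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.unused_nonces.add(nonce)
        return ("407", nonce)

    def handle(self, req):
        key = (req["branch"], req["method"])
        if self.absorb and key in self.transactions:
            return ("absorbed", None)   # retransmission stops before auth
        self.transactions.add(key)
        auth = req.get("auth")
        if auth is None or auth["nonce"] not in self.unused_nonces:
            return self.challenge()     # missing, unknown or already used nonce
        self.unused_nonces.discard(auth["nonce"])   # a nonce is accepted once
        password = self.passwords.get(auth["user"])
        good = password is not None and digest_response(
            auth["user"], self.realm, password, req["method"], req["uri"], auth["nonce"])
        if auth["response"] != good:
            return self.challenge()
        return ("relayed", None)

def run_call(absorb_retransmissions):
    user, realm, pw, uri = "abcdefgh", "x.x.x.x", "constructed-password", "sip:1234567890@x.x.x.x"
    proxy = ToyProxy({user: pw}, realm, absorb_retransmissions)
    first = {"method": "INVITE", "uri": uri, "branch": "z9hG4bK-constructed-1"}
    nonce = proxy.handle(first)[1]
    resp = digest_response(user, realm, pw, "INVITE", uri, nonce)
    second = dict(first, branch="z9hG4bK-constructed-2",
                  auth={"user": user, "nonce": nonce, "response": resp})
    return [proxy.handle(second)[0], proxy.handle(second)[0]]  # second copy = UDP retransmission
```
</pre>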
</div><br></body></html>