<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div>Hi Bogdan,<br><br>I tried the following authentication routine and I had a different problem where opensips keeps on rejecting the authorized INVITEs after adding t_newtran() to the auth routine.<br>I have also commented out the<br>#modparam("auth", "disable_nonce_check", 1) line<br><br>So my retransmitted INVITE absorption didn't work and introduced a different problem.<br><br>After I add t_newtran(); as below, opensips keeps on challenging with proxy authorize for valid INVITEs with Proxy-Authorization Header.<br><br>Any clue ?<br><br>thanks<br><br>> if (!allow_trusted()) {<br>> t_newtran();<br>> <span style="font-weight: bold;"> if (!proxy_authorize("","subscriber"))
{</span> looks like this condition started to return false all the time causing outgoing calls being failed<br>> if(!lookup("location") ){<br>> proxy_challenge("","0");<br>> exit;<br>> }<br>> } else if (!check_from()) {<br>> sl_send_reply("403", "Spoofed From-URI detected");<br>> xlog("L_INFO","Spoofed From-URI detected ! from --> $fu<br>> -- IP $si PORT:$sp");<br>> exit;<br>> }<br>> if(is_present_hf("Proxy-Authorization")){<br>>
consume_credentials();<br>> }<br>> }<br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Bogdan-Andrei Iancu <bogdan@voice-system.ro><br><b><span style="font-weight: bold;">To:</span></b> OpenSIPS users mailling list <users@lists.opensips.org><br><b><span style="font-weight: bold;">Sent:</span></b> Sunday, August 1, 2010 20:29:11<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??<br></font><br>Hi Pasan,<br><br>Pasan Meemaduma wrote:<br>> Hi Bogdan,<br>><br>> I'm a bit confused.<br>><br>> If I add t_newtran() as follows to my authentication route, will it <br>> affect the
original INVITEs ?<br>no, it will not.<br>><br>> There are not many details about the t_newtran() function in the documentation.<br>It just creates the transaction<br>><br>> will this function create a new transaction for retransmitted INVITEs <br>> and allow them to bypass the proxy_authorize("","subscriber")?<br>I advise you to read the SIP RFC3261 - all retransmissions of a request <br>belong to the same transaction.<br>><br>> will this affect the accounting anyway ?<br>no.<br><br>Regards,<br>Bogdan<br><br>><br>> thanks<br>><br>> ------------------------------------------------------------------------<br>> *From:* Bogdan-Andrei Iancu <<a ymailto="mailto:bogdan@voice-system.ro" href="mailto:bogdan@voice-system.ro">bogdan@voice-system.ro</a>><br>> *To:* OpenSIPS users mailling list <<a ymailto="mailto:users@lists.opensips.org" href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>><br>> *Sent:*
Thursday, July 29, 2010 15:26:47<br>> *Subject:* Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??<br>><br>> Hi Pasan,<br>><br>> Better try something like:<br>><br>><br>> if (!allow_trusted()) {<br>> t_newtran();<br>> if (!proxy_authorize("","subscriber")) {<br>> if(!lookup("location") ){<br>> proxy_challenge("","0");<br>> exit;<br>> }<br>> } else if (!check_from()) {<br>> sl_send_reply("403", "Spoofed From-URI detected");<br>> xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");<br>> exit;<br>> }<br>> if(is_present_hf("Proxy-Authorization")){<br>> consume_credentials();<br>> }<br>> }<br>><br>><br>> the t_check_trans() function checks if the transaction already exists (for<br>> retransmissions), but it is not creating the transaction.<br>><br>> Best regards,<br>> Bogdan<br>><br>><br>> Pasan Meemaduma wrote:<br>> > Hi Bogdan,<br>> ><br>> > My authentication route is as follows,<br>> ><br>> > if (!allow_trusted()) {<br>> > if (!proxy_authorize("","subscriber")) {<br>> > if(!lookup("location") ){<br>> > proxy_challenge("","0");<br>> > exit;<br>> > }<br>> > } else if (!check_from()) {<br>> > sl_send_reply("403", "Spoofed From-URI detected");<br>> > xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");<br>> > exit;<br>> > }<br>> > if(is_present_hf("Proxy-Authorization")){<br>> > consume_credentials();<br>> > }<br>> > }<br>> ><br>> > This route is before the dispatch route (t_relay())<br>> > I think retransmitted INVITEs get blocked by this route, so if I use<br>> > t_check_trans() as follows, will I be able to absorb the retransmitted<br>> > INVITE ?<br>> ><br>> > if (!allow_trusted()) {<br>> > if (!proxy_authorize("","subscriber")) {<br>> > if(!lookup("location") && ! t_check_trans() ){<br>> > proxy_challenge("","0");<br>> > exit;<br>> > }<br>> > } else if (!check_from()) {<br>> > sl_send_reply("403", "Spoofed From-URI detected");<br>> > xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");<br>> >
exit;<br>> > }<br>> > if(is_present_hf("Proxy-Authorization")){<br>> > consume_credentials();<br>> > }<br>> > }<br>> ><br>> > modparam("auth", "disable_nonce_check", 1) setting this is not a good<br>> > idea, I think.<br>> ><br>> > thanks<br>> ><br>> ><br>> > ------------------------------------------------------------------------<br>> > *From:* Pasan Meemaduma <<a ymailto="mailto:pasandev@ymail.com" href="mailto:pasandev@ymail.com">pasandev@ymail.com</a>><br>> > *To:* OpenSIPS users mailling list <<a ymailto="mailto:users@lists.opensips.org" href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>><br>> > *Sent:* Monday, July 12, 2010 16:46:26<br>> > *Subject:* Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??<br>> ><br>> > Hi Bogdan,<br>> ><br>> > Thanks for the quick reply,<br>> ><br>> > What I now suspect is that the security mechanism for stale nonces<br>> > introduced in later 1.4 is causing this. The identical configuration<br>> > works fine with opensips 1.4<br>> ><br>> > This problem started to appear after I upgraded the server from openser to<br>> > opensips about a month ago.<br>> ><br>> > Losing registration is the worst problem since it's affecting<br>> > incoming calls.<br>> ><br>> > For the moment what I did was add the following in my opensips.cfg<br>> > after going through the mailing list archives.<br>> ><br>> ><br>> > modparam("auth", "disable_nonce_check", 1)<br>> ><br>> > As I understood, opensips rejects a nonce which was used before even if it<br>> > is sent with correct credentials. This could be the reason that<br>> > Re-INVITEs get 407 .<br>> ><br>> > I can't make many changes to observe more debugging information like<br>> > setting debug =6 as this is a production server.<br>> ><br>> > I'm going to apply the new setting modparam("auth",<br>> > "disable_nonce_check", 1) tomorrow in our off-peak time and see whether<br>> > it will resolve the problem.<br>> ><br>> > I'll get back here tomorrow with the results.<br>> ><br>> ><br>> ><br>> > ------------------------------------------------------------------------<br>> > *From:* Bogdan-Andrei Iancu <<a ymailto="mailto:bogdan@voice-system.ro" href="mailto:bogdan@voice-system.ro">bogdan@voice-system.ro</a>><br>> > *To:* OpenSIPS users mailling list <<a ymailto="mailto:users@lists.opensips.org" href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>><br>> > *Sent:* Monday, July 12, 2010 15:46:18<br>> > *Subject:* Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??<br>> ><br>> > Hi Pasan,<br>> ><br>> > first, for non-REGISTER requests use only the proxy_XXXX() functions.<br>> ><br>> > For debugging the failure, try:<br>> ><br>> > 1) print the return code of the proxy_authorize() (use $retcode) - see<br>> > <a href="http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228340" target="_blank">http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228340</a><br>> ><br>> > 2) set debug =6 and post the log corresponding to the INVITE processing.<br>> ><br>> > Regards,<br>> > Bogdan<br>> ><br>> > Pasan Meemaduma wrote:<br>> > > Hi All,<br>> > ><br>> > > I'm having trouble with my authentication routine with opensips 1.5<br>> > ><br>> > > I'm currently using opensips 1.5.3-1<br>> > ><br>> > > And there are a lot of voip equipments using this production server.<br>> > ><br>> > > The problem is that sometimes for some sip clients<br>> > > proxy_authorize("","subscriber") returns false even with correct<br>> > > credentials.<br>> > ><br>> > > basically most of the time this happens to Re-INVITEs in a dialogue<br>> > > (messages with Proxy-Authorization Header).<br>> > ><br>> > > This is causing in-progress calls to fail. The sip client gives up<br>> > > when it changes again.<br>> > ><br>> > > And another problem is with www_authorize("", "subscriber")<br>> > ><br>> > > It has the same problem: it returns false even with correct credentials,<br>> > > and this happens randomly, so it's hard to figure out why.<br>> > ><br>> > > Is anyone else having problems with similar issues using these<br>> > > routines ?<br>> > ><br>> > > Is it a bug in these routines ?<br>> > ><br>> > > Is there a new release for the 1.5 branch which has fixed this sort of<br>> > > problem?<br>> > ><br>> > > any help on this
would be very appreciated.<br>> > ><br>> > > currently server has more than 8000 entries in location table at any<br>> > > given time and handles more than 3000 calls per day.<br>> > ><br>> > > following is one such sip trace that i got from a call<br>> > ><br>> > ><br>> > > Even the re- INVITE has correct Proxy-Authorization header present<br>> > > opensips change it again.<br>> > ><br>> > > U 2010/06/24 16:03:40.466974 y.y.y.y:5060 -> x.x.x.x:5060<br>> > > INVITE sip:1234567890@x.x.x.x SIP/2.0.<br>> > > To: <sip:1234567890@x.x.x.x>.<br>> > > From: "abcdefgh" <sip:abcdefgh@x.x.x.x>;tag=252070.<br>> > > Call-ID: 444603gj@192.168.1.20.<br>> > > CSeq: 5 INVITE.<br>> > > Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK155910d13;rport.<br>> > > Allow: ACK,BYE,CANCEL,INVITE,INFO,NOTIFY,OPTIONS,PRACK,REFER,UPDATE.<br>> > > Contact: <sip:abcdefgh@192.168.1.20:5060>.<br>> > > Supported: replaces,precondition.<br>> > > Accept: application/sdp,application/cpim-pidf+xml.<br>> > > Expires: 240.<br>> > > User-Agent: BiPAC 7404VGPX 5.53.s6.b1.<br>> > > Accept-Language: en.<br>> > > Content-Type: application/sdp.<br>> > > Content-Length: 306.<br>> > > Content-Language: en.<br>> > > Content-Disposition: session.<br>> > > Max-Forwards: 70.<br>> > > Proxy-Authorization: Digest<br>> > > username="abcdefgh",realm="x.x.x.x",nonce="4c22f542000042ba42dd84f4cd197a73f815b9c34124752c",uri="sip:1234567890@x.x.x.x",response="32f7b1dfebfa87b20d1efe0e47019b81".<br>> > > .<br>> > > v=0.<br>> > > o=abcdefgh 862 862 IN IP4 192.168.1.20.<br>> > > s=-.<br>> > > c=IN IP4 192.168.1.20.<br>> > > t=0 0.<br>> > > m=audio 5100 RTP/AVP 18 0 8 101.<br>> > > a=rtpmap:18 G729/8000.<br>> > > a=rtpmap:0 PCMU/8000.<br>> > > a=rtpmap:8 PCMA/8000.<br>> > > a=rtpmap:101 telephone-event/8000.<br>> > > a=fmtp:101 0-15,66,70.<br>> > > a=curr:qos e2e send.<br>> > > a=des:qos optional e2e sendrecv.<br>> > > a=sendrecv.<br>> > ><br>> > ><br>> > > U 2010/06/24 16:03:40.468557 x.x.x.x:5060 -> y.y.y.y:5060<br>> > > SIP/2.0 407 Proxy Authentication Required.<br>> > > To: <sip:1234567890@x.x.x.x>;tag=a1270bde159848b15079f3c250cc0b75.56af.<br>> > > From: "abcdefgh" <sip:abcdefgh@x.x.x.x>;tag=252070.<br>> > > Call-ID: 444603gj@192.168.1.20.<br>> > > CSeq: 5 INVITE.<br>> > > Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK155910d13;rport=5060;received=y.y.y.y.<br>> > > Proxy-Authenticate: Digest realm="x.x.x.x",<br>> > > nonce="4c22f55a00004fac9c389333991faa357d4dda38f4b9159f".<br>> > > Server: Voip.<br>> > > Content-Length: 0.<br>> > ><br>> > ><br>> > ><br>> > ><br>><br>><br>> -- <br>>
Bogdan-Andrei Iancu<br>> OpenSIPS Bootcamp<br>> 20 - 24 September 2010, Frankfurt, Germany<br>> www.voice-system.ro<br>><br>><br>> _______________________________________________<br>> Users mailing list<br>> <a ymailto="mailto:Users@lists.opensips.org" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>> <br><br><br>-- <br>Bogdan-Andrei Iancu<br>OpenSIPS Bootcamp<br>20 - 24 September 2010, Frankfurt, Germany<br>www.voice-system.ro<br></div></div>
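<div>Added example, not part of the original thread and not OpenSIPS code: a simplified Python model of the interaction discussed above, where a nonce is accepted only once and a retransmitted INVITE carries the same nonce and the same Via branch as the request it repeats. The Request and Proxy classes, the nonce strings and the branch values are hypothetical; the only assumptions taken from the thread are the one-time nonce check and that retransmissions belong to the same transaction.</div>

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Request:
    method: str
    branch: str            # top Via branch: identifies the transaction
    nonce: Optional[str]   # nonce echoed in Proxy-Authorization, if any


@dataclass
class Proxy:
    absorb_retransmissions: bool                   # look up the transaction before auth?
    issued: set = field(default_factory=set)       # nonces handed out and not yet used
    transactions: set = field(default_factory=set)
    counter: int = 0

    def challenge(self):
        self.counter += 1
        nonce = f"nonce-{self.counter}"            # constructed placeholder value
        self.issued.add(nonce)
        return "407", nonce

    def handle(self, req):
        key = (req.branch, req.method)
        if self.absorb_retransmissions and key in self.transactions:
            return "absorbed", None                # same transaction: no second auth
        if req.nonce is None or req.nonce not in self.issued:
            return self.challenge()                # missing, unknown or already used
        self.issued.discard(req.nonce)             # one-time use
        self.transactions.add(key)
        return "relayed", None


def run(absorb):
    """Replay a constructed four-message scenario and return the outcomes."""
    proxy = Proxy(absorb_retransmissions=absorb)
    outcomes = []
    status, nonce = proxy.handle(Request("INVITE", "z9hG4bK-a", None))
    outcomes.append(status)                        # initial INVITE: challenged
    authed = Request("INVITE", "z9hG4bK-b", nonce)
    outcomes.append(proxy.handle(authed)[0])       # INVITE with credentials
    outcomes.append(proxy.handle(authed)[0])       # retransmission of the same request
    reinvite = Request("INVITE", "z9hG4bK-c", nonce)
    outcomes.append(proxy.handle(reinvite)[0])     # new transaction reusing the old nonce
    return outcomes


if __name__ == "__main__":
    print("auth only:        ", run(False))
    print("transaction first:", run(True))
```

<div>In both modes the last request, a new transaction that reuses an already consumed nonce, is challenged again, which is the pattern in the trace above (CSeq 5 INVITE answered with 407 and a fresh nonce).</div>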
</div><br></body></html>