<div dir="ltr">An update about my previous mail :<div><br></div><div>I&#39;ve tried to change the &quot;disable_nonce_check&quot; value, and set it to &quot;0&quot;. The result is all the same, but there&#39;s a difference in the logs.</div>

<div><br></div><div>With <b>disable_nonce_check</b> set to <b>1</b> :</div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59128]: DBG:auth:build_auth_hf: &#39;WWW-Authenticate: Digest realm=&quot;REDIRECT&quot;, nonce=&quot;52c5766c4e6664d7e26e5799601c34086c63cd66&quot;, stale=true^M &#39;<br>

Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:check_nonce: comparing [52c5766c16b60d6ea7ab8993aac7645275d32b03] and [52c5766c4e6664d7e26e5799601c34086c63cd66]<br>Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:pre_auth: invalid nonce value received<br>

Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:build_auth_hf: &#39;WWW-Authenticate: Digest realm=&quot;REDIRECT&quot;, nonce=&quot;52c5766c4e6664d7e26e5799601c34086c63cd66&quot;, stale=true^M &#39;<br>

Jan  2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:pre_auth: stale nonce value received<br>Jan  2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:build_auth_hf: &#39;WWW-Authenticate: Digest realm=&quot;REDIRECT&quot;, nonce=&quot;52c576918f68aa904540e6467d5a82697ba4b660&quot;, stale=true^M &#39;</blockquote>

</div><div><br></div><div><br></div><div>and with <b>disable_nonce_check</b> set to <b>0</b> :</div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:pre_auth: invalid nonce value received<br>Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1,  index= 17<br>

Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:build_auth_hf: &#39;WWW-Authenticate: Digest realm=&quot;REDIRECT&quot;, nonce=&quot;52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e&quot;, stale=true^M &#39;<br>

Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:pre_auth: invalid nonce value received<br>Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1,  index= 18<br>

Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:build_auth_hf: nonce index= 18<br>Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:build_auth_hf: &#39;WWW-Authenticate: Digest realm=&quot;REDIRECT&quot;, nonce=&quot;52c57e2800000012d49d9ee05dd12af13f29ed28bacffb06&quot;, stale=true^M &#39;</blockquote>

</div><div><br></div><div><br></div><div>It seems that the disable check nonce function doesn&#39;t completely disable the nonce checking, as there&#39;s still an inspection whatever is the value set.</div><div><br></div>

<div>Thanks for your help, </div><div><br></div><div>Kevin</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><b><div><span style="font-weight:normal">Bien cordialement, </span></div><div><span style="font-weight:normal">Best Regards, </span></div>

<div><span style="font-weight:normal"><br></span></div></b><b>Kevin MATHY</b> |<b> </b>Ingénieur VoIP<br><div><div><b><br></b></div></div></div>
<br><br><div class="gmail_quote">2014/1/2 Kevin Mathy <span dir="ltr">&lt;<a href="mailto:k.mathy@hexanet.fr" target="_blank">k.mathy@hexanet.fr</a>&gt;</span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div dir="ltr">Hi List, <div><br></div><div>I&#39;m trying to make the SIP Registering working for my customers with two Opensips 1.9 servers sharing the same DNS name.</div><div><br></div><div>Here is a schematic : </div>


<div><br></div><div>                                              /=====&gt; Registrar Server 1</div><div>SIP Phone =====&gt; Access SBC </div><div>                                              \=====&gt; Registrar Server 2</div>


<div><br></div><div><br></div><div>I&#39;ve got the same opensips.cfg on both servers, and here are some interesting points of the config : </div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">


loadmodule &quot;auth_db.so&quot;<br># ----- auth_db params -----<br>modparam(&quot;auth_db&quot;, &quot;calculate_ha1&quot;, yes)<br>modparam(&quot;auth_db&quot;, &quot;use_domain&quot;, no)<br>modparam(&quot;auth_db&quot;, &quot;user_column&quot;, &quot;username&quot;)<br>


modparam(&quot;auth_db&quot;, &quot;password_column&quot;, &quot;password&quot;)<br>modparam(&quot;auth_db&quot;, &quot;password_column_2&quot;, &quot;ha1b&quot;)<br>modparam(&quot;auth_db&quot;, &quot;db_url&quot;,&quot;mysql://****************************************** &quot;)<br>


modparam(&quot;auth_db&quot;, &quot;load_credentials&quot;, &quot;$avp(password)=password&quot;)<br><br># ----------------- module auth ---------------<br>loadmodule &quot;auth.so&quot;<br># ----- auth params -----<br>modparam(&quot;auth&quot;,&quot;username_spec&quot;,&quot;$var(username)&quot;)<br>


modparam(&quot;auth&quot;,&quot;password_spec&quot;,&quot;$avp(password)&quot;)<br>modparam(&quot;auth&quot;,&quot;calculate_ha1&quot;,1)<br><b>modparam(&quot;auth&quot;,&quot;disable_nonce_check&quot;, 1)</b></blockquote>


<div><br></div><div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">


 if (is_method(&quot;REGISTER&quot;))<br>    {<br>        xlog(&quot;L_INFO&quot;,&quot;$ci -- New REGISTER received from $si with Contact : $ct\n&quot;);<br>       <br>        if (!www_authorize(&quot;&quot;, &quot;subscriber&quot;))<br>


        {<br>            if ($rc &lt; 0)<br>            {<br>                switch ($rc)<br>                {<br>                    case -5:<br>                    xlog(&quot;L_INFO&quot;,&quot;$ci -- REGISTER Failed because of : Generic Error&quot;);<br>


                    break;<br>                    case -4:<br>                    xlog(&quot;L_INFO&quot;,&quot;$ci -- REGISTER Failed because of : No Credentials&quot;);<br>                    break;<br>                    case -3:<br>


                    xlog(&quot;L_INFO&quot;,&quot;$ci -- REGISTER Failed because of : Stale nonce&quot;);<br>                    break;<br>                    case -2:<br>                    xlog(&quot;L_INFO&quot;,&quot;$ci -- REGISTER Failed because of : Valid User but Wrong Password&quot;);<br>


                    break;<br>                    case -1:<br>                    xlog(&quot;L_INFO&quot;,&quot;$ci -- REGISTER Failed because of : Invalid User&quot;);<br>                    break;<br>                }<br>


            }<br>            www_challenge(&quot;&quot;, &quot;0&quot;);<br>            exit;<br>        }<br><br>        if (!save(&quot;location&quot;))<br>        {<br>            xlog(&quot;L_INFO&quot;,&quot;$ci -- error with save_location from $au\n&quot;);<br>


        }<br>        else<br>        {<br>            xlog(&quot;L_INFO&quot;,&quot;$ci -- save_location is OK from $au\n&quot;);<br>        }<br><br>        exit;<br>    }</blockquote></div><div><br></div><div><br></div>


<div>So, as you can see, I configured the auth module with &quot;disable_nonce_check&quot; parameter, because of my &quot;loadbalanced&quot; architecture as it&#39;s said in the documentation (<a href="http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250075" target="_blank">http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250075</a>) .</div>


<div><br></div><div>But, when a SIP Phone tries to register, the first Register (without any credentials) is sent to the 1st Registrar. It&#39;s answered with a 401 Unauthorized containing a nonce.</div><div>Then, the 2nd Register (with credentials, and the previously given nonce) is sent to the 2nd Registrar; but it&#39;s still answered with a 401. </div>


<div><br></div><div>Thanks to the return code of www_authorize, I see that it&#39;s for the &quot;Stale Nonce&quot; reason, even if &quot;disable_nonce_check&quot; is set to 1 ...</div><div><br></div><div>Maybe there&#39;s a misconfiguration, or a bug; so, I need your help :-)</div>


<div><br></div><div>Thanks a lot, </div><div><br></div><div><br clear="all"><div><b><div><span style="font-weight:normal">Bien cordialement, </span></div><div><span style="font-weight:normal">Best Regards, </span></div><span class="HOEnZb"><font color="#888888"><div>


<span style="font-weight:normal"><br></span></div></font></span></b><span class="HOEnZb"><font color="#888888"><b>Kevin MATHY</b> |<b> </b>Ingénieur VoIP<br><div><div><b><br></b></div></div></font></span></div>
</div></div>
</blockquote></div><br></div>

<br>
<img src="http://www.hexanet.fr/sites/files/hexanet/files/20130205_signature_hexanet.gif">