<div dir="ltr"><div>Theoretically I agree that disable_nonce_check should take care of the stale nonce problem, but in practice (using opensips 1.8.x), I observed that reducing nonce_expire actually works. So set nonce_expire to about 5 seconds and try again.<br>
<br></div><div>Also make sure to:<br><br></div><div>1. use the same db backend for both opensips servers.<br></div><div>2. use a reasonable DNS expiry, e.g. at least 300 seconds. I recommend enforcing registration expiry just under DNS expiry (typically DNS expiry - 5 seconds), so the user re-registers with the same server it started up with.<br>
</div><div></div><div><br></div>Whether it works or not, you should open a ticket in the bug tracker so this behavior is corrected.<br><div><br></div><div>Thank you.<br><br><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, Jan 2, 2014 at 4:08 PM, Kevin Mathy <span dir="ltr"><<a href="mailto:k.mathy@hexanet.fr" target="_blank">k.mathy@hexanet.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">An update about my previous mail :<div><br></div><div>I've tried to change the "disable_nonce_check" value, and set it to "0". The result is all the same, but there's a difference in the logs.</div>
<div><br></div><div>With <b>disable_nonce_check</b> set to <b>1</b> :</div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59128]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '<br>
Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:check_nonce: comparing [52c5766c16b60d6ea7ab8993aac7645275d32b03] and [52c5766c4e6664d7e26e5799601c34086c63cd66]<br>Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:pre_auth: invalid nonce value received<br>
Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '<br>
Jan  2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:pre_auth: stale nonce value received<br>Jan  2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c576918f68aa904540e6467d5a82697ba4b660", stale=true^M '</blockquote>
</div><div><br></div><div><br></div><div>and with <b>disable_nonce_check</b> set to <b>0</b> :</div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:pre_auth: invalid nonce value received<br>Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1,  index= 17<br>
Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e", stale=true^M '<br>
Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:pre_auth: invalid nonce value received<br>Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1,  index= 18<br>
Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:build_auth_hf: nonce index= 18<br>Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c57e2800000012d49d9ee05dd12af13f29ed28bacffb06", stale=true^M '</blockquote>
</div><div><br></div><div><br></div><div>It seems that the disable check nonce function doesn't completely disable the nonce checking, as there's still an inspection whatever value is set.</div><div><br></div>
<div>Thanks for your help, </div><div><br></div><div>Kevin</div><div><br></div></div><div class="gmail_extra"><div class="im"><br clear="all"><div><b><div><span style="font-weight:normal">Bien cordialement, </span></div>
<div><span style="font-weight:normal">Best Regards, </span></div>
<div><span style="font-weight:normal"><br></span></div></b><b>Kevin MATHY</b> |<b> </b>Ingénieur VoIP<br><div><div><b><br></b></div></div></div>
<br><br></div><div><div class="h5"><div class="gmail_quote">2014/1/2 Kevin Mathy <span dir="ltr"><<a href="mailto:k.mathy@hexanet.fr" target="_blank">k.mathy@hexanet.fr</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi List, <div><br></div><div>I'm trying to make SIP registering work for my customers with two Opensips 1.9 servers sharing the same DNS name.</div><div><br></div><div>Here is a schematic : </div>
<div><br></div><div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/=====> Registrar Server 1</div><div>SIP Phone =====> Access SBC&nbsp;</div><div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\=====> Registrar Server 2</div>
<div><br></div><div><br></div><div>I've got the same opensips.cfg on both servers, and here are some interesting points of the config : </div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
loadmodule "auth_db.so"<br># ----- auth_db params -----<br>modparam("auth_db", "calculate_ha1", yes)<br>modparam("auth_db", "use_domain", no)<br>modparam("auth_db", "user_column", "username")<br>
modparam("auth_db", "password_column", "password")<br>modparam("auth_db", "password_column_2", "ha1b")<br>modparam("auth_db", "db_url","mysql://****************************************** ")<br>
modparam("auth_db", "load_credentials", "$avp(password)=password")<br><br># ----------------- module auth ---------------<br>loadmodule "auth.so"<br># ----- auth params -----<br>modparam("auth","username_spec","$var(username)")<br>
modparam("auth","password_spec","$avp(password)")<br>modparam("auth","calculate_ha1",1)<br><b>modparam("auth","disable_nonce_check", 1)</b></blockquote>
<div><br></div><div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
 if (is_method("REGISTER"))<br>  {<br>    xlog("L_INFO","$ci -- New REGISTER received from $si with Contact : $ct\n");<br>    <br>    if (!www_authorize("", "subscriber"))<br>
    {<br>      if ($rc < 0)<br>      {<br>        switch ($rc)<br>        {<br>          case -5:<br>          xlog("L_INFO","$ci -- REGISTER Failed because of : Generic Error");<br>
          break;<br>          case -4:<br>          xlog("L_INFO","$ci -- REGISTER Failed because of : No Credentials");<br>          break;<br>          case -3:<br>
          xlog("L_INFO","$ci -- REGISTER Failed because of : Stale nonce");<br>          break;<br>          case -2:<br>          xlog("L_INFO","$ci -- REGISTER Failed because of : Valid User but Wrong Password");<br>
          break;<br>          case -1:<br>          xlog("L_INFO","$ci -- REGISTER Failed because of : Invalid User");<br>          break;<br>        }<br>
      }<br>      www_challenge("", "0");<br>      exit;<br>    }<br><br>    if (!save("location"))<br>    {<br>      xlog("L_INFO","$ci -- error with save_location from $au\n");<br>
    }<br>    else<br>    {<br>      xlog("L_INFO","$ci -- save_location is OK from $au\n");<br>    }<br><br>    exit;<br>  }</blockquote></div><div><br></div><div><br></div>
<div>So, as you can see, I configured the auth module with "disable_nonce_check" parameter, because of my "loadbalanced" architecture as it's said in the documentation (<a href="http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250075" target="_blank">http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250075</a>) .</div>
<div><br></div><div>But, when a SIP Phone tries to register, the first Register (without any credentials) is sent to the 1st Registrar. It's answered with a 401 Unauthorized containing a nonce.</div><div>Then, the 2nd Register (with credentials, and the previously given nonce) is sent to the 2nd Registrar; but it's still answered with a 401. </div>
<div><br></div><div>Thanks to the return code of www_authorize, I see that it's for the "Stale Nonce" reason, even if "disable_nonce_check" is set to 1 ...</div><div><br></div><div>Maybe there's a misconfiguration, or a bug; so, I need your help :-)</div>
<div><br></div><div>Thanks a lot, </div><div><br></div><div><br clear="all"><div><b><div><span style="font-weight:normal">Bien cordialement, </span></div><div><span style="font-weight:normal">Best Regards, </span></div><span><font color="#888888"><div>
<span style="font-weight:normal"><br></span></div></font></span></b><span><font color="#888888"><b>Kevin MATHY</b> |<b> </b>Ingénieur VoIP<br><div><div><b><br></b></div></div></font></span></div>
</div></div>
</blockquote></div><br></div></div></div>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div><span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Mit freundlichen Grüßen</span></div><span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Muhammad Shahzad</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">------------------------------</span><span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">-----</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">CISCO Rich Media Communication Specialist (CRMCS)</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">CISCO Certified Network Associate (CCNA)</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Cell: +49 176 99 83 10 85</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">MSN: </span><a href="mailto:shari_786pk@hotmail.com" style="color:rgb(17,85,204);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)" target="_blank">shari_786pk@hotmail.com</a><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Email: </span><a href="mailto:shaheryarkh@googlemail.com" style="color:rgb(17,85,204);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)" target="_blank">shaheryarkh@googlemail.com</a>
</div>
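<div>Added example, not part of the thread and not OpenSIPS code: a small Python reader that splits the nonces in the debug lines quoted above into their parts and says which part differs when two nonces are compared. The field layout is an assumption inferred from those logs (the <code>index= 17</code> line is followed by a nonce carrying <code>00000011</code>), and all function names are hypothetical.</div>

```python
import re
from datetime import datetime, timezone

# Two lines copied from the logs quoted in the thread (trailing ^M dropped).
SAMPLE_LOG = (
    "Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: "
    "DBG:auth:check_nonce: comparing "
    "[52c5766c16b60d6ea7ab8993aac7645275d32b03] and "
    "[52c5766c4e6664d7e26e5799601c34086c63cd66]\n"
    "Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: "
    "DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm=\"REDIRECT\", "
    "nonce=\"52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e\", stale=true'\n"
)

COMPARE = re.compile(r"check_nonce: comparing \[([0-9a-f]+)\] and \[([0-9a-f]+)\]")
ISSUED = re.compile(r'nonce="([0-9a-f]+)"')

def split_nonce(nonce):
    """Split a nonce using the layout inferred from the logs (an assumption):
    8 hex digits of expiry time, 8 more of index when the nonce is 48 long,
    then a 32 hex digit digest."""
    if len(nonce) not in (40, 48) or not re.fullmatch(r"[0-9a-f]+", nonce):
        raise ValueError("unexpected nonce shape: %r" % nonce)
    expires = datetime.fromtimestamp(int(nonce[:8], 16), timezone.utc)
    index = int(nonce[8:16], 16) if len(nonce) == 48 else None
    return {"expires": expires, "index": index, "digest": nonce[-32:]}

def classify(first, second):
    """Say which part of the two nonces on a check_nonce line differs."""
    a, b = split_nonce(first), split_nonce(second)
    if a == b:
        return "identical"
    if (a["expires"], a["index"]) == (b["expires"], b["index"]):
        return "same expiry, different digest"
    return "different expiry or index"

def analyze(log):
    """Return one (kind, detail) finding per log line that carries a nonce."""
    findings = []
    for line in log.splitlines():
        m = COMPARE.search(line)
        if m:
            findings.append(("compare", classify(m.group(1), m.group(2))))
            continue
        m = ISSUED.search(line)
        if m:
            findings.append(("issued", split_nonce(m.group(1))))
    return findings
```

<div>On the <code>check_nonce</code> line from the thread the expiry prefix is identical and only the digest differs, which reads as the two registrars keying the nonce hash differently rather than as an expired nonce; the auth module's <code>secret</code> parameter is the setting to compare across both servers.</div>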