Re: [Asterisk-Users] What does the error 'stale nonce' mean?

2005-10-04 Thread Morten Isaksen

On 10/3/05, Morten Isaksen [EMAIL PROTECTED] wrote:

On 10/3/05, Olle E. Johansson [EMAIL PROTECTED] wrote:
 Does anyone know what stale nonce is?
 I've answered this question many times, so you should be able to find
 the answer...

 A stale nonce is when a device tries to re-authenticate with a nonce
 that is no longer valid. We are telling them that the nonce they used is
 invalid, and re-issue a new challenge and a fresh nonce. It's just an
 informative message, that I probably should move away to a debug level
 of some kind.


I get this error when I use an Audiocodes MP-124 against Asterisk 1.2beta1 and asterisk refuses the call. When I use CVS-D2005.02.12.14.37.11-04/13/05-16:14:03 it works fine.

I do not have access to the debug and log file now, but I will send them tomorrow.


Here is the output from sip debug. I hope someone can explain what is wrong.

-- SIP read from 10.131.2.1:5060:
INVITE sip:[EMAIL PROTECTED];user=phone SIP/2.0
Via: SIP/2.0/UDP 10.131.2.1;branch=z9hG4bKaciipncbQ
Max-Forwards: 70
From: sip:[EMAIL PROTECTED];tag=1c1850211233
To: sip:[EMAIL PROTECTED];user=phone
Call-ID: [EMAIL PROTECTED]
CSeq: 1 INVITE
Contact: sip:[EMAIL PROTECTED]
Supported: em,100rel,timer,replaces,path
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: Audiocodes-Sip-Gateway-MP-124 FXS/v.4.60A.008.006
Content-Type: application/sdp
Content-Length: 242

v=0
o=AudiocodesGW 644554 101011 IN IP4 10.131.2.1
s=Phone-Call
c=IN IP4 10.131.2.1
t=0 0
m=audio 6070 RTP/AVP 8 0 96
a=rtpmap:8 pcma/8000
a=rtpmap:0 pcmu/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15
a=ptime:20
a=sendrecv

--- (13 headers 12 lines)---
Using INVITE request as basis request - [EMAIL PROTECTED]
Sending to 10.131.2.1 : 5060 (non-NAT)
Reliably Transmitting (no NAT) to 10.131.2.1:5060:
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 10.131.2.1;branch=z9hG4bKaciipncbQ
From: sip:[EMAIL PROTECTED];tag=1c1850211233
To: sip:[EMAIL PROTECTED];user=phone;tag=as6a339401
Call-ID: [EMAIL PROTECTED]
CSeq: 1 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY
Contact: sip:[EMAIL PROTECTED]
Proxy-Authenticate: Digest realm=asterisk, nonce=22a96479
Content-Length: 0

---
Scheduling destruction of call '[EMAIL PROTECTED]' in 15000 ms
Found user '070001'
localhost*CLI
-- SIP read from 10.131.2.1:5060:
ACK sip:[EMAIL PROTECTED];user=phone SIP/2.0
Via: SIP/2.0/UDP 10.131.2.1;branch=z9hG4bKaciipncbQ
Max-Forwards: 70
From: sip:[EMAIL PROTECTED];tag=1c1850211233
To: sip:[EMAIL PROTECTED];user=phone;tag=as6a339401
Call-ID: [EMAIL PROTECTED]
CSeq: 1 ACK
Contact: sip:[EMAIL PROTECTED]
Supported: em,timer,replaces,path
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: Audiocodes-Sip-Gateway-MP-124 FXS/v.4.60A.008.006
Content-Length: 0

--- (12 headers 0 lines)---
localhost*CLI
-- SIP read from 10.131.2.1:5060:
INVITE sip:[EMAIL PROTECTED];user=phone SIP/2.0
Via: SIP/2.0/UDP 10.131.2.1;branch=z9hG4bKaclMBIpvu
Max-Forwards: 70
From: sip:[EMAIL PROTECTED];tag=1c1850211233
To: sip:[EMAIL PROTECTED];user=phone
Call-ID: [EMAIL PROTECTED]
CSeq: 2 INVITE
Proxy-Authorization: Digest username=070001,realm=asterisk,nonce=22a96479 ,uri=sip:[EMAIL PROTECTED],algorithm=MD5,response=41cc6e74fc333e770fa28a7db158a495
Contact: sip:[EMAIL PROTECTED]
Supported: em,100rel,timer,replaces,path
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: Audiocodes-Sip-Gateway-MP-124 FXS/v.4.60A.008.006
Content-Type: application/sdp
Content-Length: 242

v=0
o=AudiocodesGW 644554 101011 IN IP4 10.131.2.1
s=Phone-Call
c=IN IP4 10.131.2.1
t=0 0
m=audio 6070 RTP/AVP 8 0 96
a=rtpmap:8 pcma/8000
a=rtpmap:0 pcmu/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15
a=ptime:20
a=sendrecv

--- (14 headers 12 lines)---
Using INVITE request as basis request - [EMAIL PROTECTED]
Sending to 10.131.2.1 : 5060 (non-NAT)
Oct 4 13:20:51 NOTICE[4078]: chan_sip.c:5710 check_auth: stale nonce received from 'sip:[EMAIL PROTECTED];user=phone'
Reliably Transmitting (no NAT) to 10.131.2.1:5060:
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 10.131.2.1;branch=z9hG4bKaclMBIpvu
From: sip:[EMAIL PROTECTED];tag=1c1850211233
To: sip:[EMAIL PROTECTED];user=phone;tag=as6a339401
Call-ID: [EMAIL PROTECTED]
CSeq: 2 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY
Contact: sip:[EMAIL PROTECTED]
Proxy-Authenticate: Digest realm=asterisk, nonce=0e317db4
Content-Length: 0

---
Scheduling destruction of call '[EMAIL PROTECTED]' in 15000 ms
Found user '070001'
localhost*CLI
-- SIP read from 10.131.2.1:5060:
ACK sip:[EMAIL PROTECTED];user=phone SIP/2.0
Via: SIP/2.0/UDP 10.131.2.1;branch=z9hG4bKaclMBIpvu
Max-Forwards: 70
From: sip:[EMAIL PROTECTED];tag=1c1850211233
To: sip:[EMAIL PROTECTED];user=phone;tag=as6a339401
Call-ID: [EMAIL PROTECTED]
CSeq: 2 ACK
Contact: sip:[EMAIL PROTECTED]
Supported: em,timer,replaces,path
Allow:

Re: [Asterisk-Users] What does the error 'stale nonce' mean?

2005-10-03 Thread Olle E. Johansson
Paul Conn wrote:
 I’m receiving the following error over and over, ad nauseam:

 Oct  1 23:59:53 NOTICE[3194]: chan_sip.c:5890 check_auth: stale nonce
 received from ‘CNAME-CID sip:[EMAIL PROTECTED]’

 Does anyone know what “stale nonce” is?

I've answered this question many times, so you should be able to find
the answer...

A stale nonce is when a device tries to re-authenticate with a nonce
that is no longer valid. We are telling them that the nonce they used is
invalid, and re-issue a new challenge and a fresh nonce. It's just an
informative message, that I probably should move away to a debug level
of some kind.

/Olle
___
--Bandwidth and Colocation sponsored by Easynews.com --

Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [Asterisk-Users] What does the error 'stale nonce' mean?

2005-10-03 Thread Gurminder Arora
 I'm receiving the following error over and over, ad nauseam:

 Oct  1 23:59:53 NOTICE[3194]: chan_sip.c:5890 check_auth: stale nonce
 received from 'CNAME-CID sip:[EMAIL PROTECTED]'

In the message itself, nowhere is it written ERROR.

But thanks to Stewart and Olle for giving in depth information.


/Gurmi


Re: [Asterisk-Users] What does the error 'stale nonce' mean?

2005-10-03 Thread Bob Goddard
On Monday 03 Oct 2005 08:51, Olle E. Johansson wrote:
 Paul Conn wrote:
  I’m receiving the following error over and over, ad nauseam:

  Oct  1 23:59:53 NOTICE[3194]: chan_sip.c:5890 check_auth: stale nonce
  received from ‘CNAME-CID sip:[EMAIL PROTECTED]’

  Does anyone know what “stale nonce” is?

 I've answered this question many times, so you should be able to find
 the answer...

 A stale nonce is when a device tries to re-authenticate with a nonce
 that is no longer valid. We are telling them that the nonce they used is
 invalid, and re-issue a new challenge and a fresh nonce. It's just an
 informative message, that I probably should move away to a debug level
 of some kind.

I wish someone had read a British dictionary before they
decided to use this word. It makes no sense at all.


B


Re: [Asterisk-Users] What does the error 'stale nonce' mean?

2005-10-03 Thread Morten Isaksen

On 10/3/05, Olle E. Johansson [EMAIL PROTECTED] wrote:
 Does anyone know what "stale nonce" is?
 I've answered this question many times, so you should be able to find
 the answer...

 A stale nonce is when a device tries to re-authenticate with a nonce
 that is no longer valid. We are telling them that the nonce they used is
 invalid, and re-issue a new challenge and a fresh nonce. It's just an
 informative message, that I probably should move away to a debug level
 of some kind.

I get this error when I use an Audiocodes MP-124 against Asterisk 1.2beta1 and asterisk refuses the call. When I use CVS-D2005.02.12.14.37.11-04/13/05-16:14:03 it works fine.

I do not have access to the debug and log file now, but I will send them tomorrow.

/Morten


Re: [Asterisk-Users] What does the error 'stale nonce' mean?

2005-10-03 Thread trixter http://www.0xdecafbad.com
A stale nonce is more of a warning than an error.  In SIP your
authorization credentials are encoded in the SIP headers.  To prevent
people from capturing that data and using it later to make calls on your
account a nonce is used.

A nonce is a disposable number that is added to the string a hash
algorithm will hash.  This makes hashing algorithms (like md5) have
different output.  This is a common cryptography technique.  

The SIP RFC requires that the nonce randomly change periodically.  If
the client uses a nonce that was expired it is considered a 'stale
nonce'.  The client should then get the current nonce and use that
instead.  This message lets you know that the client tried to use a
stale nonce, which can indicate someone trying a replay attack (using
captured data from a previous session) or a client that isn't properly
getting the new nonce, or even just timing issues as follows:

Client gets a nonce.  
Client goes to register/reregister using that nonce
At the same time the client is preparing the message to 
 register/reregister the server chooses a new nonce
Client sends the message with the now old nonce

Then again it could be something else entirely :)


On Mon, 2005-10-03 at 22:35 +0200, Morten Isaksen wrote:
 
 On 10/3/05, Olle E. Johansson [EMAIL PROTECTED] wrote:
  Does anyone know what stale nonce is?
 I've answered this question many times, so you should be able to find
 the answer...

 A stale nonce is when a device tries to re-authenticate with a nonce
 that is no longer valid. We are telling them that the nonce they used is
 invalid, and re-issue a new challenge and a fresh nonce. It's just an
 informative message, that I probably should move away to a debug level
 of some kind.

 I get this error when I use an Audiocodes MP-124 against Asterisk
 1.2beta1 and asterisk refuses the call. When I use
 CVS-D2005.02.12.14.37.11-04/13/05-16:14:03 it works fine.

 I do not have access to the debug and log file now, but I will send
 them tomorrow.

 /Morten
  
-- 
Trixter http://www.0xdecafbad.com Bret McDanel
UK +44 870 340 4605   Germany +49 801 777 555 3402
US +1 360 207 0479 or +1 516 687 5200
FreeWorldDialup: 635378



Re: [Asterisk-Users] What does the error 'stale nonce' mean?

2005-10-02 Thread Stewart Nelson

Hi Paul,


I'm receiving the following error over and over, ad nauseam:
Oct  1 23:59:53 NOTICE[3194]: chan_sip.c:5890 check_auth: stale nonce received from 'CNAME-CID sip:[EMAIL PROTECTED]'

Does anyone know what stale nonce is?
Thanks!


This is normally not an error.

Digest authentication in SIP is very similar to its use in HTTP.
See http://www.ietf.org/rfc/rfc2617.txt .
Details for SIP are at http://www.ietf.org/rfc/rfc3261.txt .
When your client sends an INVITE or a REGISTER, * will challenge with
a pseudo-random nonce (in the 401 or 407 response), and the client
will reissue the request with a corresponding digest; the request
is then accepted if the digest is correct.

If the client needs to reregister or call the same number again,
it is permitted to supply the same digest in the new request, usually
avoiding the need to send two requests.  However, if * decides that
the nonce is too old, it will send a new challenge, to make replay
attacks more difficult.  * includes stale=true in the authenticate
request, to tell the client that the password was ok and it can 
recompute the digest without asking the user to enter new credentials.


Does this happen on REGISTER, on INVITE, or both?
For all clients, all of the same type, or just one device?
How often?
Does the client reissue the request, and does it then succeed?

--Stewart
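
The challenge, digest and stale=true handling described in the two explanations in this thread, as an added example that is not part of any post and is not Asterisk's code: an RFC 2617 digest check without qop, the form seen in the SIP trace on this page. The class and function names, the 30-second nonce lifetime, the password and the URI are assumptions made for the example.

```python
import hashlib
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:  # hypothetical server side, not Asterisk's check_auth()
    def __init__(self, realm, users, nonce_lifetime=30):  # lifetime: assumption
        self.realm, self.users, self.lifetime = realm, users, nonce_lifetime
        self.issued = {}  # nonce -> time it was issued

    def challenge(self, now, stale=False):
        nonce = secrets.token_hex(4)  # 8 hex digits, like the nonces in the trace
        self.issued[nonce] = now
        header = f'Digest realm="{self.realm}", nonce="{nonce}"'
        return nonce, header + (", stale=true" if stale else "")

    def check(self, auth, method, now):
        """Return ('ok', None) or ('challenge', header for the 401/407)."""
        password = self.users.get(auth["username"])
        expected = password is not None and digest_response(
            auth["username"], self.realm, password, method, auth["uri"], auth["nonce"])
        if not expected or not secrets.compare_digest(expected, auth["response"]):
            return "challenge", self.challenge(now)[1]  # wrong credentials
        issued_at = self.issued.get(auth["nonce"])
        if issued_at is None or now - issued_at > self.lifetime:
            return "challenge", self.challenge(now, stale=True)[1]  # nonce too old
        return "ok", None

def authorize(user, realm, password, method, uri, nonce):  # client side
    return {"username": user, "uri": uri, "nonce": nonce,
            "response": digest_response(user, realm, password, method, uri, nonce)}

def demo():
    srv = DigestServer("asterisk", {"070001": "constructed-secret"})
    uri = "sip:100@pbx.example"  # constructed URI
    nonce, _ = srv.challenge(now=0)
    good = authorize("070001", "asterisk", "constructed-secret", "INVITE", uri, nonce)
    bad = authorize("070001", "asterisk", "wrong-guess", "INVITE", uri, nonce)
    # fresh nonce, the same header replayed later, a wrong password
    return [srv.check(a, "INVITE", now=t) for a, t in ((good, 5), (good, 100), (bad, 5))]

if __name__ == "__main__":
    print(demo())
```

A captured header replayed after the nonce lifetime produces a new challenge carrying stale=true, while a wrong password produces a challenge without it.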
