Hi All,
Does anyone have any thoughts on how I can debug this further? I'm
currently stumped as to what steps to take to see why these messages are
failing authentication.
Any suggestions appreciated.
Thanks
On 03/05/18 11:02, Asgaroth wrote:
Hi All,
I am testing a scenario where we have 3 proxies and I'm trying to
ensure that if a message comes in to 1 proxy, which challenges the
UA, it is able to be auth'd successfully on one of the remaining 2
proxies if, for some reason, the UA decides to send the response to one
of the remaining two proxies.
I am testing this using a separate kamailio proxy which load-balances
messages across the 3 proxies that I am testing with. I have 1 UA
(zoiper) which I tell to subscribe for MWI. The initial SUBSCRIBE is
sent to proxy 1, which sends a 407 back; the new SUBSCRIBE with auth,
from the UA, is sent to proxy 2, which deems the nonce as expired and
re-challenges. This continues in a loop across the 3 proxies and never
authenticates.
I think I'm missing something in my settings that I just cannot put my
finger on, and/or I'm misunderstanding the documentation and how
these settings interact with each other.
My auth module settings are as follows:
#
# - auth params -
#
modparam("auth", "qop", "auth")
modparam("auth", "nonce_count", 1)
modparam("auth", "one_time_nonce", 1)
modparam("auth", "nid_pool_no", 4)
modparam("auth", "nc_array_size", 4194304)
modparam("auth", "otn_in_flight_no", 8388608)
modparam("auth", "auth_checks_no_dlg", 9)
modparam("auth", "auth_checks_in_dlg", 15)
modparam("auth", "auth_checks_register", 11)
modparam("auth", "secret", "secret_32_char_str")
I tried with one_time_nonce enabled and disabled but the result is the
same: continuous re-challenge.
The documentation mentions that if nonce_count and one_time_nonce are
enabled, and a UA sends a response with nonce and qop in the auth
header, then one_time_nonce will not be used; one_time_nonce will be
used as a fallback in the case the UA does not support qop.
My auth block in the routing logic looks like so:
route[AUTH_CHECK] {
    xlog("L_DBG", "route[AUTH_CHECK] : $rm : Performing authentication checks for '$var(creds_key)'");

    # flags handed to auth_challenge(); bit 16 is added below when the nonce has expired
    $var(challenge_flags) = 1;

    if ( ! pv_auth_check("$fd", "$sht(creds=>$var(creds_key)::Password)", "20", "1") ) {
        switch($retcode) {
            case -1:
                xlog("L_DBG", "route[AUTH_CHECK] : $rm : Generic error occurred, no reply sent out.");
                break;
            case -2:
                xlog("L_DBG", "route[AUTH_CHECK] : $rm : Invalid password supplied, re-challenging client and removing from hash table.");
                sht_rm_name_re("creds=>$var(creds_key)");
                break;
            case -4:
                xlog("L_DBG", "route[AUTH_CHECK] : $rm : Nonce has expired, re-challenging client.");
                $var(challenge_flags) = $var(challenge_flags) + 16;
                break;
            case -5:
                xlog("L_DBG", "route[AUTH_CHECK] : $rm : No credentials supplied, challenging client.");
                break;
            case -6:
                xlog("L_DBG", "route[AUTH_CHECK] : $rm : Nonce has already been used to auth a previous request, challenging client.");
                break;
            case -8:
                xlog("L_DBG", "route[AUTH_CHECK] : $rm : Auth user is different to From/To user, challenging client.");
                break;
        }
        xlog("L_INFO", "route[AUTH_CHECK] : $rm : auth_challenge will be called with '$fd' and '$var(challenge_flags)'");
        auth_challenge("$fd", "$var(challenge_flags)");
        exit;
    }

    # credentials verified: strip the Authorization header before forwarding
    consume_credentials();
}
When I look at the logs I always see the proxies seeing the nonce as
expired:
oUBGp0n6HRWu_mvPPxJQqg..: INFO:
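An added illustration, written for this page rather than taken from the thread or from Kamailio's source, of why the two kinds of nonce checking described above behave differently when the 407 challenge and the authenticated retry land on different proxies. A nonce that is derived only from a shared secret and an issue time can be verified by any node that holds the secret; a check that additionally consults a node-local table (nonces this node issued, or the highest nonce count it has seen) fails on a sibling node that never issued the challenge, even though the digest itself is correct. The nonce format, the `ProxyNode` class, the `cluster_scenario`/`replay_scenario` helpers and the sample realm, user and password are all constructed for the example; they are not Kamailio's actual nonce layout or API.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Tuple

# Constructed sample values (not from the thread). The secret is the same on every node.
REALM = "example.test"
SHARED_SECRET = b"secret_32_char_str_placeholder00"
NONCE_LIFETIME = 300  # seconds a nonce stays valid


def md5hex(s: str) -> str:
    # RFC 2617 digest uses MD5 for HA1/HA2/response; that is a protocol constraint, not a choice here
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(secret: bytes, issued_at: int) -> str:
    """Self-validating nonce: issue time plus an HMAC over it under the shared secret."""
    ts = f"{issued_at:d}"
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}-{mac}"


def check_nonce(secret: bytes, nonce: str, now: int, lifetime: int) -> str:
    """Return 'ok', 'expired' or 'forged'. Needs only the secret, no per-node state."""
    try:
        ts, mac = nonce.split("-", 1)
        issued_at = int(ts)
    except ValueError:
        return "forged"
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return "forged"  # check the MAC before trusting the timestamp
    if now - issued_at > lifetime or issued_at > now:
        return "expired"
    return "ok"


def digest_response(user: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response with qop=auth."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class ProxyNode:
    """One proxy. 'issued' and 'nc_seen' are node-local tables that are not
    replicated to sibling nodes (constructed for the example)."""

    def __init__(self, name: str, secret: bytes = SHARED_SECRET):
        self.name = name
        self.secret = secret
        self.issued: set = set()            # nonces this node handed out (one-time-nonce style)
        self.nc_seen: Dict[str, int] = {}   # highest nonce count accepted per nonce

    def challenge(self, now: int) -> str:
        nonce = make_nonce(self.secret, now)
        self.issued.add(nonce)
        return nonce

    def verify(self, creds: dict, password: str, now: int, require_local_state: bool) -> str:
        status = check_nonce(self.secret, creds["nonce"], now, NONCE_LIFETIME)
        if status != "ok":
            return status
        expected = digest_response(creds["username"], password, creds["method"], creds["uri"],
                                   creds["nonce"], creds["nc"], creds["cnonce"])
        if not hmac.compare_digest(expected, creds["response"]):
            return "bad-password"
        if require_local_state and creds["nonce"] not in self.issued:
            return "unknown-nonce"  # digest is valid, but this node never issued the nonce
        nc = int(creds["nc"], 16)
        if nc <= self.nc_seen.get(creds["nonce"], 0):
            return "replay"         # nonce count did not increase: same request seen again
        self.nc_seen[creds["nonce"]] = nc
        return "ok"


def ua_response(user: str, password: str, method: str, uri: str, nonce: str, nc: int = 1) -> dict:
    """What the UA sends back after a 407 (the Authorization header, as a dict)."""
    cnonce = os.urandom(8).hex()
    nc_hex = f"{nc:08x}"
    return {"username": user, "method": method, "uri": uri, "nonce": nonce, "nc": nc_hex,
            "cnonce": cnonce,
            "response": digest_response(user, password, method, uri, nonce, nc_hex, cnonce)}


def cluster_scenario(require_local_state: bool) -> str:
    """407 from proxy 1, authenticated retry arrives at proxy 2."""
    now = int(time.time())
    p1, p2 = ProxyNode("proxy1"), ProxyNode("proxy2")
    nonce = p1.challenge(now)
    creds = ua_response("alice", "pw", "SUBSCRIBE", "sip:alice@example.test", nonce)
    return p2.verify(creds, "pw", now + 1, require_local_state)


def replay_scenario() -> Tuple[str, str]:
    """Same node, same credentials submitted twice: the nonce-count check catches the second."""
    now = int(time.time())
    p1 = ProxyNode("proxy1")
    nonce = p1.challenge(now)
    creds = ua_response("alice", "pw", "SUBSCRIBE", "sip:alice@example.test", nonce)
    return p1.verify(creds, "pw", now + 1, True), p1.verify(creds, "pw", now + 2, True)


if __name__ == "__main__":
    print("stateless nonce, verified on sibling node:", cluster_scenario(False))
    print("node-local table required on sibling node:", cluster_scenario(True))
    print("same node, same request twice:", replay_scenario())
```

The point for a load-balanced cluster is that only the checks in `check_nonce` travel with the shared secret; anything kept in a per-node table (`issued`, `nc_seen`) has to be either replicated between nodes or avoided by pinning a UA's challenge and retry to the same proxy.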