Hi Daniel,

the nonce checking assumes a kind of state and does not work correctly if 
you do not properly handle the retransmissions. For example:

   1) you get INVITE with credentials, you successfully authenticate it 
and you start processing it for forwarding
   2) before sending a reply for the first INVITE, you get a 
retransmission for it -> same credentials, auth fails -> negative reply.

so, you end up with an inconsistency -> you did both reply and forward 
as you processed the transmissions differently due to the nonce checking

What you can do is to create the transaction state before the 
authentication (using t_newtran()), so that your retransmissions 
will be absorbed by the transaction engine.

Regards,
Bogdan

Daniel Goepp wrote:
> Thanks for the update.  I did notice that parameter, but I don't want 
> to disable it.  I guess for now I will just accept the higher load of 
> authing every register.  I also found that I had a device that was not 
> behaving right either.  I will look into this one further.  Sorry for 
> the flood of emails, I was really banging my head the other day on 
> this one.
>
> -dg
>
>
> On Fri, Apr 2, 2010 at 11:38 PM, Bogdan-Andrei Iancu 
> <[email protected]> wrote:
>
>     Hi Daniel,
>
>     it is because of the nonce reusage - opensips (by default) uses a
>     nonce for a single authentication, after that it reports it as stale.
>     If you want to disable this behaviour (to enable nonce reusage),
>     see the auth param "disable_nonce_check":
>        http://www.opensips.org/html/docs/modules/1.6.x/auth.html#id228317
>
>     Regards,
>     Bogdan
>
>     Daniel Goepp wrote:
>     > Ah...I see what that retcode is anyway, 2^32 = 4294967296, so those
>     > are really just -4 first, no credentials, then -3 stale nonce
>     >
>     > -dg
>     >
>     >
>     > On Fri, Apr 2, 2010 at 1:50 PM, Daniel Goepp <[email protected]> wrote:
>     > >
>     > > A quick follow up on this, I enabled some logging, but the retcode
>     > > is not making any sense to me (probably because I'm using it wrong).
>     > >
>     > > From my config:
>     > >
>     > >                 xlog ("REGISTER $fu");
>     > >                 # authenticate the REGISTER requests (uncomment to enable auth)
>     > >                 if (!www_authorize("", "subscriber"))
>     > >                 {
>     > >                         xlog ("Not authorized - challenging, error: $retcode");
>     > >                         www_challenge("", "1");
>     > >                         exit;
>     > >                 }
>     > >
>     > > Then in the log:
>     > >
>     > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:[email protected]
>     > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
>     > > Apr  2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:[email protected]
>     > > Apr  2 13:49:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:[email protected]
>     > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:[email protected]
>     > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
>     > > Apr  2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:[email protected]
>     > > Apr  2 13:50:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:[email protected]
>     > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:[email protected]
>     > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
>     > > Apr  2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:[email protected]
>     > >
>     > > Also I'm running 1.6.2-tls compiled today from latest 1_6 branch in SVN.
>     > >
>     > > -dg
>     > >
>     > >
>     > > On Fri, Apr 2, 2010 at 1:40 PM, Daniel Goepp <[email protected]> wrote:
>     > >>
>     > >> I'm having some trouble with nonce expiring I believe.  The problem
>     > >> is that every other one of my endpoint registrations is doing an auth
>     > >> challenge w/401.
>     > >>
>     > >> From my config:
>     > >> modparam("registrar", "default_expires", 60)
>     > >> modparam("registrar", "min_expires", 60)
>     > >> modparam("registrar", "max_expires", 60)
>     > >>
>     > >> modparam("auth", "nonce_expire", 3600)
>     > >>
>     > >> From this I would expect the devices to try to register every 60
>     > >> seconds, and get challenged every hour with a new nonce.
>     > >>
>     > >> Comments on why OpenSIPS is challenging every other registration?
>     > >>
>     > >> Thanks
>     > >>
>     > >> -dg
>     > >
>     >
>     >
>     > ------------------------------------------------------------------------
>     >
>     > _______________________________________________
>     > Users mailing list
>     > [email protected]
>     > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>     >
>
>
>     --
>     Bogdan-Andrei Iancu
>     www.voice-system.ro
>


-- 
Bogdan-Andrei Iancu
www.voice-system.ro
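
Added example (not part of the original message and not OpenSIPS code): a toy Python model of the two cases in this thread, a retransmitted INVITE hitting a one-time nonce check with and without transaction state created first, and a new request reusing an already-used nonce. The class, the function names and the sample header values are hypothetical and constructed for illustration.

```python
# Added illustration: a toy model, not OpenSIPS code. All names are hypothetical.

class Proxy:
    def __init__(self, transaction_first):
        self.transaction_first = transaction_first
        self.used_nonces = set()    # nonces already accepted once
        self.transactions = set()   # requests that already have transaction state
        self.actions = []           # what the proxy did, in arrival order

    def handle(self, req):
        if self.transaction_first:
            # Models creating transaction state before authentication:
            # a retransmission matches the existing transaction and stops here.
            key = (req["branch"], req["call_id"], req["cseq"])
            if key in self.transactions:
                self.actions.append("absorbed")
                return
            self.transactions.add(key)
        nonce = req.get("nonce")
        if nonce is None:
            self.actions.append("challenge")        # no credentials
        elif nonce in self.used_nonces:
            self.actions.append("challenge-stale")  # nonce was already used once
        else:
            self.used_nonces.add(nonce)
            self.actions.append("forward")


def retransmitted_invite(transaction_first):
    """The same INVITE arrives twice before the first one has been answered."""
    invite = {"branch": "z9hG4bK-1", "call_id": "c1", "cseq": 1, "nonce": "n1"}
    proxy = Proxy(transaction_first)
    proxy.handle(invite)
    proxy.handle(dict(invite))  # retransmission: identical request
    return proxy.actions


def nonce_reused_by_new_request(transaction_first):
    """A new request (new branch and CSeq) presents the already-used nonce."""
    proxy = Proxy(transaction_first)
    proxy.handle({"branch": "z9hG4bK-1", "call_id": "c1", "cseq": 1, "nonce": "n1"})
    proxy.handle({"branch": "z9hG4bK-2", "call_id": "c1", "cseq": 2, "nonce": "n1"})
    return proxy.actions


if __name__ == "__main__":
    print(retransmitted_invite(False))
    print(retransmitted_invite(True))
    print(nonce_reused_by_new_request(True))
```

Creating transaction state first only changes the retransmission case; a new request that reuses the nonce is still reported as stale in both modes.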

