Hi, I have been debugging an issue with a particularly intermittent fault and wanted to get some clarification.
Just like the subject says, it's a story about a Stateless Registrar, a UAC Retransmitting a Registration, and a Nonce policy. Basically:

1. Client (UAC) sends REGISTER to Server (UAS)
2. UAS responds with 401 Unauthorised, but includes a WWW-Authenticate header with Realm and Nonce
3. Using the Realm, Nonce and user-supplied Username and Password, a Response is generated and sent to the UAS
4. UAS checks the response and:
   4.1 It'll check the Nonce – and yes it is valid
   4.2 It'll query its database <- let's presume this takes a second or two
5. UAC then retransmits the packet from step 3
6. UAS finally gets results from the database
   6.1 Invalidates the Nonce (can't be used again)
   6.2 Responds with 200 OK
7. UAS receives the retransmitted REGISTER
   7.1 It'll check the Nonce – it is NOT valid
   7.2 Responds with 401 Unauthorised

An example of this, created with Net::SIP to reproduce the error, is available:
http://blog.teambrad.net/wp-content/uploads/2010/10/opensips-registration-nonce-retransmission-example.txt

This issue had been discussed before on this list; I don't have the exact conversation, however, the advice seemed to be "make the proxy stateful".

Looking at this, the flow looks relatively normal: step 6.2 results in a 200 OK, but step 5 was a retransmission. Because the Nonce was invalidated, the retransmitted packet now has an invalid nonce (7.1) and this results in a 401 Unauthorised with a new nonce (7.2). But the packet in 7.2 does not contain the parameter 'stale="true"', causing the UAC to assume that the credentials are wrong, and it won't re-authenticate.

How can I ensure OpenSIPS (oh, I'm using 1.5.3 btw) sets the stale="true" flag? I am quite new to OpenSIPS in production, so it could very well be my configuration.
--- Some relevant snippets of code: ---

loadmodule "registrar.so"
modparam("registrar", "default_expires", 3600)
modparam("registrar", "min_expires", 60)
modparam("registrar", "max_expires", 0)
modparam("registrar", "path_mode", 1)
modparam("registrar", "received_avp", "$avp(i:801)")
modparam("registrar", "sock_flag", 18)
modparam("registrar", "sock_hdr_name", "Local-Sock")
modparam("registrar", "use_path", 1)

loadmodule "db_mysql.so"
modparam("db_mysql", "ping_interval", 300)

loadmodule "auth.so"
modparam("auth", "nonce_expire", 300)
modparam("auth", "rpid_suffix", ";party=calling;id-type=subscriber;screen=yes")
modparam("auth", "rpid_avp", "$avp(s:rpid)")

loadmodule "auth_db.so"
modparam("auth_db", "db_url", "mysql://user:p...@db/opensips")
modparam("auth_db", "user_column", "username")
modparam("auth_db", "domain_column", "domain")
modparam("auth_db", "password_column", "password")
modparam("auth_db", "password_column_2", "ha1b")
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "use_domain", 0)
modparam("auth_db", "load_credentials", "$avp(s:caller_uuid)=uuid")

---

if(is_method("REGISTER")) {
    route(11);
}

---

route[11] {
    # Fix NATed contacts unless the client is unregistering everything (Contact: *)
    if(!search("^Contact:[ ]*\*") && nat_uac_test("19")) {
        fix_nated_register();
        setbflag(6);
    }

    if(!www_authorize("", "subscriber")) {
        #xlog("L_INFO", "Register authentication failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
        www_challenge("", "0");
        exit;
    }

    if(!check_to()) {
        xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
        sl_send_reply("403", "Spoofed To-URI Detected");
        exit;
    }

    consume_credentials();

    if(!save("location")) {
        xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
        sl_reply_error();
        exit;
    }
    exit;
}

--
Bradley Falzon
[email protected]

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
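To make the race in the post concrete, here is an added example (Python; not part of the original message and not OpenSIPS code) that models a stateless registrar with a single-use Digest nonce policy. It reproduces the failure mode (retransmitted REGISTER gets 401 without stale=true), then shows the two remedies the thread mentions: answering stale="true" when the digest verifies but the nonce is spent or expired, and keeping transaction state so a retransmission is answered with the stored 200 OK. The class and function names, the self-validating nonce layout (hex timestamp plus a truncated HMAC), and the subscriber alice/s3cret are all constructed for this illustration. The model replays the retransmission after the 200 OK rather than concurrently with the database lookup; for a stateless server the outcome is the same, since the nonce is already burnt when the duplicate is processed.

```python
"""Added example: a toy Digest-auth registrar with single-use nonces, showing why a
retransmitted REGISTER is rejected and how stale=true or transaction state fixes it.
Names and data below are assumptions for the illustration, not OpenSIPS internals."""
import hashlib
import hmac
import os

REALM = "example.com"
USERS = {"alice": "s3cret"}  # constructed test subscriber, not real credentials


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop: response = MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    def __init__(self, realm, users, set_stale=True, stateful=False, nonce_expire=300):
        self.realm, self.users = realm, users
        self.set_stale = set_stale      # False reproduces the behaviour described in the post
        self.stateful = stateful        # True: remember final replies and absorb retransmissions
        self.nonce_expire = nonce_expire
        self.key = os.urandom(32)       # server secret that makes nonces self-validating
        self.used = set()               # single-use nonce policy
        self.tx_cache = {}              # (call_id, cseq) -> stored final reply

    def make_nonce(self, now):
        ts = f"{int(now):08x}"
        mac = hmac.new(self.key, ts.encode(), "sha256").hexdigest()[:32]
        return ts + mac

    def nonce_age(self, nonce, now):
        """Seconds since issue if the nonce carries our MAC, else None (forged/foreign)."""
        ts, mac = nonce[:8], nonce[8:]
        good = hmac.new(self.key, ts.encode(), "sha256").hexdigest()[:32]
        if not hmac.compare_digest(mac, good):
            return None
        return now - int(ts, 16)

    def challenge(self, now, stale):
        return {"status": 401, "nonce": self.make_nonce(now), "stale": stale}

    def handle(self, req, now):
        key = (req["call_id"], req["cseq"])
        if self.stateful and key in self.tx_cache:
            return self.tx_cache[key]   # retransmission: resend the reply already given
        reply = self._authorize(req, now)
        if self.stateful:
            self.tx_cache[key] = reply
        return reply

    def _authorize(self, req, now):
        auth = req.get("auth")
        if auth is None:
            return self.challenge(now, stale=False)
        age = self.nonce_age(auth["nonce"], now)
        pwd = self.users.get(auth["username"])
        if age is None or pwd is None:
            return self.challenge(now, stale=False)
        expected = digest_response(auth["username"], self.realm, pwd,
                                   req["method"], req["uri"], auth["nonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return self.challenge(now, stale=False)       # genuinely wrong credentials
        if age > self.nonce_expire or auth["nonce"] in self.used:
            # Digest is right, only the nonce is unusable: this is the stale=true case
            return self.challenge(now, stale=self.set_stale)
        self.used.add(auth["nonce"])
        return {"status": 200}


def uac_will_retry(reply):
    """A UAC re-authenticates on a 401 only when stale=true; otherwise it assumes bad password."""
    return reply["status"] == 401 and reply.get("stale", False)


def run_scenario(set_stale, stateful):
    """Returns (status of authenticated REGISTER, status of its retransmission, UAC retries?)."""
    srv = Registrar(REALM, USERS, set_stale=set_stale, stateful=stateful)
    req = {"method": "REGISTER", "uri": "sip:example.com", "call_id": "c1", "cseq": 1}
    first = srv.handle(req, now=1000)                      # steps 1-2: 401 with fresh nonce
    req["cseq"] = 2                                        # step 3: new CSeq, credentials added
    req["auth"] = {"username": "alice", "nonce": first["nonce"],
                   "response": digest_response("alice", REALM, "s3cret",
                                               "REGISTER", "sip:example.com", first["nonce"])}
    ok = srv.handle(req, now=1001)                         # steps 4-6: 200 OK, nonce burnt
    retrans = srv.handle(dict(req), now=1002)              # steps 5/7: identical packet again
    return ok["status"], retrans["status"], uac_will_retry(retrans)


if __name__ == "__main__":
    print("no stale flag, stateless:", run_scenario(False, False))  # (200, 401, False)
    print("stale flag, stateless:   ", run_scenario(True, False))   # (200, 401, True)
    print("transaction-stateful:    ", run_scenario(True, True))    # (200, 200, False)
```

The ordering of checks in _authorize is the security-relevant part: stale=true is only sent after the digest has verified against the old nonce, so a forged nonce or a wrong password still gets a plain 401 and the client cannot be talked into an unbounded re-authentication loop, while a correct client whose nonce was merely consumed by its own retransmission is told to try again. The stateful variant sidesteps the question entirely by answering the duplicate with the 200 OK it already sent, which is what "make the proxy stateful" achieves.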
