Hi Dovid,

Not really, as

(1) knowing the nonce is not enough to bypass auth - you need also the response token

(2) the nonces have a lifetime (they expire).

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com


On 02/13/2013 02:56 AM, Dovid Bender wrote:
Bogdan,

I had a look at:
http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250176
and I read what it said. Does this mean that anyone that knows my nonce can
make a call and get through to my OpenSipS or is it only an issue if we have
multiple boxes?

Regards,

Dovid


-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:[email protected]]
Sent: Tuesday, February 12, 2013 10:45
To: OpenSIPS users mailling list
Cc: Dovid Bender
Subject: Re: [OpenSIPS-Users] Why is OpenSipS sending a 407

Hi Dovid,

Because by default, the nonce re-usage is turned on in the auth module - which
means a nonce can be used for only a single auth processing! And in your
case, the same nonce is used in 2 auth cases.

What you can do:

1) make processing in script stateful, so that the second SUBSCRIBE will
be seen as a retransmission and will not hit the auth - use t_newtran()
before the auth part.

2) disable the check for nonce reusage - see
http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250176

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
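
The points made in the two replies above (a nonce alone does not authenticate, nonces expire, and a nonce is accepted for a single auth processing), sketched as an added Python example that is not OpenSIPS code and not part of the original thread. The `NonceAuth` class, its 30-second lifetime and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop, matching algorithm=MD5 in the trace.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class NonceAuth:
    """Hypothetical proxy-side checker: nonces expire and are single-use."""

    def __init__(self, realm, users, lifetime=30, one_time=True):
        self.realm, self.users = realm, users
        self.lifetime, self.one_time = lifetime, one_time
        self.expiry = {}   # nonce -> time after which it is rejected
        self.used = set()  # nonces already consumed by a successful auth

    def challenge(self, now):
        nonce = os.urandom(16).hex()
        self.expiry[nonce] = now + self.lifetime
        return nonce

    def check(self, user, method, uri, nonce, response, now):
        if nonce not in self.expiry or now > self.expiry[nonce]:
            return "407 unknown-or-expired-nonce"
        if self.one_time and nonce in self.used:
            return "407 nonce-reused"
        if user not in self.users:
            return "407 bad-response"
        expected = digest_response(user, self.realm, self.users[user], method, uri, nonce)
        if not hmac.compare_digest(expected, response):
            return "407 bad-response"
        self.used.add(nonce)
        return "200 authenticated"

def replay(one_time=True):
    # Constructed sample values, not taken from the trace in this thread.
    realm, uri = "example.test", "sip:1000@example.test"
    auth = NonceAuth(realm, {"alice": "constructed-secret"}, one_time=one_time)
    nonce = auth.challenge(now=0)
    good = digest_response("alice", realm, "constructed-secret", "SUBSCRIBE", uri, nonce)
    guess = digest_response("alice", realm, "wrong", "SUBSCRIBE", uri, nonce)
    return [
        auth.check("alice", "SUBSCRIBE", uri, nonce, guess, now=1),  # nonce known, secret not
        auth.check("alice", "SUBSCRIBE", uri, nonce, good, now=2),   # first authenticated request
        auth.check("alice", "SUBSCRIBE", uri, nonce, good, now=3),   # same request sent again
        auth.check("alice", "SUBSCRIBE", uri, nonce, good, now=31),  # after the nonce lifetime
    ]
```

`replay()` shows the resent request being challenged again, as in the trace below; `replay(one_time=False)` models the reuse check being disabled, where the resend passes until the nonce expires.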


On 02/11/2013 09:08 PM, Dovid Bender wrote:
Hi,

Our set up is this:
Client ->   OpenSipS ->   Custom BLF service (on port 5080).

In the DP we have:
                  if ( method == "MESSAGE" || method == "NOTIFY" ||
                       method == "SUBSCRIBE" || method == "UNSUBSCRIBE" ) {
                          rewritehostport( "127.0.0.1:5080" );
                          route( 2 );
                          exit;
                  }

Now we have some kind of issue with our BLF service where there is a delay
on the response from it. This causes the phone to send another SUBSCRIBE.
Here is what happens.

1) Phone (SUBSCRIBE) ->   OpenSips
2) Phone<- (407 with nonce) OpenSIpS
3) Phone (SUBSCRIBE WITH nonce) ->   OpenSips
4) OpenSips ->   Custom BLF service (port 5080)
There is no response and OpenSipS sends it again to port 5080
5) OpenSips ->   Custom BLF service (port 5080)
6) Phone (SUBSCRIBE WITH same nonce as earlier) ->   OpenSips
7) Phone<- (407 with NEW nonce) OpenSIpS
8) OpenSipS<- (100 trying) Custom BLF Service
9) OpenSIpS<- (200 OK) Custom BLF service
10) Phone<- (200 OK) OpenSiPS
It seems that #9 and #10 are a result of #3. My question is why, when the
phone sends the subscribe again in #6, does OpenSipS respond with a new nonce
and not wait or something else along those lines. Yes, I am using a really
old version, 1.4.4.

Please see an ngrep trace below.



U 2013/02/11 12:04:11.011210 67.198.80.143:22413 ->   203.144.218.9:5060
SUBSCRIBE sip:[email protected] SIP/2.0.
Via: SIP/2.0/UDP 10.0.0.102;branch=z9hG4bKbf285746A6088D1F.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:<sip:[email protected]>.
CSeq: 1 SUBSCRIBE.
Call-ID: [email protected].
Contact:<sip:[email protected]>.
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE,
NOTIFY,
PRACK, UPDATE, REFER.
Event: dialog.
User-Agent: PolycomSoundPointIP-SPIP_550-UA/3.3.3.0069.
Accept-Language: en.
Accept: application/dialog-info+xml.
Max-Forwards: 70.
Expires: 120.
Content-Length: 0.
.




U 2013/02/11 12:04:11.011693 203.144.218.9:5060 ->   67.198.80.143:22413
SIP/2.0 407 Proxy Authentication Required.
Via: SIP/2.0/UDP

10.0.0.102;branch=z9hG4bKbf285746A6088D1F;rport=22413;received=67.198.80.143
.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:

<sip:[email protected]>;tag=3cedc95538ff95eef7f88d49489ad924.2130
.
CSeq: 1 SUBSCRIBE.
Call-ID: [email protected].
Proxy-Authenticate: Digest realm="nyc-02.mydomain.net",
nonce="511924a900005c1ba157752dafbb90e3ea950be45fe6a055".
Server: PBX_MANAGER.
Content-Length: 0.
Warning: 392 203.144.218.9:5060 "Noisy feedback tells:  pid=12565
req_src_ip=67.198.80.143 req_src_port=22413
in_uri=sip:[email protected]
out_uri=sip:[email protected] via_cnt==1".
.




U 2013/02/11 12:04:11.036514 67.198.80.143:22413 ->   203.144.218.9:5060
SUBSCRIBE sip:[email protected] SIP/2.0.
Via: SIP/2.0/UDP 10.0.0.102;branch=z9hG4bKe11f68b965DEA98.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:<sip:[email protected]>.
CSeq: 2 SUBSCRIBE.
Call-ID: [email protected].
Contact:<sip:[email protected]>.
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE,
NOTIFY,
PRACK, UPDATE, REFER.
Event: dialog.
User-Agent: PolycomSoundPointIP-SPIP_550-UA/3.3.3.0069.
Accept-Language: en.
Accept: application/dialog-info+xml.
Proxy-Authorization: Digest username="51810401",
realm="nyc-02.mydomain.net",
nonce="511924a900005c1ba157752dafbb90e3ea950be45fe6a055",
uri="sip:[email protected]",
response="579c8a1809c8e4bc1d88c9b070185b11", algorithm=MD5.
Max-Forwards: 70.
Expires: 120.
Content-Length: 0.
.




U 2013/02/11 12:04:11.037479 203.144.218.9:5060 ->   127.0.0.1:5080
SUBSCRIBE sip:[email protected]:5080;transport=udp SIP/2.0.
Record-Route:<sip:203.144.218.9;lr=on;ftag=892B04F3-2D3963A0>.
Via: SIP/2.0/UDP 203.144.218.9;branch=z9hG4bK315.0ca86cc.0.
Via: SIP/2.0/UDP

10.0.0.102;rport=22413;received=67.198.80.143;branch=z9hG4bKe11f68b965DEA98.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:<sip:[email protected]>.
CSeq: 2 SUBSCRIBE.
Call-ID: [email protected].
Contact:<sip:[email protected]:22413>.
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE,
NOTIFY,
PRACK, UPDATE, REFER.
Event: dialog.
User-Agent: PolycomSoundPointIP-SPIP_550-UA/3.3.3.0069.
Accept-Language: en.
Accept: application/dialog-info+xml.
Proxy-Authorization: Digest username="51810401",
realm="nyc-02.mydomain.net",
nonce="511924a900005c1ba157752dafbb90e3ea950be45fe6a055",
uri="sip:[email protected]",
response="579c8a1809c8e4bc1d88c9b070185b11", algorithm=MD5.
Max-Forwards: 69.
Expires: 120.
Content-Length: 0.
X-Enswitch-RURI: sip:[email protected].
X-Enswitch-Source: 67.198.80.143:22413.
.




U 2013/02/11 12:04:11.528263 203.144.218.9:5060 ->   127.0.0.1:5080
SUBSCRIBE sip:[email protected]:5080;transport=udp SIP/2.0.
Record-Route:<sip:203.144.218.9;lr=on;ftag=892B04F3-2D3963A0>.
Via: SIP/2.0/UDP 203.144.218.9;branch=z9hG4bK315.0ca86cc.0.
Via: SIP/2.0/UDP

10.0.0.102;rport=22413;received=67.198.80.143;branch=z9hG4bKe11f68b965DEA98.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:<sip:[email protected]>.
CSeq: 2 SUBSCRIBE.
Call-ID: [email protected].
Contact:<sip:[email protected]:22413>.
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE,
NOTIFY,
PRACK, UPDATE, REFER.
Event: dialog.
User-Agent: PolycomSoundPointIP-SPIP_550-UA/3.3.3.0069.
Accept-Language: en.
Accept: application/dialog-info+xml.
Proxy-Authorization: Digest username="51810401",
realm="nyc-02.mydomain.net",
nonce="511924a900005c1ba157752dafbb90e3ea950be45fe6a055",
uri="sip:[email protected]",
response="579c8a1809c8e4bc1d88c9b070185b11", algorithm=MD5.
Max-Forwards: 69.
Expires: 120.
Content-Length: 0.
X-Enswitch-RURI: sip:[email protected].
X-Enswitch-Source: 67.198.80.143:22413.
.




U 2013/02/11 12:04:11.615394 67.198.80.143:22413 ->   203.144.218.9:5060
SUBSCRIBE sip:[email protected] SIP/2.0.
Via: SIP/2.0/UDP 10.0.0.102;branch=z9hG4bKe11f68b965DEA98.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:<sip:[email protected]>.
CSeq: 2 SUBSCRIBE.
Call-ID: [email protected].
Contact:<sip:[email protected]>.
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE,
NOTIFY,
PRACK, UPDATE, REFER.
Event: dialog.
User-Agent: PolycomSoundPointIP-SPIP_550-UA/3.3.3.0069.
Accept-Language: en.
Accept: application/dialog-info+xml.
Proxy-Authorization: Digest username="51810401",
realm="nyc-02.mydomain.net",
nonce="511924a900005c1ba157752dafbb90e3ea950be45fe6a055",
uri="sip:[email protected]",
response="579c8a1809c8e4bc1d88c9b070185b11", algorithm=MD5.
Max-Forwards: 70.
Expires: 120.
Content-Length: 0.
.




U 2013/02/11 12:04:11.615986 203.144.218.9:5060 ->   67.198.80.143:22413
SIP/2.0 407 Proxy Authentication Required.
Via: SIP/2.0/UDP

10.0.0.102;branch=z9hG4bKe11f68b965DEA98;rport=22413;received=67.198.80.143.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:

<sip:[email protected]>;tag=3cedc95538ff95eef7f88d49489ad924.aec3
.
CSeq: 2 SUBSCRIBE.
Call-ID: [email protected].
Proxy-Authenticate: Digest realm="nyc-02.mydomain.net",
nonce="511924a900005c69243e513a5c63be6043071b3f968afd87".
Server: PBX_MANAGER.
Content-Length: 0.
Warning: 392 203.144.218.9:5060 "Noisy feedback tells:  pid=12566
req_src_ip=67.198.80.143 req_src_port=22413
in_uri=sip:[email protected]
out_uri=sip:[email protected] via_cnt==1".
.




U 2013/02/11 12:04:11.809258 127.0.0.1:5080 ->   203.144.218.9:5060
SIP/2.0 100 Trying.
Via: SIP/2.0/UDP 203.144.218.9;branch=z9hG4bK315.0ca86cc.0.
Via: SIP/2.0/UDP

10.0.0.102;rport=22413;received=67.198.80.143;branch=z9hG4bKe11f68b965DEA98.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:<sip:[email protected]>.
Call-ID: [email protected].
CSeq: 2 SUBSCRIBE.
User-Agent: Enswitch SIP server.
Content-Length: 0.
.




U 2013/02/11 12:04:11.818491 127.0.0.1:5080 ->   203.144.218.9:5060
SIP/2.0 200 OK.
Via: SIP/2.0/UDP 203.144.218.9;branch=z9hG4bK315.0ca86cc.0.
Via: SIP/2.0/UDP

10.0.0.102;rport=22413;received=67.198.80.143;branch=z9hG4bKe11f68b965DEA98.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:<sip:[email protected]>;tag=13606022516209.
Call-ID: [email protected].
CSeq: 2 SUBSCRIBE.
Expires: 120.
Contact:<sip:[email protected]>.
User-Agent: Enswitch SIP server.
Content-Length: 0.
.




U 2013/02/11 12:04:11.818654 203.144.218.9:5060 ->   67.198.80.143:22413
SIP/2.0 200 OK.
Via: SIP/2.0/UDP

10.0.0.102;rport=22413;received=67.198.80.143;branch=z9hG4bKe11f68b965DEA98.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:<sip:[email protected]>;tag=13606022516209.
Call-ID: [email protected].
CSeq: 2 SUBSCRIBE.
Expires: 120.
Contact:<sip:[email protected]>.
User-Agent: Enswitch SIP server.
Content-Length: 0.
.




U 2013/02/11 12:04:11.841756 203.144.218.9:46866 ->   203.144.218.9:5060
NOTIFY sip:[email protected]:5060 SIP/2.0.
Via: SIP/2.0/UDP 127.0.0.1.
From:<sip:[email protected]>;tag=13606022516209.
To:<sip:[email protected]>;tag=892B04F3-2D3963A0.
Contact:<sip:[email protected]>.
Call-ID: [email protected].
CSeq: 480931435 NOTIFY.
User-Agent: Enswitch presence server.
Event: dialog.
Subscription-State: active;expires=119.
Content-Type: application/dialog-info+xml.
Content-Length: 379.
.
<?xml version="1.0" encoding="UTF-8"?>
<dialog-info xmlns="urn:ietf:params:xml:ns:dialog-info" version="0"
state="full" entity="sip:[email protected]">
<dialog id="51810401" direction="recipient">
<state>terminated</state>
<local>
<identity>sip:[email protected]</identity>
</local>
<remote>
<identity></identity>
</remote>
</dialog>
</dialog-info>




U 2013/02/11 12:04:11.842822 203.144.218.9:5060 ->   67.198.80.143:22413
NOTIFY sip:[email protected] SIP/2.0.
Max-Forwards: 10.
Record-Route:<sip:203.144.218.9;lr=on;ftag=13606022516209>.
Via: SIP/2.0/UDP 203.144.218.9;branch=z9hG4bK0509.b94f1f21.0.
Via: SIP/2.0/UDP 127.0.0.1;rport=46866;received=203.144.218.9.
From:<sip:[email protected]>;tag=13606022516209.
To:<sip:[email protected]>;tag=892B04F3-2D3963A0.
Contact:<sip:[email protected]>.
Call-ID: [email protected].
CSeq: 480931435 NOTIFY.
User-Agent: Enswitch presence server.
Event: dialog.
Subscription-State: active;expires=119.
Content-Type: application/dialog-info+xml.
Content-Length: 379.
X-Enswitch-RURI: sip:[email protected]:5060.
X-Enswitch-Source: 203.144.218.9:46866.
.
<?xml version="1.0" encoding="UTF-8"?>
<dialog-info xmlns="urn:ietf:params:xml:ns:dialog-info" version="0"
state="full" entity="sip:[email protected]">
<dialog id="51810401" direction="recipient">
<state>terminated</state>
<local>
<identity>sip:[email protected]</identity>
</local>
<remote>
<identity></identity>
</remote>
</dialog>
</dialog-info>




U 2013/02/11 12:04:11.865256 67.198.80.143:22413 ->   203.144.218.9:5060
SIP/2.0 481 Call Leg/Transaction Does Not Exist.
Via: SIP/2.0/UDP 203.144.218.9;branch=z9hG4bK0509.b94f1f21.0.
Via: SIP/2.0/UDP 127.0.0.1;rport=46866;received=203.144.218.9.
From:<sip:[email protected]>;tag=13606022516209.
To:<sip:[email protected]>;tag=892B04F3-2D3963A0.
CSeq: 480931435 NOTIFY.
Call-ID: [email protected].
Record-Route:<sip:203.144.218.9;lr=on;ftag=13606022516209>.
Event: dialog.
User-Agent: PolycomSoundPointIP-SPIP_550-UA/3.3.3.0069.
Accept-Language: en.
Content-Length: 0.
.




U 2013/02/11 12:04:11.865428 203.144.218.9:5060 ->   203.144.218.9:46866
SIP/2.0 481 Call Leg/Transaction Does Not Exist.
Via: SIP/2.0/UDP 127.0.0.1;rport=46866;received=203.144.218.9.
From:<sip:[email protected]>;tag=13606022516209.
To:<sip:[email protected]>;tag=892B04F3-2D3963A0.
CSeq: 480931435 NOTIFY.
Call-ID: [email protected].
Record-Route:<sip:203.144.218.9;lr=on;ftag=13606022516209>.
Event: dialog.
User-Agent: PolycomSoundPointIP-SPIP_550-UA/3.3.3.0069.
Accept-Language: en.
Content-Length: 0.
.




U 2013/02/11 12:04:12.271287 127.0.0.1:5080 ->   203.144.218.9:5060
SIP/2.0 100 Trying.
Via: SIP/2.0/UDP 203.144.218.9;branch=z9hG4bK315.0ca86cc.0.
Via: SIP/2.0/UDP

10.0.0.102;rport=22413;received=67.198.80.143;branch=z9hG4bKe11f68b965DEA98.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:<sip:[email protected]>.
Call-ID: [email protected].
CSeq: 2 SUBSCRIBE.
User-Agent: Enswitch SIP server.
Content-Length: 0.
.




U 2013/02/11 12:04:12.279134 127.0.0.1:5080 ->   203.144.218.9:5060
SIP/2.0 200 OK.
Via: SIP/2.0/UDP 203.144.218.9;branch=z9hG4bK315.0ca86cc.0.
Via: SIP/2.0/UDP

10.0.0.102;rport=22413;received=67.198.80.143;branch=z9hG4bKe11f68b965DEA98.
From: "John Doe"<sip:[email protected]>;tag=892B04F3-2D3963A0.
To:<sip:[email protected]>;tag=13606022526514.
Call-ID: [email protected].
CSeq: 2 SUBSCRIBE.
Expires: 120.
Contact:<sip:[email protected]>.
User-Agent: Enswitch SIP server.
Content-Length: 0.
.




U 2013/02/11 12:04:12.299347 203.144.218.9:35600 ->   203.144.218.9:5060
NOTIFY sip:[email protected]:5060 SIP/2.0.
Via: SIP/2.0/UDP 127.0.0.1.
From:<sip:[email protected]>;tag=13606022526514.
To:<sip:[email protected]>;tag=892B04F3-2D3963A0.
Contact:<sip:[email protected]>.
Call-ID: [email protected].
CSeq: 480931448 NOTIFY.
User-Agent: Enswitch presence server.
Event: dialog.
Subscription-State: active;expires=119.
Content-Type: application/dialog-info+xml.
Content-Length: 379.
.
<?xml version="1.0" encoding="UTF-8"?>
<dialog-info xmlns="urn:ietf:params:xml:ns:dialog-info" version="0"
state="full" entity="sip:[email protected]">
<dialog id="51810401" direction="recipient">
<state>terminated</state>
<local>
<identity>sip:[email protected]</identity>
</local>
<remote>
<identity></identity>
</remote>
</dialog>
</dialog-info>




U 2013/02/11 12:04:12.300172 203.144.218.9:5060 ->   67.198.80.143:22413
NOTIFY sip:[email protected] SIP/2.0.
Max-Forwards: 10.
Record-Route:<sip:203.144.218.9;lr=on;ftag=13606022526514>.
Via: SIP/2.0/UDP 203.144.218.9;branch=z9hG4bK9509.edab2244.0.
Via: SIP/2.0/UDP 127.0.0.1;rport=35600;received=203.144.218.9.
From:<sip:[email protected]>;tag=13606022526514.
To:<sip:[email protected]>;tag=892B04F3-2D3963A0.
Contact:<sip:[email protected]>.
Call-ID: [email protected].
CSeq: 480931448 NOTIFY.
User-Agent: Enswitch presence server.
Event: dialog.
Subscription-State: active;expires=119.
Content-Type: application/dialog-info+xml.
Content-Length: 379.
X-Enswitch-RURI: sip:[email protected]:5060.
X-Enswitch-Source: 203.144.218.9:35600.
.
<?xml version="1.0" encoding="UTF-8"?>
<dialog-info xmlns="urn:ietf:params:xml:ns:dialog-info" version="0"
state="full" entity="sip:[email protected]">
<dialog id="51810401" direction="recipient">
<state>terminated</state>
<local>
<identity>sip:[email protected]</identity>
</local>
<remote>
<identity></identity>
</remote>
</dialog>
</dialog-info>




U 2013/02/11 12:04:12.321247 67.198.80.143:22413 ->   203.144.218.9:5060
SIP/2.0 481 Call Leg/Transaction Does Not Exist.
Via: SIP/2.0/UDP 203.144.218.9;branch=z9hG4bK9509.edab2244.0.
Via: SIP/2.0/UDP 127.0.0.1;rport=35600;received=203.144.218.9.
From:<sip:[email protected]>;tag=13606022526514.
To:<sip:[email protected]>;tag=892B04F3-2D3963A0.
CSeq: 480931448 NOTIFY.
Call-ID: [email protected].
Record-Route:<sip:203.144.218.9;lr=on;ftag=13606022526514>.
Event: dialog.
User-Agent: PolycomSoundPointIP-SPIP_550-UA/3.3.3.0069.
Accept-Language: en.
Content-Length: 0.
.




U 2013/02/11 12:04:12.321354 203.144.218.9:5060 ->   203.144.218.9:35600
SIP/2.0 481 Call Leg/Transaction Does Not Exist.
Via: SIP/2.0/UDP 127.0.0.1;rport=35600;received=203.144.218.9.
From:<sip:[email protected]>;tag=13606022526514.
To:<sip:[email protected]>;tag=892B04F3-2D3963A0.
CSeq: 480931448 NOTIFY.
Call-ID: [email protected].
Record-Route:<sip:203.144.218.9;lr=on;ftag=13606022526514>.
Event: dialog.
User-Agent: PolycomSoundPointIP-SPIP_550-UA/3.3.3.0069.
Accept-Language: en.
Content-Length: 0.



_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

