An update about my previous mail : I've tried to change the "disable_nonce_check" value, and set it to "0". The result is all the same, but there's a difference in the logs.
With *disable_nonce_check* set to *1* : > Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59128]: > DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", > nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M ' > Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: > DBG:auth:check_nonce: comparing [52c5766c16b60d6ea7ab8993aac7645275d32b03] > and [52c5766c4e6664d7e26e5799601c34086c63cd66] > Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: > DBG:auth:pre_auth: invalid nonce value received > Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: > DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", > nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M ' > Jan 2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]: > DBG:auth:pre_auth: stale nonce value received > Jan 2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]: > DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", > nonce="52c576918f68aa904540e6467d5a82697ba4b660", stale=true^M ' and with *disable_nonce_check* set to *0* : > Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: > DBG:auth:pre_auth: invalid nonce value received > Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: > DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1, index= 17 > Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: > DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", > nonce="52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e", stale=true^M ' > Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: > DBG:auth:pre_auth: invalid nonce value received > Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: > DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1, index= 18 > Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: > DBG:auth:build_auth_hf: nonce index= 18 > Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: > DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", > nonce="52c57e2800000012d49d9ee05dd12af13f29ed28bacffb06", stale=true^M ' It seems that the disable check nonce function doesn't completely disable the nonce checking, as there's still an inspection whatever is the value set. Thanks for your help, Kevin *Bien cordialement, Best Regards, **Kevin MATHY* | Ingénieur VoIP 2014/1/2 Kevin Mathy <[email protected]> > Hi List, > > I'm trying to make the SIP Registering working for my customers with two > Opensips 1.9 servers sharing the same DNS name. > > Here is a schematic : > > /=====> Registrar Server 1 > SIP Phone =====> Access SBC > \=====> Registrar Server 2 > > > I've got the same opensips.cfg on both servers, and here are some > interesting points of the config : > > loadmodule "auth_db.so" >> # ----- auth_db params ----- >> modparam("auth_db", "calculate_ha1", yes) >> modparam("auth_db", "use_domain", no) >> modparam("auth_db", "user_column", "username") >> modparam("auth_db", "password_column", "password") >> modparam("auth_db", "password_column_2", "ha1b") >> modparam("auth_db", >> "db_url","mysql://****************************************** ") >> modparam("auth_db", "load_credentials", "$avp(password)=password") >> >> # ----------------- module auth --------------- >> loadmodule "auth.so" >> # ----- auth params ----- >> modparam("auth","username_spec","$var(username)") >> modparam("auth","password_spec","$avp(password)") >> modparam("auth","calculate_ha1",1) >> *modparam("auth","disable_nonce_check", 1)* > > > > > > if (is_method("REGISTER")) >> { >> xlog("L_INFO","$ci -- New REGISTER received from $si with Contact >> : $ct\n"); >> >> if (!www_authorize("", "subscriber")) >> { >> if ($rc < 0) >> { >> switch ($rc) >> { >> case -5: >> xlog("L_INFO","$ci -- REGISTER Failed because of : >> Generic Error"); >> break; >> case -4: >> xlog("L_INFO","$ci -- REGISTER Failed because of : No >> Credentials"); >> break; >> case -3: >> xlog("L_INFO","$ci -- REGISTER Failed because of : >> Stale nonce"); >> break; >> case -2: >> xlog("L_INFO","$ci -- REGISTER Failed because of : >> Valid User but Wrong Password"); >> break; >> case -1: >> xlog("L_INFO","$ci -- REGISTER Failed because of : >> Invalid User"); >> break; >> } >> } >> www_challenge("", "0"); >> exit; >> } >> >> if (!save("location")) >> { >> xlog("L_INFO","$ci -- error with save_location from $au\n"); >> } >> else >> { >> xlog("L_INFO","$ci -- save_location is OK from $au\n"); >> } >> >> exit; >> } > > > > So, as you can see, I configured the auth module with > "disable_nonce_check" parameter, because of my "loadbalanced" architecture > as it's said in the documentation ( > http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250075) . > > But, when a SIP Phone tries to register, the first Register (without any > credentials) is sent to the 1st Registrar. It's answered with a 401 > Unauthorized containing a nonce. > Then, the 2nd Register (with credentials, and the previously given nonce) > is sent to the 2nd Registrar; but it's still answered with a 401. > > Thanks to the return code of www_authorize, I see that it's for the "Stale > Nonce" reason, even if "disable_nonce_check" is set to 1 ... > > Maybe there's a misconfiguration, or a bug; so, I need your help :-) > > Thanks a lot, > > > > *Bien cordialement, Best Regards, **Kevin MATHY* | Ingénieur VoIP > > --
_______________________________________________ Users mailing list [email protected] http://lists.opensips.org/cgi-bin/mailman/listinfo/users
