Theoretically I agree that disable_nonce_check should take care of the stale nonce problem, but in practice (using opensips 1.8.x), I observed that reducing nonce_expire actually works. So set nonce_expire to about 5 seconds and try again.

Also make sure to:

1. Use the same db backend for both opensips servers.
2. Use a reasonable DNS expiry, e.g. at least 300 seconds.

I recommend enforcing registration expiry just under DNS expiry (typically DNS expiry - 5 seconds), so the user re-registers with the same server it started up with.

Whether it works or not, you should open a ticket in the bug tracker so this behavior is corrected.

Thank you.

On Thu, Jan 2, 2014 at 4:08 PM, Kevin Mathy <[email protected]> wrote:

> An update about my previous mail:
>
> I've tried to change the "disable_nonce_check" value, and set it to "0".
> The result is all the same, but there's a difference in the logs.
>
> With *disable_nonce_check* set to *1*:
>
>> Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59128]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '
>> Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:check_nonce: comparing [52c5766c16b60d6ea7ab8993aac7645275d32b03] and [52c5766c4e6664d7e26e5799601c34086c63cd66]
>> Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:pre_auth: invalid nonce value received
>> Jan 2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '
>> Jan 2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:pre_auth: stale nonce value received
>> Jan 2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c576918f68aa904540e6467d5a82697ba4b660", stale=true^M '
>
> and with *disable_nonce_check* set to *0*:
>
>> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:pre_auth: invalid nonce value received
>> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1, index= 17
>> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e", stale=true^M '
>> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:pre_auth: invalid nonce value received
>> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1, index= 18
>> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:build_auth_hf: nonce index= 18
>> Jan 2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c57e2800000012d49d9ee05dd12af13f29ed28bacffb06", stale=true^M '
>
> It seems that the disable check nonce function doesn't completely disable
> the nonce checking, as there's still an inspection whatever is the value
> set.
>
> Thanks for your help,
>
> Kevin
>
> *Best Regards, Kevin MATHY* | VoIP Engineer
>
> 2014/1/2 Kevin Mathy <[email protected]>
>
>> Hi List,
>>
>> I'm trying to make the SIP Registering working for my customers with two
>> Opensips 1.9 servers sharing the same DNS name.
>>
>> Here is a schematic:
>>
>>                              /=====> Registrar Server 1
>> SIP Phone =====> Access SBC
>>                              \=====> Registrar Server 2
>>
>> I've got the same opensips.cfg on both servers, and here are some
>> interesting points of the config:
>>
>>> loadmodule "auth_db.so"
>>> # ----- auth_db params -----
>>> modparam("auth_db", "calculate_ha1", yes)
>>> modparam("auth_db", "use_domain", no)
>>> modparam("auth_db", "user_column", "username")
>>> modparam("auth_db", "password_column", "password")
>>> modparam("auth_db", "password_column_2", "ha1b")
>>> modparam("auth_db", "db_url","mysql://****************************************** ")
>>> modparam("auth_db", "load_credentials", "$avp(password)=password")
>>>
>>> # ----------------- module auth ---------------
>>> loadmodule "auth.so"
>>> # ----- auth params -----
>>> modparam("auth","username_spec","$var(username)")
>>> modparam("auth","password_spec","$avp(password)")
>>> modparam("auth","calculate_ha1",1)
>>> modparam("auth","disable_nonce_check", 1)
>>
>>> if (is_method("REGISTER"))
>>> {
>>>     xlog("L_INFO","$ci -- New REGISTER received from $si with Contact : $ct\n");
>>>
>>>     if (!www_authorize("", "subscriber"))
>>>     {
>>>         if ($rc < 0)
>>>         {
>>>             switch ($rc)
>>>             {
>>>                 case -5:
>>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Generic Error");
>>>                     break;
>>>                 case -4:
>>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : No Credentials");
>>>                     break;
>>>                 case -3:
>>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Stale nonce");
>>>                     break;
>>>                 case -2:
>>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Valid User but Wrong Password");
>>>                     break;
>>>                 case -1:
>>>                     xlog("L_INFO","$ci -- REGISTER Failed because of : Invalid User");
>>>                     break;
>>>             }
>>>         }
>>>         www_challenge("", "0");
>>>         exit;
>>>     }
>>>
>>>     if (!save("location"))
>>>     {
>>>         xlog("L_INFO","$ci -- error with save_location from $au\n");
>>>     }
>>>     else
>>>     {
>>>         xlog("L_INFO","$ci -- save_location is OK from $au\n");
>>>     }
>>>
>>>     exit;
>>> }
>>
>> So, as you can see, I configured the auth module with the
>> "disable_nonce_check" parameter, because of my "loadbalanced" architecture,
>> as it's said in the documentation
>> (http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250075).
>>
>> But, when a SIP Phone tries to register, the first Register (without any
>> credentials) is sent to the 1st Registrar. It's answered with a 401
>> Unauthorized containing a nonce.
>> Then, the 2nd Register (with credentials, and the previously given nonce)
>> is sent to the 2nd Registrar; but it's still answered with a 401.
>>
>> Thanks to the return code of www_authorize, I see that it's for the
>> "Stale Nonce" reason, even if "disable_nonce_check" is set to 1 ...
>>
>> Maybe there's a misconfiguration, or a bug; so, I need your help :-)
>>
>> Thanks a lot,
>>
>> *Best Regards, Kevin MATHY* | VoIP Engineer
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

--
Best regards,
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: [email protected]
Email: [email protected]
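
Added example (not part of either poster's message and not OpenSIPS code): a small Python helper that takes the nonces from the debug lines quoted in the thread and splits them into fields, to show which part differs between the two values in the `check_nonce` comparison. The field layout (8 hex characters of Unix expiry time, an optional 8 hex characters of index, then a 32 hex character hash) is an assumption inferred from those log lines, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: message parts of three debug lines quoted in the thread.
SAMPLE_LOG = """\
DBG:auth:check_nonce: comparing [52c5766c16b60d6ea7ab8993aac7645275d32b03] and [52c5766c4e6664d7e26e5799601c34086c63cd66]
DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e", stale=true
DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c57e2800000012d49d9ee05dd12af13f29ed28bacffb06", stale=true
"""

def decode_nonce(nonce):
    """Split a nonce using the ASSUMED layout:
    expiry (8 hex) + optional index (8 hex) + hash (32 hex)."""
    if not re.fullmatch(r"[0-9a-f]+", nonce) or len(nonce) not in (40, 48):
        raise ValueError("unexpected nonce format: %r" % nonce)
    expires = int(nonce[:8], 16)
    when = datetime.fromtimestamp(expires, timezone.utc)
    return {
        "expires": expires,
        "expires_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        # The index field is only present in the 48-character form.
        "index": int(nonce[8:16], 16) if len(nonce) == 48 else None,
        "digest": nonce[-32:],
    }

def compare_nonces(first, second):
    """Report which part of two nonces differs."""
    a, b = decode_nonce(first), decode_nonce(second)
    if a["expires"] != b["expires"] or a["index"] != b["index"]:
        return "header-differs"
    return "same" if a["digest"] == b["digest"] else "hash-differs"

def analyze(log):
    """Return (comparison results, decoded issued nonces) for a debug log."""
    pairs = re.findall(
        r"check_nonce: comparing \[([0-9a-f]+)\] and \[([0-9a-f]+)\]", log)
    issued = re.findall(r'nonce="([0-9a-f]+)"', log)
    return ([compare_nonces(x, y) for x, y in pairs],
            [decode_nonce(n) for n in issued])

if __name__ == "__main__":
    results, issued = analyze(SAMPLE_LOG)
    print(results)
    for d in issued:
        print(d)
```

On the quoted logs the two compared nonces carry the same expiry prefix and differ only in the hash portion, and the index fields decode to 17 and 18, matching the `reserve_nonce_index` lines.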
