Auth parameter disable_nonce_check not working as expected


Auth parameter disable_nonce_check not working as expected

Robert Dyck

Using opensips 2.3.2 compiled from source

 

I have a buggy UA that insists on reusing a stale nonce. I tried to work around it by setting disable_nonce_check. It didn't work for me. Am I misunderstanding the purpose of the parameter or is this an opensips bug?

 

Jan  8 09:46:19 [11380] DBG:core:set_mod_param_regex: found <disable_nonce_check> in module auth [/usr/lib64/opensips/modules/]

Rob


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: Auth parameter disable_nonce_check not working as expected

Bogdan-Andrei Iancu-2
Hi Rob,

A "reused" and a "stale" nonce are different things. A reused one means that the same nonce is to be used for multiple auth attempts. A stale nonce means the nonce (used or not) is rejected as it is too old (relative to the time when the nonce was generated by the server).

Of course, the stale check is performed first (and mandatory). After that (according to the disable_nonce_check option) the nonce re-usage is checked.

Regards,
Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  http://www.opensips-solutions.com
OpenSIPS Summit 2018
  http://www.opensips.org/events/Summit-2018Amsterdam
On 01/08/2018 08:36 PM, Robert Dyck wrote:

> Using opensips 2.3.2 compiled from source
>
> I have a buggy UA that insists on reusing a stale nonce. I tried to work around it by setting disable_nonce_check. It didn't work for me. Am I misunderstanding the purpose of the parameter or is this an opensips bug?
>
> Jan  8 09:46:19 [11380] DBG:core:set_mod_param_regex: found <disable_nonce_check> in module auth [/usr/lib64/opensips/modules/]
>
> Rob




Re: Auth parameter disable_nonce_check not working as expected

Robert Dyck
Let me rephrase. The UA receives a 401 message from opensips. The nonce is
reported as stale. The UA attempts again to register using the same nonce as
previously. On and on. I calculated the digest myself and it is correct for
the stale nonce. My thinking is that if opensips ignored the fact that the
nonce has expired then register should succeed.

On Tuesday, January 9, 2018 6:39:04 AM PST Bogdan-Andrei Iancu wrote:

> Hi Rob,
>
> A "reused" and a "stale" nonce are different things. A reused one means
> that the same nonce is to be used for multiple auth attempts. A stale nonce
> means the nonce (used or not) is rejected as it is too old (relative to
> the time when the nonce was generated by the server).
>
> Of course, the stale check is performed first (and mandatory). After that
> (according to the disable_nonce_check option) the nonce re-usage is checked.
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>    http://www.opensips-solutions.com
> OpenSIPS Summit 2018
>    http://www.opensips.org/events/Summit-2018Amsterdam

Re: Auth parameter disable_nonce_check not working as expected

Bogdan-Andrei Iancu-2
Hi Robert,

Yes, it is exactly what I understood :). Again, if the nonce is expired
(too old - see nonce_expire -
http://www.opensips.org/html/docs/modules/2.3.x/auth.html#idp185504),
there is no way to force its acceptance. OpenSIPS will reject it as
stale (even if there is a correct auth answer).

The disable_nonce_check parameter
(http://www.opensips.org/html/docs/modules/2.3.x/auth.html#idp5552944)
is exclusively for nonce re-usage.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   http://www.opensips-solutions.com
OpenSIPS Summit 2018
   http://www.opensips.org/events/Summit-2018Amsterdam

On 01/09/2018 05:53 PM, Robert Dyck wrote:

> Let me rephrase. The UA receives a 401 message from opensips. The nonce is
> reported as stale. The UA attempts again to register using the same nonce as
> previously. On and on. I calculated the digest myself and it is correct for
> the stale nonce. My thinking is that if opensips ignored the fact that the
> nonce has expired then register should succeed.

Re: Auth parameter disable_nonce_check not working as expected

Robert Dyck
I have to accept that I cannot work around the UA's bug. A strange bug that
only manifests itself after an hour or so. The servers say the nonce is stale
when in fact the UA presents a nonce of its own invention even changing the
number of characters in the nonce.

Thank you for your time
Rob

On Wednesday, January 10, 2018 1:14:22 AM PST Bogdan-Andrei Iancu wrote:

> Hi Robert,
>
> Yes, it is exactly what I understood :). Again, if the nonce is expired
> (too old - see nonce_expire -
> http://www.opensips.org/html/docs/modules/2.3.x/auth.html#idp185504),
> there is no way to force its acceptance. OpenSIPS will reject it as
> stale (even if there is a correct auth answer).
>
> The disable_nonce_check parameter
> (http://www.opensips.org/html/docs/modules/2.3.x/auth.html#idp5552944)
> is exclusively for nonce re-usage.
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>    http://www.opensips-solutions.com
> OpenSIPS Summit 2018
>    http://www.opensips.org/events/Summit-2018Amsterdam

Re: Auth parameter disable_nonce_check not working as expected

Bogdan-Andrei Iancu-2
Oh, so it is even worse, like the UA is generating its own nonce - you
know this is a violation of the Digest authentication RFC and a huge
security risk for a SIP server - this is why OpenSIPS rejects expired or
unknown nonces. Otherwise someone can attack your service by simply
re-using credentials collected from the network level.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   http://www.opensips-solutions.com
OpenSIPS Summit 2018
   http://www.opensips.org/events/Summit-2018Amsterdam

On 01/11/2018 01:59 AM, Robert Dyck wrote:

> I have to accept that I cannot work around the UA's bug. A strange bug that
> only manifests itself after an hour or so. The servers say the nonce is stale
> when in fact the UA presents a nonce of its own invention even changing the
> number of characters in the nonce.
>
> Thank you for your time
> Rob
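
The check order described in the replies above (unknown nonce, then the mandatory stale check, then the reuse check that disable_nonce_check controls), as an added example that is not part of the thread and is not OpenSIPS code. The nonce layout, the HMAC key and the class and function names are assumptions made for illustration; only nonce_expire and disable_nonce_check are names from the thread, and verification of the digest response itself is left out.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # hypothetical per-server key


def _mac(ts_hex, salt):
    msg = f"{ts_hex}.{salt}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


class NonceChecker:
    """Toy model of the check order described in the thread (not OpenSIPS code)."""

    def __init__(self, nonce_expire=30, disable_nonce_check=False):
        self.nonce_expire = nonce_expire            # seconds a nonce stays valid
        self.disable_nonce_check = disable_nonce_check
        self.used = set()                           # nonces already presented

    def issue(self, now):
        """Nonce for a 401 challenge: issue time, random salt, keyed MAC."""
        ts_hex, salt = f"{now:x}", secrets.token_hex(4)
        return f"{ts_hex}.{salt}.{_mac(ts_hex, salt)}"

    def check(self, nonce, now):
        # 1. Unknown: the server never generated this value (UA-invented nonce).
        try:
            ts_hex, salt, mac = nonce.split(".")
            issued_at = int(ts_hex, 16)
        except ValueError:
            return "unknown"
        if not hmac.compare_digest(mac.encode(), _mac(ts_hex, salt).encode()):
            return "unknown"
        # 2. Stale: always enforced; no parameter in this model turns it off.
        if now - issued_at > self.nonce_expire:
            return "stale"
        # 3. Reuse: the only step that disable_nonce_check skips.
        if not self.disable_nonce_check:
            if nonce in self.used:
                return "reused"
            self.used.add(nonce)
        return "ok"


def demo():
    """Constructed timeline: one nonce issued at t=1000, presented repeatedly."""
    lenient = NonceChecker(nonce_expire=30, disable_nonce_check=True)
    strict = NonceChecker(nonce_expire=30, disable_nonce_check=False)
    n = lenient.issue(now=1000)
    return {
        "lenient": [lenient.check(n, 1010), lenient.check(n, 1020), lenient.check(n, 1031)],
        "strict": [strict.check(n, 1010), strict.check(n, 1020)],
        "invented": lenient.check("4d2e9f", 1010),
    }
```

With the reuse check disabled the same nonce is accepted twice but still rejected as stale once it is older than nonce_expire, which is the behaviour reported at the start of the thread.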

Re: Auth parameter disable_nonce_check not working as expected

Robert Dyck
Agreed.
Initially I thought it was a stale nonce. I captured the messages at the
moment it went from working to not working and compared the nonces.
The developers of Linphone have not responded to a bug report.

Rob

On Thursday, January 11, 2018 2:20:48 AM PST Bogdan-Andrei Iancu wrote:

> Oh, so it is even worse, like the UA is generating its own nonce - you
> know this is a violation of the Digest authentication RFC and a huge
> security risk for a SIP server - this is why OpenSIPS rejects expired or
> unknown nonces. Otherwise someone can attack your service by simply
> re-using credentials collected from the network level.
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>    http://www.opensips-solutions.com
> OpenSIPS Summit 2018
>    http://www.opensips.org/events/Summit-2018Amsterdam