Error in auth module

Sergio Gutierrez
Hello to all members.

I am running OpenSIPS 1.5.1 with MySQL authentication and authorization backend; after some minutes of running, I am getting the following error in log:

Jun 10 16:00:55 [25744] DBG:auth:reserve_nonce_index: second= 13, sec_monit= 1,  index= 5
Jun 10 16:00:55 [25744] DBG:auth:build_auth_hf: nonce index= 5
Jun 10 16:00:55 [25744] DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest realm="200.13.225.250", nonce="4a2f928500000005acf87663581a317e2716f2ae64017424"
Jun 10 16:00:55 [25744] DBG:auth:check_nonce: comparing [4a2f928500000005acf87663581a317e2716f2ae64017424] and [4a2f928500000005acf87663581a317e2716f2ae64017424]
Jun 10 16:00:55 [25744] DBG:auth:post_auth: nonce index= 5
Jun 10 16:00:55 [25744] DBG:auth:check_nonce: comparing [4a2f928500000005acf87663581a317e2716f2ae64017424] and [4a2f928500000005acf87663581a317e2716f2ae64017424]
Jun 10 16:00:55 [25744] DBG:auth:post_auth: nonce index= 5
Jun 10 16:00:55 [25744] DBG:auth:is_nonce_index_valid: nonce already used
Jun 10 16:00:55 [25744] DBG:auth:post_auth: nonce index not valid

With this, calls fail as I am checking authorization at INVITE. Register works without any problem.

Any hint on this?

Thanks in advance for your attention.

Regards.


Sergio

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: Error in auth module

Iñaki Baz Castillo
On Wednesday, 10 June 2009, Sergio Gutierrez wrote:

> Hello to all members.
>
> I am running OpenSIPS 1.5.1 with MySQL authentication and authorization
> backend; after some minutes of running, I am getting the following error in
> log:
>
> Jun 10 16:00:55 [25744] DBG:auth:reserve_nonce_index: second= 13,
> sec_monit= 1,  index= 5
> Jun 10 16:00:55 [25744] DBG:auth:build_auth_hf: nonce index= 5
> Jun 10 16:00:55 [25744] DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest
> realm="200.13.225.250",
> nonce="4a2f928500000005acf87663581a317e2716f2ae64017424"
> Jun 10 16:00:55 [25744] DBG:auth:check_nonce: comparing
> [4a2f928500000005acf87663581a317e2716f2ae64017424] and
> [4a2f928500000005acf87663581a317e2716f2ae64017424]
> Jun 10 16:00:55 [25744] DBG:auth:post_auth: nonce index= 5
> Jun 10 16:00:55 [25744] DBG:auth:check_nonce: comparing
> [4a2f928500000005acf87663581a317e2716f2ae64017424] and
> [4a2f928500000005acf87663581a317e2716f2ae64017424]
> Jun 10 16:00:55 [25744] DBG:auth:post_auth: nonce index= 5
> Jun 10 16:00:55 [25744] DBG:auth:is_nonce_index_valid: nonce already used
> Jun 10 16:00:55 [25744] DBG:auth:post_auth: nonce index not valid
>
> With this, calls fail as I am checking authorization at INVITE. Register
> works without any problem.
>
> Any hint on this?

It means that, even if the digest response is valid, it has already been
used (most probably by the same UA). This is configurable in OpenSIPS: you can
set OpenSIPS to allow multiple usage of the same digest response or not.

Usually, a SIP device sends a request, receives a challenge, generates the
digest response and resends the same request with credentials.
The next time the device sends a request, it directly adds the previous
credentials. The server can accept it (since it's valid and hasn't yet expired
in the server) or can refuse it by replying 401/407 with a new digest nonce.
Then the UA should generate a new request containing credentials according to
this nonce.

Your UA seems not to do it. Which phone are you using?




--
Iñaki Baz Castillo <[hidden email]>

|

Re: Error in auth module

Sergio Gutierrez
Hello Iñaki.

Thanks for your answer.

I am facing the problem both with Grandstream HT-487 and with Zoiper softphone.

Thanks and regards.

Sergio.

--
Sergio Gutiérrez

|

Re: Error in auth module

Iñaki Baz Castillo
On Wednesday, 10 June 2009, Sergio Gutierrez wrote:
> Hello Iñaki.
>
> Thanks for your answer.
>
> I am facing the problem both with Grandstream HT-487 and with Zoiper
> softphone.

Try Twinkle or any Linksys SPA9XX, they won't fail :)

--
Iñaki Baz Castillo <[hidden email]>

|

Re: Error in auth module

Sergio Gutierrez
Thanks for your suggestion Iñaki.

I will try with those;

Anyway, this behaviour is very strange, and I did not face it with previous versions of OpenSIPS.

Thanks again.

Regards.

Sergio

--
Sergio Gutiérrez

|

Re: Error in auth module

Saúl Ibarra Corretgé-2
On Wed, Jun 10, 2009 at 11:26 PM, Sergio Gutierrez<[hidden email]> wrote:
> Thanks for your suggestion Iñaki.
>
> I will try with those;
>
> Anyway, this behaviour is very strange, and I did not face it with previous
> versions of OpenSIPS.
>

You can activate the nonce reuse [1], but AFAIK it's not recommended
for security reasons.

[1]: http://www.opensips.org/html/docs/modules/1.5.x/auth.html#id228317


--
Saúl -- "Never underestimate the bandwidth of a truck full of diskettes."
----------------------------------------------------------------
http://www.saghul.net/

|

Re: Error in auth module

Iñaki Baz Castillo
On Wednesday, 10 June 2009, Sergio Gutierrez wrote:
> Thanks for your suggestion Iñaki.
>
> I will try with those;
>
> Anyway, this behaviour is very strange, and I did not face it with previous
> versions of OpenSIPS.

I'm not sure if previous versions allowed reused digest responses.


--
Iñaki Baz Castillo <[hidden email]>

|

Re: Error in auth module

Bogdan-Andrei Iancu
Iñaki Baz Castillo wrote:

> On Wednesday, 10 June 2009, Sergio Gutierrez wrote:
>  
>> Thanks for your suggestion Iñaki.
>>
>> I will try with those;
>>
>> Anyway, this behaviour is very strange, and I did not face it with previous
>> versions of OpenSIPS.
>>    
>
> I'm not sure if previous versions allowed reused digest responses.
>  
this check was added starting with 1.4

Regards,
Bogdan


|

Re: Error in auth module

Bogdan-Andrei Iancu
Hi Iñaki,

Have you checked with ngrep if the second REGISTER (with the same nonce)
is by chance a retransmission of the first one? Maybe everything is ok,
you just have retransmissions and they generated the nonce re-used problem.

Regards,
Bogdan

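Added example (not part of the original thread and not OpenSIPS code): a Python scan of the auth debug lines from the first message that reports each "nonce already used" rejection with the time since the previous use of that nonce index, to help decide whether a retransmission is worth looking for in a capture. The function name, the 4-second window and the index 6 lines in the sample are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: auth debug lines from the first message (check_nonce and
# header lines left out) plus invented lines for index 6 showing a later reuse.
SAMPLE_LOG = """\
Jun 10 16:00:55 [25744] DBG:auth:reserve_nonce_index: second= 13, sec_monit= 1,  index= 5
Jun 10 16:00:55 [25744] DBG:auth:build_auth_hf: nonce index= 5
Jun 10 16:00:55 [25744] DBG:auth:post_auth: nonce index= 5
Jun 10 16:00:55 [25744] DBG:auth:post_auth: nonce index= 5
Jun 10 16:00:55 [25744] DBG:auth:is_nonce_index_valid: nonce already used
Jun 10 16:00:55 [25744] DBG:auth:post_auth: nonce index not valid
Jun 10 16:01:10 [25744] DBG:auth:build_auth_hf: nonce index= 6
Jun 10 16:01:10 [25744] DBG:auth:post_auth: nonce index= 6
Jun 10 16:01:40 [25744] DBG:auth:post_auth: nonce index= 6
Jun 10 16:01:40 [25744] DBG:auth:is_nonce_index_valid: nonce already used
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \[(\d+)\] DBG:auth:(\w+): (.*)$")
INDEX = re.compile(r"nonce index= *(\d+)$")

# window (seconds) is an assumed heuristic, not an OpenSIPS setting; syslog
# lines carry no year, so the caller supplies one.
def find_nonce_reuse(log_text, year=2009, window=4):
    """Return (index, pid, seconds since previous use, verdict) per rejection."""
    uses = {}        # nonce index -> timestamps of post_auth checks
    last_index = {}  # pid -> index seen in that process's latest post_auth
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, pid, func, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        idx = INDEX.search(msg)
        if func == "post_auth" and idx:
            n = int(idx.group(1))
            uses.setdefault(n, []).append(ts)
            last_index[pid] = n
        elif func == "is_nonce_index_valid" and "already used" in msg:
            n = last_index.get(pid)
            if n is None or len(uses[n]) < 2:
                continue  # the earlier use is outside this excerpt
            gap = (uses[n][-1] - uses[n][-2]).total_seconds()
            verdict = "possible-retransmission" if gap <= window else "late-reuse"
            findings.append((n, pid, gap, verdict))
    return findings
```

On the thread's own lines the rejection for index 5 comes 0 seconds after the previous use, which is the case where a capture settles whether the second request was a retransmission.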

Re: Error in auth module

Iñaki Baz Castillo
On Thursday, 11 June 2009, Bogdan-Andrei Iancu wrote:
> Hi Iñaki,
>
> Have you checked with ngrep if the second REGISTER (with the same nonce)
> is by chance a retransmission of the first one? Maybe everything is ok,
> you just have retransmissions and they generated the nonce re-used problem.

Hi Bogdan, I've not this issue, Sergio does. :)

--
Iñaki Baz Castillo <[hidden email]>

|

Re: Error in auth module

Bogdan-Andrei Iancu
Iñaki Baz Castillo wrote:

> On Thursday, 11 June 2009, Bogdan-Andrei Iancu wrote:
>
>> Hi Iñaki,
>>
>> Have you checked with ngrep if the second REGISTER (with the same nonce)
>> is by chance a retransmission of the first one? Maybe everything is ok,
>> you just have retransmissions and they generated the nonce re-used problem.
>>    
>
> Hi Bogdan, I've not this issue, Sergio does. :)
>  

Right :D....my bad...:)  I mixed up the thread a bit.

Bogdan

