Problem with nonce (probably due to configuration)

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Problem with nonce (probably due to configuration)

Joan-2-2
I'm having a problem in a new setup, I have been looking at it for
some time, but I cannot find the real reason that it is failing.
Basically I can only call for the first few calls after restarting
opensips. After that I cannot call anymore.
Tracing the problem I found that it seems to be a problem with the
generation of the nonces.

The relevant part is that I see

I posted the output of cat /var/log/syslog | grep nonce in the
pastebin: http://pastebin.com/m4344e16a

For the first entries, the nonces are generated appropiately ....

Jun  5 11:16:09 pulse DBG:auth:reserve_nonce_index: second= 4,
sec_monit= -1,  index= 0
Jun  5 11:16:09 pulse DBG:auth:build_auth_hf: nonce index= 0
Jun  5 11:16:09 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
Digest realm="example.com",
nonce="4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb"^M '
Jun  5 11:16:09 pulse DBG:auth:check_nonce: comparing
[4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb] and
[4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb]
Jun  5 11:16:09 pulse DBG:auth:post_auth: nonce index= 0
Jun  5 11:16:09 pulse DBG:auth:check_nonce: comparing
[4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb] and
[4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb]
Jun  5 11:16:09 pulse DBG:auth:post_auth: nonce index= 0
Jun  5 11:16:14 pulse DBG:auth:reserve_nonce_index: second= 8,
sec_monit= -1,  index= 1
Jun  5 11:16:14 pulse DBG:auth:build_auth_hf: nonce index= 1
Jun  5 11:16:14 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
Digest realm="example.com",
nonce="4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd"^M '
Jun  5 11:16:14 pulse DBG:auth:check_nonce: comparing
[4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd] and
[4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd]
Jun  5 11:16:14 pulse DBG:auth:post_auth: nonce index= 1
Jun  5 11:16:14 pulse DBG:auth:check_nonce: comparing
[4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd] and
[4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd]
Jun  5 11:16:14 pulse DBG:auth:post_auth: nonce index= 1

After a while, with no apparent reason, nonces start to collide:

Jun  5 11:16:39 pulse DBG:auth:reserve_nonce_index: second= 3,
sec_monit= -1,  index= 7
Jun  5 11:16:39 pulse DBG:auth:build_auth_hf: nonce index= 7
Jun  5 11:16:39 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
Digest realm="example.com",
nonce="4a28e29500000007fb204a1185fed36378ef6868f672ae6e"^M '
Jun  5 11:16:39 pulse DBG:auth:check_nonce: comparing
[4a28e29500000007fb204a1185fed36378ef6868f672ae6e] and
[4a28e29500000007fb204a1185fed36378ef6868f672ae6e]
Jun  5 11:16:39 pulse DBG:auth:post_auth: nonce index= 7
Jun  5 11:16:39 pulse DBG:auth:check_nonce: comparing
[4a28e29500000007fb204a1185fed36378ef6868f672ae6e] and
[4a28e29500000007fb204a1185fed36378ef6868f672ae6e]
Jun  5 11:16:39 pulse DBG:auth:post_auth: nonce index= 7
Jun  5 11:16:42 pulse DBG:auth:reserve_nonce_index: second= 6,
sec_monit= 0,  index= 8
Jun  5 11:16:42 pulse DBG:auth:build_auth_hf: nonce index= 8
Jun  5 11:16:42 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
Digest realm="example.com",
nonce="4a28e29800000008d0eb660696e699d4481e16bc773771d2"^M '
Jun  5 11:16:43 pulse DBG:auth:check_nonce: comparing
[4a28e29800000008d0eb660696e699d4481e16bc773771d2] and
[4a28e29800000008d0eb660696e699d4481e16bc773771d2]
Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index= 8
Jun  5 11:16:43 pulse DBG:auth:check_nonce: comparing
[4a28e29800000008d0eb660696e699d4481e16bc773771d2] and
[4a28e29800000008d0eb660696e699d4481e16bc773771d2]
Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index= 8
Jun  5 11:16:43 pulse DBG:auth:is_nonce_index_valid: nonce already used
Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index not valid


At the moment, there's only one single client connected, and I'm only
doing missed calls (I don't pick up the phone).
I found also that if I turn off the nonce checking, everything goes
fine, but I'm not confident about living it this way.

Any tracks I can follow? I don't know if it would be a problem with
the proxy_authorize or with the termination of the previous call?

Thanks a lot!

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Problem with nonce (probably due to configuration)

Bogdan-Andrei Iancu
Hi Joan,

The cause is:

Jun  5 11:16:43 pulse DBG:auth:is_nonce_index_valid: nonce already used
Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index not valid

It seams that your phone have a problem with authentication and keeps
re-using an old nonce that is rejected by opensips.

You have 2 options:
   1) disable the nonce reusage check (less secure) by
http://www.opensips.org/html/docs/modules/1.5.x/auth.html#id228317:
             modparam("auth", "disable_nonce_check", 1)

    2)  post a trace of the whole REgiSTER sequence to see what is the
problem with the phone you are using.

Regards,
Bogdan


Joan wrote:

> I'm having a problem in a new setup, I have been looking at it for
> some time, but I cannot find the real reason that it is failing.
> Basically I can only call for the first few calls after restarting
> opensips. After that I cannot call anymore.
> Tracing the problem I found that it seems to be a problem with the
> generation of the nonces.
>
> The relevant part is that I see
>
> I posted the output of cat /var/log/syslog | grep nonce in the
> pastebin: http://pastebin.com/m4344e16a
>
> For the first entries, the nonces are generated appropiately ....
>
> Jun  5 11:16:09 pulse DBG:auth:reserve_nonce_index: second= 4,
> sec_monit= -1,  index= 0
> Jun  5 11:16:09 pulse DBG:auth:build_auth_hf: nonce index= 0
> Jun  5 11:16:09 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
> Digest realm="example.com",
> nonce="4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb"^M '
> Jun  5 11:16:09 pulse DBG:auth:check_nonce: comparing
> [4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb] and
> [4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb]
> Jun  5 11:16:09 pulse DBG:auth:post_auth: nonce index= 0
> Jun  5 11:16:09 pulse DBG:auth:check_nonce: comparing
> [4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb] and
> [4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb]
> Jun  5 11:16:09 pulse DBG:auth:post_auth: nonce index= 0
> Jun  5 11:16:14 pulse DBG:auth:reserve_nonce_index: second= 8,
> sec_monit= -1,  index= 1
> Jun  5 11:16:14 pulse DBG:auth:build_auth_hf: nonce index= 1
> Jun  5 11:16:14 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
> Digest realm="example.com",
> nonce="4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd"^M '
> Jun  5 11:16:14 pulse DBG:auth:check_nonce: comparing
> [4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd] and
> [4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd]
> Jun  5 11:16:14 pulse DBG:auth:post_auth: nonce index= 1
> Jun  5 11:16:14 pulse DBG:auth:check_nonce: comparing
> [4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd] and
> [4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd]
> Jun  5 11:16:14 pulse DBG:auth:post_auth: nonce index= 1
>
> After a while, with no apparent reason, nonces start to collide:
>
> Jun  5 11:16:39 pulse DBG:auth:reserve_nonce_index: second= 3,
> sec_monit= -1,  index= 7
> Jun  5 11:16:39 pulse DBG:auth:build_auth_hf: nonce index= 7
> Jun  5 11:16:39 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
> Digest realm="example.com",
> nonce="4a28e29500000007fb204a1185fed36378ef6868f672ae6e"^M '
> Jun  5 11:16:39 pulse DBG:auth:check_nonce: comparing
> [4a28e29500000007fb204a1185fed36378ef6868f672ae6e] and
> [4a28e29500000007fb204a1185fed36378ef6868f672ae6e]
> Jun  5 11:16:39 pulse DBG:auth:post_auth: nonce index= 7
> Jun  5 11:16:39 pulse DBG:auth:check_nonce: comparing
> [4a28e29500000007fb204a1185fed36378ef6868f672ae6e] and
> [4a28e29500000007fb204a1185fed36378ef6868f672ae6e]
> Jun  5 11:16:39 pulse DBG:auth:post_auth: nonce index= 7
> Jun  5 11:16:42 pulse DBG:auth:reserve_nonce_index: second= 6,
> sec_monit= 0,  index= 8
> Jun  5 11:16:42 pulse DBG:auth:build_auth_hf: nonce index= 8
> Jun  5 11:16:42 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
> Digest realm="example.com",
> nonce="4a28e29800000008d0eb660696e699d4481e16bc773771d2"^M '
> Jun  5 11:16:43 pulse DBG:auth:check_nonce: comparing
> [4a28e29800000008d0eb660696e699d4481e16bc773771d2] and
> [4a28e29800000008d0eb660696e699d4481e16bc773771d2]
> Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index= 8
> Jun  5 11:16:43 pulse DBG:auth:check_nonce: comparing
> [4a28e29800000008d0eb660696e699d4481e16bc773771d2] and
> [4a28e29800000008d0eb660696e699d4481e16bc773771d2]
> Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index= 8
> Jun  5 11:16:43 pulse DBG:auth:is_nonce_index_valid: nonce already used
> Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index not valid
>
>
> At the moment, there's only one single client connected, and I'm only
> doing missed calls (I don't pick up the phone).
> I found also that if I turn off the nonce checking, everything goes
> fine, but I'm not confident about living it this way.
>
> Any tracks I can follow? I don't know if it would be a problem with
> the proxy_authorize or with the termination of the previous call?
>
> Thanks a lot!
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>  


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users