[OpenSIPS-Users] proxy_authorize("","subscriber") bug ??

Pasan Meemaduma pasandev at ymail.com
Tue Jul 13 06:30:36 CEST 2010


Hi All,

Looks like modparam("auth", "disable_nonce_check", 1) has fixed my problem.

I just want to know: if I disable the nonce check, will it affect
www_authorize("", "subscriber")?

I have put the following in my config.


How can I stop the nonce check for REGISTER requests?

route[2]
{
       # authorize registration
       if(!www_authorize("", "subscriber")) {
               # xlog("L_INFO", "Register authentication failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
                $var(reason) = $retcode;
                if($var(reason) == -3){
                       xlog("L_INFO", "Register authentication failed (stale nonce)- M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
                       # I can see this in syslog ???? Doesn't modparam("auth", "disable_nonce_check", 1) affect www_authorize("", "subscriber") ??

                }
                www_challenge("", "0");
                exit;
       }

       # prevent spoofed registration attempts
       if(!check_to()){                   # Changed on 2010-06-15
#               #xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
               sl_send_reply("403", "Spoofed To-URI detected");
               exit;
       }

       # remove credentials
       consume_credentials();

       # perform NAT traversal for subsequent requests
       if(!search("^Contact:[ ]*\*") && nat_uac_test("19")) {
               fix_nated_register();
               setbflag(2); # flag for NAT
               setbflag(8); # flag for NAT PING using SIP OPTION request. Fixed on 31/05/2010
       }

       # save contact
       if(!save("location")) {
               # xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
               sl_reply_error();
               exit;
       }

       #xlog("L_INFO", "Registration successful - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
       exit;
}

thanks




________________________________
From: Pasan Meemaduma <pasandev at ymail.com>
To: OpenSIPS users mailling list <users at lists.opensips.org>
Sent: Monday, July 12, 2010 16:46:26
Subject: Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??


Hi Bogdan,

Thanks for the quick reply,

What I now suspect is that the security mechanism for stale nonces introduced in
later 1.4 is causing this. The identical configuration works fine with opensips 1.4.

This problem started to appear after I upgraded the server from openser to opensips
about a month ago.


Losing registration is the worst problem since it's affecting incoming
calls.

For the moment what I did was add the following in my opensips.cfg after going 
through the mailing list archives.



modparam("auth", "disable_nonce_check", 1)

As I understood, opensips rejects a nonce which was used before even if it is sent with
correct credentials. This could be the problem that Re-INVITEs get 407.

I can't make many changes to observe more debugging information, like setting
debug=6, as this is a production server.

I'm going to apply the new setting modparam("auth", "disable_nonce_check", 1) 
tomorrow on our offpeak time and see whether it will resolve the problem.

I'll get back to here tomorrow with the results.





________________________________
From: Bogdan-Andrei Iancu <bogdan at voice-system.ro>
To: OpenSIPS users mailling list <users at lists.opensips.org>
Sent: Monday, July 12, 2010 15:46:18
Subject: Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??

Hi Pasan,

First, for non-REGISTER requests use only the proxy_XXXX() functions.

For debugging the failure, try:

1) print the return code of the proxy_authorize() (use $retcode) - see 
http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228340

2) set debug=6 and post the log corresponding to the INVITE processing.

Regards,
Bogdan

Pasan Meemaduma wrote:
> Hi All,
>
> I'm having trouble with my authentication routine with opensips 1.5
>
> I'm currently using opensips 1.5.3-1
>
> And there is a lot of VoIP equipment using this production server.
>
> The problem is that sometimes, for some SIP clients,
> proxy_authorize("","subscriber") returns false even with correct
> credentials.
>
> Basically, most of the time this happens to Re-INVITEs in a dialogue
> (messages with Proxy-Authorization header).
>
> This is causing in-progress calls to fail. The SIP client gives up
> when it changes again.
>
> Another problem is with www_authorize("", "subscriber")
>
> It has the same problem: it returns false even with correct credentials,
> and this happens randomly, so it's hard to figure out why.
>
> Is anyone else having similar issues using these
> routines?
>
> Is it a bug in these routines?
>
> Is there a new release for the 1.5 branch which has fixed this sort of
> problem?
>
> Any help on this would be very appreciated.
>
> Currently the server has more than 8000 entries in the location table at any
> given time and handles more than 3000 calls per day.
>
> Following is one such SIP trace that I got from a call.
>
>
> Even though the re-INVITE has a correct Proxy-Authorization header present,
> opensips changes it again.
>
> U 2010/06/24 16:03:40.466974 y.y.y.y:5060 -> x.x.x.x:5060
> INVITE sip:1234567890 at x.x.x.x SIP/2.0.
> To:  <sip:1234567890 at x.x.x.x>.
> From: "abcdefgh" <sip:abcdefgh at x.x.x.x>;tag=252070.
> Call-ID: 444603gj at 192.168.1.20.
> CSeq: 5 INVITE.
> Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK155910d13;rport.
> Allow: ACK,BYE,CANCEL,INVITE,INFO,NOTIFY,OPTIONS,PRACK,REFER,UPDATE.
> Contact: <sip:abcdefgh at 192.168.1.20:5060>.
> Supported: replaces,precondition.
> Accept: application/sdp,application/cpim-pidf+xml.
> Expires:  240.
> User-Agent: BiPAC 7404VGPX 5.53.s6.b1.
> Accept-Language: en.
> Content-Type: application/sdp.
> Content-Length: 306.
> Content-Language: en.
> Content-Disposition: session.
> Max-Forwards: 70.
> Proxy-Authorization: Digest username="abcdefgh",realm="x.x.x.x",nonce="4c22f542000042ba42dd84f4cd197a73f815b9c34124752c",uri="sip:1234567890 at x.x.x.x",response="32f7b1dfebfa87b20d1efe0e47019b81".
>.
> .
> v=0.
> o=abcdefgh 862 862 IN IP4 192.168.1.20.
> s=-.
> c=IN IP4 192.168.1.20.
> t=0 0.
> m=audio 5100 RTP/AVP 18 0 8 101.
> a=rtpmap:18 G729/8000.
> a=rtpmap:0 PCMU/8000.
> a=rtpmap:8 PCMA/8000.
> a=rtpmap:101 telephone-event/8000.
> a=fmtp:101 0-15,66,70.
> a=curr:qos e2e send.
> a=des:qos optional e2e sendrecv.
>  a=sendrecv.
>
>
> U 2010/06/24 16:03:40.468557 x.x.x.x:5060 -> y.y.y.y:5060
> SIP/2.0 407 Proxy Authentication Required.
> To:  <sip:1234567890 at x.x.x.x>;tag=a1270bde159848b15079f3c250cc0b75.56af.
> From: "abcdefgh" <sip:abcdefgh at x.x.x.x>;tag=252070.
> Call-ID: 444603gj at 192.168.1.20.
> CSeq: 5 INVITE.
> Via: SIP/2.0/UDP 
> 192.168.1.20:5060;branch=z9hG4bK155910d13;rport=5060;received=y.y.y.y.
> Proxy-Authenticate: Digest realm="x.x.x.x", 
> nonce="4c22f55a00004fac9c389333991faa357d4dda38f4b9159f".
> Server: Voip.
> Content-Length: 0.
>
>
>
>
> ------------------------------------------------------------------------
>
>  _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>  


-- 
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
20 - 24 September 2010, Frankfurt, Germany
www.voice-system.ro
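
An added diagnostic example, not part of the original posts and not OpenSIPS code: it splits the two nonces from the trace above into fields and models a one-time-nonce check, with and without the check enabled. The field layout, the 30-second lifetime and the names `parse_nonce`, `compare` and `ReuseCheck` are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Nonces copied from the SIP trace quoted in this thread.
REQUEST_NONCE = "4c22f542000042ba42dd84f4cd197a73f815b9c34124752c"
CHALLENGE_NONCE = "4c22f55a00004fac9c389333991faa357d4dda38f4b9159f"

def parse_nonce(nonce):
    """ASSUMED layout: expiry time (8 hex) | issue index (8 hex) | MD5 (32 hex)."""
    if len(nonce) != 48 or any(c not in "0123456789abcdef" for c in nonce):
        raise ValueError("expected 48 lowercase hex characters")
    return {"expires": int(nonce[:8], 16), "index": int(nonce[8:16], 16),
            "mac": nonce[16:]}

def compare(request_nonce, challenge_nonce, lifetime=30):
    """Relate the nonce a client sent to the fresh one in the 407 reply.
    lifetime: ASSUMED nonce lifetime in seconds (a fresh nonce expires
    `lifetime` seconds after it is issued)."""
    req, chal = parse_nonce(request_nonce), parse_nonce(challenge_nonce)
    now = chal["expires"] - lifetime          # moment the 407 was generated
    return {
        "request_expires_utc":
            datetime.fromtimestamp(req["expires"], timezone.utc).isoformat(),
        "seconds_left": req["expires"] - now,
        "expired": req["expires"] < now,
        # number of nonces handed out in between; ignores index wrap-around
        "issued_between": chal["index"] - req["index"],
    }

class ReuseCheck:
    """Simplified one-time-nonce model; the MD5 field is not verified here
    because that needs the server secret."""
    def __init__(self, enabled=True):
        self.enabled, self.used = enabled, set()

    def accept(self, nonce, now):
        n = parse_nonce(nonce)
        if n["expires"] < now:
            return "stale"
        if self.enabled:
            if n["index"] in self.used:
                return "reused"
            self.used.add(n["index"])
        return "ok"

if __name__ == "__main__":
    print(compare(REQUEST_NONCE, CHALLENGE_NONCE))
    t = parse_nonce(REQUEST_NONCE)["expires"] - 6
    for enabled in (True, False):
        chk = ReuseCheck(enabled)
        print(enabled, [chk.accept(REQUEST_NONCE, t) for _ in range(2)])
```

Under these assumptions the nonce in the rejected INVITE still had 6 seconds of lifetime left, so the time field alone does not explain the 407. In the model, turning the check off makes the second presentation of the same nonce succeed, which also means a captured Proxy-Authorization header stays replayable until the nonce expires.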

