[OpenSIPS-Users] Problem with nonce (probably due to configuration)

Bogdan-Andrei Iancu bogdan at voice-system.ro
Fri Jun 5 17:49:16 CEST 2009


Hi Joan,

The cause is:

Jun  5 11:16:43 pulse DBG:auth:is_nonce_index_valid: nonce already used
Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index not valid

It seems that your phone has a problem with authentication and keeps 
re-using an old nonce that is rejected by opensips.

You have 2 options:
   1) disable the nonce reuse check (less secure) by 
http://www.opensips.org/html/docs/modules/1.5.x/auth.html#id228317:
             modparam("auth", "disable_nonce_check", 1)

   2) post a trace of the whole REGISTER sequence to see what is the 
problem with the phone you are using.

Regards,
Bogdan


Joan wrote:
> I'm having a problem in a new setup, I have been looking at it for
> some time, but I cannot find the real reason that it is failing.
> Basically I can only call for the first few calls after restarting
> opensips. After that I cannot call anymore.
> Tracing the problem I found that it seems to be a problem with the
> generation of the nonces.
>
> The relevant part is that I see
>
> I posted the output of cat /var/log/syslog | grep nonce in the
> pastebin: http://pastebin.com/m4344e16a
>
> For the first entries, the nonces are generated appropriately ....
>
> Jun  5 11:16:09 pulse DBG:auth:reserve_nonce_index: second= 4,
> sec_monit= -1,  index= 0
> Jun  5 11:16:09 pulse DBG:auth:build_auth_hf: nonce index= 0
> Jun  5 11:16:09 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
> Digest realm="example.com",
> nonce="4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb"^M '
> Jun  5 11:16:09 pulse DBG:auth:check_nonce: comparing
> [4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb] and
> [4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb]
> Jun  5 11:16:09 pulse DBG:auth:post_auth: nonce index= 0
> Jun  5 11:16:09 pulse DBG:auth:check_nonce: comparing
> [4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb] and
> [4a28e27700000000f987ee1aea739d268b8cf3a941dc12bb]
> Jun  5 11:16:09 pulse DBG:auth:post_auth: nonce index= 0
> Jun  5 11:16:14 pulse DBG:auth:reserve_nonce_index: second= 8,
> sec_monit= -1,  index= 1
> Jun  5 11:16:14 pulse DBG:auth:build_auth_hf: nonce index= 1
> Jun  5 11:16:14 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
> Digest realm="example.com",
> nonce="4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd"^M '
> Jun  5 11:16:14 pulse DBG:auth:check_nonce: comparing
> [4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd] and
> [4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd]
> Jun  5 11:16:14 pulse DBG:auth:post_auth: nonce index= 1
> Jun  5 11:16:14 pulse DBG:auth:check_nonce: comparing
> [4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd] and
> [4a28e27c00000001cbab3d6af9ffd998167291ec85f873cd]
> Jun  5 11:16:14 pulse DBG:auth:post_auth: nonce index= 1
>
> After a while, with no apparent reason, nonces start to collide:
>
> Jun  5 11:16:39 pulse DBG:auth:reserve_nonce_index: second= 3,
> sec_monit= -1,  index= 7
> Jun  5 11:16:39 pulse DBG:auth:build_auth_hf: nonce index= 7
> Jun  5 11:16:39 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
> Digest realm="example.com",
> nonce="4a28e29500000007fb204a1185fed36378ef6868f672ae6e"^M '
> Jun  5 11:16:39 pulse DBG:auth:check_nonce: comparing
> [4a28e29500000007fb204a1185fed36378ef6868f672ae6e] and
> [4a28e29500000007fb204a1185fed36378ef6868f672ae6e]
> Jun  5 11:16:39 pulse DBG:auth:post_auth: nonce index= 7
> Jun  5 11:16:39 pulse DBG:auth:check_nonce: comparing
> [4a28e29500000007fb204a1185fed36378ef6868f672ae6e] and
> [4a28e29500000007fb204a1185fed36378ef6868f672ae6e]
> Jun  5 11:16:39 pulse DBG:auth:post_auth: nonce index= 7
> Jun  5 11:16:42 pulse DBG:auth:reserve_nonce_index: second= 6,
> sec_monit= 0,  index= 8
> Jun  5 11:16:42 pulse DBG:auth:build_auth_hf: nonce index= 8
> Jun  5 11:16:42 pulse DBG:auth:build_auth_hf: 'Proxy-Authenticate:
> Digest realm="example.com",
> nonce="4a28e29800000008d0eb660696e699d4481e16bc773771d2"^M '
> Jun  5 11:16:43 pulse DBG:auth:check_nonce: comparing
> [4a28e29800000008d0eb660696e699d4481e16bc773771d2] and
> [4a28e29800000008d0eb660696e699d4481e16bc773771d2]
> Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index= 8
> Jun  5 11:16:43 pulse DBG:auth:check_nonce: comparing
> [4a28e29800000008d0eb660696e699d4481e16bc773771d2] and
> [4a28e29800000008d0eb660696e699d4481e16bc773771d2]
> Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index= 8
> Jun  5 11:16:43 pulse DBG:auth:is_nonce_index_valid: nonce already used
> Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index not valid
>
>
> At the moment, there's only one single client connected, and I'm only
> doing missed calls (I don't pick up the phone).
> I found also that if I turn off the nonce checking, everything goes
> fine, but I'm not confident about leaving it this way.
>
> Any tracks I can follow? I don't know if it would be a problem with
> the proxy_authorize or with the termination of the previous call?
>
> Thanks a lot!
>
>   
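To see which nonce a phone keeps re-presenting before collecting a SIP trace, the auth debug lines quoted in this thread can be summarized per nonce index. This is an added example, not part of the original message and not OpenSIPS code; the log is a constructed, abridged copy of the thread's lines, and reading the index from hex digits 9-16 of the nonce is an assumption based on those lines.

```python
import re

# Constructed sample: debug lines for nonce index 7 and 8 in the format shown
# in the thread, abridged and unwrapped to one entry per line.
N7 = "4a28e29500000007fb204a1185fed36378ef6868f672ae6e"
N8 = "4a28e29800000008d0eb660696e699d4481e16bc773771d2"
SAMPLE_LOG = f"""\
Jun  5 11:16:39 pulse DBG:auth:build_auth_hf: nonce index= 7
Jun  5 11:16:39 pulse DBG:auth:check_nonce: comparing [{N7}] and [{N7}]
Jun  5 11:16:39 pulse DBG:auth:post_auth: nonce index= 7
Jun  5 11:16:42 pulse DBG:auth:build_auth_hf: nonce index= 8
Jun  5 11:16:43 pulse DBG:auth:check_nonce: comparing [{N8}] and [{N8}]
Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index= 8
Jun  5 11:16:43 pulse DBG:auth:check_nonce: comparing [{N8}] and [{N8}]
Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index= 8
Jun  5 11:16:43 pulse DBG:auth:is_nonce_index_valid: nonce already used
Jun  5 11:16:43 pulse DBG:auth:post_auth: nonce index not valid
"""
ENTRY = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ DBG:auth:(\w+): (.*)$")

def nonce_index(nonce):
    # Assumption from the thread's nonces: hex digits 9-16 carry the index.
    return int(nonce[8:16], 16)

def summarize(log):
    """Per nonce index: issue time, nonce, times presented, times rejected."""
    stats, last = {}, None
    def slot(i):
        return stats.setdefault(i, {"issued": None, "nonce": None, "presented": 0, "rejected": 0})
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # not an auth debug entry
        when, func, msg = m.groups()
        idx = re.search(r"nonce index= (\d+)", msg)
        got = re.search(r"comparing \[([0-9a-f]+)\]", msg)
        if func == "build_auth_hf" and idx:
            slot(int(idx.group(1)))["issued"] = when
        elif func == "check_nonce" and got:
            slot(nonce_index(got.group(1)))["nonce"] = got.group(1)
        elif func == "post_auth" and idx:
            last = int(idx.group(1))
            slot(last)["presented"] += 1
        elif func == "is_nonce_index_valid" and "already used" in msg and last is not None:
            slot(last)["rejected"] += 1  # charge it to the index post_auth just logged
    return stats

def reused(log):
    return sorted(i for i, s in summarize(log).items() if s["rejected"])
```

Feed it the unwrapped output of the `grep nonce` on syslog; the indexes returned by `reused()` are the ones whose REGISTER/INVITE exchange is worth capturing on the wire.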



