[OpenSIPS-Users] Nonce expire
Daniel Goepp
dan at goepp.net
Sun Apr 4 04:21:38 CEST 2010
Thanks for the update. I did notice that parameter, but I don't want to
disable it. I guess for now I will just accept the higher load of authing
every register. I also found that I had a device that was not behaving
right either. I will look into this one further. Sorry for the flood of
emails, I was really banging my head the other day on this one.
-dg
On Fri, Apr 2, 2010 at 11:38 PM, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
> Hi Daniel,
>
> It is because of the nonce reusage - OpenSIPS (by default) uses a nonce for
> a single authentication; after that it reports it as stale.
> If you want to disable this behaviour (to enable nonce reusage), see the
> auth param "disable_nonce_check":
> http://www.opensips.org/html/docs/modules/1.6.x/auth.html#id228317
>
> Regards,
> Bogdan
>
> Daniel Goepp wrote:
> > Ah...I see what that retcode is anyway, 2^32 = 4294967296, so those
> > are really just -4 first, no credentials, then -3 stale nonce
> >
> > -dg
> >
> >
> > On Fri, Apr 2, 2010 at 1:50 PM, Daniel Goepp <dan at goepp.net> wrote:
> > >
> > > A quick follow up on this, I enabled some logging, but the retcode is not making any sense to me (probably because I'm using it wrong).
> > >
> > > From my config:
> > >
> > >     xlog ("REGISTER $fu");
> > >     # authenticate the REGISTER requests (uncomment to enable auth)
> > >     if (!www_authorize("", "subscriber"))
> > >     {
> > >         xlog ("Not authorized - challenging, error: $retcode");
> > >         www_challenge("", "1");
> > >         exit;
> > >     }
> > >
> > > Then in the log:
> > >
> > > Apr 2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1001 at vidtel.com
> > > Apr 2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967293
> > > Apr 2 13:49:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1001 at vidtel.com
> > > Apr 2 13:49:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1001 at vidtel.com
> > > Apr 2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1001 at vidtel.com
> > > Apr 2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: Not authorized - challenging, error: 4294967292
> > > Apr 2 13:50:18 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1001 at vidtel.com
> > > Apr 2 13:50:38 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1001 at vidtel.com
> > > Apr 2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: REGISTER sip:1001 at vidtel.com
> > > Apr 2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30180]: Not authorized - challenging, error: 4294967292
> > > Apr 2 13:50:58 ip-10-160-23-47 /usr/local/sbin/opensips[30182]: REGISTER sip:1001 at vidtel.com
> > >
> > > Also I'm running 1.6.2-tls compiled today from latest 1_6 branch in SVN.
> > >
> > > -dg
> > >
> > >
> > > On Fri, Apr 2, 2010 at 1:40 PM, Daniel Goepp <dan at goepp.net> wrote:
> > >>
> > >> I'm having some trouble with nonce expiring I believe. The problem is that every other one of my endpoint registrations is doing an auth challenge w/401.
> > >>
> > >> From my config:
> > >> modparam("registrar", "default_expires", 60)
> > >> modparam("registrar", "min_expires", 60)
> > >> modparam("registrar", "max_expires", 60)
> > >>
> > >> modparam("auth", "nonce_expire", 3600)
> > >>
> > >> From this I would expect the devices to try to register every 60 seconds, and get challenged every hour with a new nonce.
> > >>
> > >> Comments on why OpenSIPS is challenging every other registration?
> > >>
> > >> Thanks
> > >>
> > >> -dg
> > >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
>
>
> --
> Bogdan-Andrei Iancu
> www.voice-system.ro
>
>
>
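
Added example (not part of the original messages and not OpenSIPS code): a toy Python model of the single-use nonce behaviour described in the thread, showing why a client that reuses its cached nonce is re-challenged on every 60-second registration, and how that changes when reuse is allowed until `nonce_expire`. `Registrar`, `simulate` and `as_signed32` are hypothetical names; the -4/-3 codes are the ones decoded in the thread, and the success value 1 is an assumption.

```python
import itertools

# Result codes: -4 and -3 as decoded in the thread; 1 for success is an assumption.
NO_CREDENTIALS, STALE_NONCE, OK = -4, -3, 1

def as_signed32(value):
    """Reinterpret an unsigned 32-bit $retcode (e.g. 4294967293) as signed."""
    return value - 2**32 if value >= 2**31 else value

class Registrar:
    """Toy digest-auth server (hypothetical model, not OpenSIPS code)."""
    def __init__(self, nonce_expire=3600, disable_nonce_check=False):
        self.nonce_expire = nonce_expire
        self.disable_nonce_check = disable_nonce_check
        self.issued = {}              # nonce -> time it was issued
        self.used = set()             # nonces already consumed once
        self._ids = itertools.count(1)

    def challenge(self, now):
        nonce = f"n{next(self._ids)}"
        self.issued[nonce] = now
        return nonce

    def authorize(self, nonce, now):
        if nonce is None:
            return NO_CREDENTIALS
        issued = self.issued.get(nonce)
        if issued is None or now - issued > self.nonce_expire:
            return STALE_NONCE        # unknown or expired nonce
        if not self.disable_nonce_check:
            if nonce in self.used:
                return STALE_NONCE    # single-use: a replayed nonce is stale
            self.used.add(nonce)
        return OK

def simulate(server, cycles=4, interval=60):
    """Client re-registers every `interval` seconds, reusing its cached nonce.
    Returns the result code of every REGISTER the server sees."""
    results, cached = [], None
    for i in range(cycles):
        now = i * interval
        rc = server.authorize(cached, now)
        results.append(rc)
        if rc != OK:                  # 401: take the new nonce and retry
            cached = server.challenge(now)
            results.append(server.authorize(cached, now))
    return results
```

With nonce reuse allowed, a captured Authorization header stays replayable until `nonce_expire` elapses, which is the trade-off against the extra challenge per registration.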