[SR-Users] Kamailio - Nonce validity between Register and Invite

patrice.bodeven at orange.com
Thu Aug 30 10:43:14 CEST 2012


Hello, 

Sorry, but I am blocked on the nonce reuse between the REGISTER and the INVITE, even with the info provided in debug mode.

My understanding is that the nonce should be valid across SIP methods as long as the nonce is still valid in time.
But I don't know how the nonce is stored and how Kamailio looks for the nonce in memory!

I did a test on REGISTER => nonce reuse is OK.
I did a test on INVITE => nonce reuse from the REGISTER or from a previous INVITE doesn't work!

But based on the site indicated below and SIPp (generating the INVITE with the nonce of the REGISTER), the result is:
auth_db [authorize.c:271]: realm value [openims-kamailio-1.mycluster]
auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
auth [api.c:147]: auth:pre_auth: Invalid nonce value received

But there is no explanation why the nonce is invalid.

See the Wireshark trace: the nonce in the INVITE is the same as the nonce used in the REGISTER.

Thank you for your help. 

Note:

one_time_nonce is set to its default value.
 
# ----- registrar params -----
modparam("registrar", "method_filtering", 1)
/* uncomment the next line to disable parallel forking via location */
# modparam("registrar", "append_branches", 0)
/* uncomment the next line not to allow more than 2 contacts per AOR */
modparam("registrar", "max_contacts", 2)
# max value for expires of registrations
modparam("registrar", "max_expires", 3600)
# remove the sip from the realm
modparam("registrar", "realm_prefix", "sip:")
#!ifdef WITH_USRLOCDB
modparam("usrloc", "db_url", DBURLAUTH)
modparam("usrloc", "db_mode", 0)
modparam("usrloc", "use_domain", MULTIDOMAIN)
modparam("usrloc", "hash_size", 15) # size of table 30k users
modparam("usrloc", "timer_interval", 180) # Every 180s request to DB to delete expired contacts
#!endif

#!ifdef WITH_AUTH
modparam("auth_db", "db_url", DBURLAUTH)
modparam("auth", "auth_checks_register", 6) # callid and From TAG
modparam("auth", "qop", "auth")    # enable qop=auth
modparam("auth", "nonce_count", 1) # enable nonce_count support
#modparam("auth", "nc_array_order", 20)   # 2^20 - 1M in-flight nonces, using 1Mb memory
#modparam("auth", "nid_pool_no", 4)
modparam("auth", "nonce_expire", 21600)   # Set nonce_expire to 6 hours
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "load_credentials", "")
modparam("auth_db", "use_domain", MULTIDOMAIN) # MULTIDOMAIN is 0

        # authenticate the REGISTER requests (uncomment to enable auth)
        if (!www_authorize("$td", "subscriber")) {
            if($? == -2 || $? == -3) {
                sl_send_reply("403","Forbidden auth ID");
                exit;
            } else {
                www_challenge("$td", "17");
                exit;
            }
        }

On INVITE:
        if (!proxy_authorize("$fd", "subscriber")) {
            if($? == -2 || $? == -3) {
                sl_send_reply("403","Forbidden auth ID");
                exit;
            } else {
                proxy_challenge("$fd", "17");
                xlog("L_INFO","INVITE challenged by 407 to :$di:$dp \n");
                exit;
            }
        }
        if (is_method("PUBLISH")) {
            if ($au!=$fU || $au!=$tU) {
                sl_send_reply("403","Forbidden auth ID");
                exit;
            }
            if ($au!=$rU) {
                sl_send_reply("403","Forbidden R-URI");
                exit;
            }
#!ifdef WITH_MULTIDOMAIN
            if ($fd!=$rd) {
                sl_send_reply("403","Forbidden R-URI domain");
                exit;
            }
#!endif
        }
Best regards,
Patrice B
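The response check that Klaus suggests below, together with the effect of nonce_count on a reused count, as an added Python example (it is not code from this thread and not Kamailio's own code). It parses the Authorization and Proxy-Authorization values quoted in the thread, computes the RFC 2617 digest response with qop=auth for each, and models nonce-count replay detection as a simplified per-nonce "highest nc accepted" table. Assumptions: the subscriber password is not on the list, so a placeholder is used; the NonceCountTracker class is an illustration of the idea and not Kamailio's nc_array implementation.

```python
"""Digest-response check and nonce-count replay model for the SIP headers in this thread."""
import hashlib
import re

# Constructed sample input: the Authorization / Proxy-Authorization values quoted in the
# thread. The subscriber password is not on the list, so a placeholder is used.
REGISTER_AUTH = (
    'Digest username="+33296488922@ims.v0.pftest.net", realm="sip:ims.v0.pftest.net", '
    'nonce="UDP43lAzpH7SjicT6+9/KDDloW4OTfTXoGWlZurBVut0JV604jox/QY+tVeA", '
    'uri="sip:ims.v0.pftest.net", response="4ed51b8e62cf769b19f8c4771e068ad3", '
    'cnonce="06440000000529330fe1", qop=auth, nc=00000011'
)
INVITE_AUTH = (
    'Digest username="+33296488922@ims.v0.pftest.net", realm="sip:ims.v0.pftest.net", '
    'nonce="UDP43lAzpH7SjicT6+9/KDDloW4OTfTXoGWlZurBVut0JV604jox/QY+tVeA", '
    'uri="sip:0157361149@ims.v0.pftest.net", response="b247052d6d5b37e0b6677c816390cb77", '
    'cnonce="06440000000529330fe1", qop=auth, nc=00000012'
)
PLACEHOLDER_PASSWORD = "placeholder-not-the-real-password"  # assumption: real one unknown


def parse_digest(header):
    """Split a 'Digest k=v, k="v"' credential into a dict (quoted and bare values)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest credential")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        key, quoted, bare = m.groups()
        params[key] = quoted if quoted is not None else bare
    return params


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """HA1 as stored when auth_db calculate_ha1 is used: MD5(user:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(params, method, password=None, ha1_value=None):
    """RFC 2617 response: MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop, MD5(HA1:nonce:HA2) without.
    HA2 = MD5(method:uri), so the same nonce yields a different response per request."""
    if ha1_value is None:
        ha1_value = ha1(params["username"], params["realm"], password)
    ha2 = md5_hex(f"{method}:{params['uri']}")
    if "qop" in params:
        parts = [ha1_value, params["nonce"], params["nc"], params["cnonce"], params["qop"], ha2]
    else:
        parts = [ha1_value, params["nonce"], ha2]
    return md5_hex(":".join(parts))


def response_matches(header, method, password):
    """True when the response in the header equals the one computed from the password."""
    params = parse_digest(header)
    return digest_response(params, method, password) == params["response"]


class NonceCountTracker:
    """Simplified model of nonce-count replay detection (an illustration, not Kamailio's
    nc_array implementation): per nonce, remember the highest nc accepted and reject any
    request whose nc does not increase."""

    def __init__(self):
        self.highest = {}

    def accept(self, nonce, nc_hex):
        nc = int(nc_hex, 16)
        if nc <= self.highest.get(nonce, 0):
            return False  # replayed or out-of-order count
        self.highest[nonce] = nc
        return True


def run_demo(password=PLACEHOLDER_PASSWORD):
    """Compute both responses and walk the nc sequence REGISTER -> INVITE -> replayed INVITE."""
    reg, inv = parse_digest(REGISTER_AUTH), parse_digest(INVITE_AUTH)
    tracker = NonceCountTracker()
    return {
        "same_nonce": reg["nonce"] == inv["nonce"],
        "register_response": digest_response(reg, "REGISTER", password),
        "invite_response": digest_response(inv, "INVITE", password),
        "nc_sequence": [tracker.accept(reg["nonce"], reg["nc"]),
                        tracker.accept(inv["nonce"], inv["nc"]),
                        tracker.accept(inv["nonce"], inv["nc"])],  # third one is a replay
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

With the real password in place of the placeholder, `response_matches(INVITE_AUTH, "INVITE", password)` tells you whether the client's response is computed correctly for the INVITE; a mismatch points at the wrong method or uri in HA2, or the wrong nc. The nc sequence shows why a count that does not increase is refused when nonce_count is enabled, independently of nonce expiry.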

-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at]
Sent: Thursday, 23 August 2012 07:58
To: SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List
Cc: BODEVEN Patrice RD-CORE
Subject: Re: [SR-Users] Kamailio - Nonce validity between Register and Invite

The nonce is globally valid until it expires (for all kinds of requests, 
IIRC you could also change the user).

Maybe your "internal" SIP client calculates the response wrong. You 
could test the response calculation with this website (do not use 'real' 
passwords):
http://pernau.at/kd/sipdigest.php

klaus

On 22.08.2012 10:51, patrice.bodeven at orange.com wrote:
> Hello,
>
> I am working on Kamailio 3.2.2. There is no traffic, only functional
> test done.
>
> Based on the SIP Client used until now (Xlite), the INVITE is
> systematically authenticated by 407 as there is no Proxy-Authorization
> in the initial INVITE. Expected/normal behavior.
>
> But when using an internal SIP client, the initial INVITE is generated
> with a Proxy-Authorization containing the nonce value used by the
> successful registration.
>
> _In Authorization of REGISTER (the answer is 200 OK)_
>
> Digest username="+33296488922 at ims.v0.pftest.net",
> realm="sip:ims.v0.pftest.net",
> nonce="UDP43lAzpH7SjicT6+9/KDDloW4OTfTXoGWlZurBVut0JV604jox/QY+tVeA",
> uri="sip:ims.v0.pftest.net",
> response="4ed51b8e62cf769b19f8c4771e068ad3",
> cnonce="06440000000529330fe1", qop=auth, nc=00000011
>
> _In Proxy-Authorization of INVITE_
>
> Digest username="+33296488922 at ims.v0.pftest.net",
> realm="sip:ims.v0.pftest.net",
> nonce="UDP43lAzpH7SjicT6+9/KDDloW4OTfTXoGWlZurBVut0JV604jox/QY+tVeA",
> uri="sip:0157361149 at ims.v0.pftest.net",
> response="b247052d6d5b37e0b6677c816390cb77",
> cnonce="06440000000529330fe1", qop=auth, nc=00000012
>
> As the nonce expire is high (see nonce_expire), I don't understand why
> Kamailio requests the Authentication of the INVITE by 407.
>
> _407 with Proxy-Authenticate_: Digest realm="ims.v0.pftest.net",
> nonce="UDP6pVAzpkWDF+jSlP3zzVYcuNPhY8NQBj62WIA=", qop="auth", stale=true
>
> *Does it mean that the REGISTER and INVITE are using different nonce
> values?*
>
> Information on my configuration file.
>
> modparam("auth_db", "db_url", DBURLAUTH)
> modparam("auth", "auth_checks_register", 6) # callid and From TAG
> modparam("auth", "qop", "auth")    # enable qop=auth
> modparam("auth", "nonce_count", 1) # enable nonce_count support
> modparam("auth", "nonce_expire", 21600)   # Set nonce_expire to 6 hours
>
> For register, I do
>
>     if (!www_authorize("$ru", "subscriber")) {
>         if($? == -2 || $? == -3) {
>             sl_send_reply("403","Forbidden auth ID");
>             exit;
>         } else {
>             www_challenge("$ru", "17");
>             exit;
>         }
>     }
>
> For invite, I do
>
>     if (!proxy_authorize("$fd", "subscriber")) {
>         if($? == -2 || $? == -3) {
>             sl_send_reply("403","Forbidden auth ID");
>             exit;
>         } else {
>             proxy_challenge("$fd", "17");
>             xlog("L_INFO","INVITE challenged by 407 to :$di:$dp \n");
>             exit;
>         }
>     }
>
> Followed by consume_credentials();
>
> Thanks in advance for your support.
>
> *Patrice B*
>
> _________________________________________________________________________________________________________________________
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, France Telecom - Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: Nonce reuse Invite.pcap
Type: application/octet-stream
Size: 21151 bytes
Desc: Nonce reuse Invite.pcap
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20120830/8190439e/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Nonce reuse Register.pcap
Type: application/octet-stream
Size: 6654 bytes
Desc: Nonce reuse Register.pcap
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20120830/8190439e/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kamailio.log
Type: application/octet-stream
Size: 144200 bytes
Desc: kamailio.log
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20120830/8190439e/attachment-0005.obj>

