[SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS

Henning Westerholt hw at skalatan.de
Fri Aug 30 13:31:28 CEST 2019


Hello Laurent,

interesting.. Have you checked already if you see this different password results also on the network level if you look to the mysql client-server traffic? Then you should know at least it its related to kamailio or the database(s).

Cheers,

Henning

Am 30.08.19 um 10:18 schrieb Laurent Schweizer:
Hi Henning,
Hi all,

Maybe my first assumption was wrong,  the wrong result is changing ☹.

I have added some  extra debug info in modules/auth_db/authorize.c to display not only the calculated hash but also the username, domain and password


        if (calc_ha1) {
                /* Only plaintext passwords are stored in database,
                 * we have to calculate HA1 */
                auth_api.calc_HA1(HA_MD5, &_username->whole, _domain, &result,
                                0, 0, _ha1);
                LM_DBG("FOR NU HA1 string calculated: %s  username:\'%.*s\' realm:\'%.*s\' pass:\'%.*s\' \n", _ha1 ,  _username->user.len, ZSW(_username->user.s) , (_domain->len) , ZSW(_domain->s), result.len , result.s);
        } else {
                memcpy(_ha1, result.s, result.len);
                _ha1[result.len] = '\0';
        }

        return 0;

and I see for the same username different password …  of course password was not changed in DB
password are not random, it’s password from other user, just one case that is different is the “0”  (we don’t have any user with a password like this 😊 )

Aug 30 09:37:02 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 5057166924cd85addddf0250c36d24eb  username:'90707009764' realm:'pbxs.peoplefone.de' pass:'H3----------D'

Aug 30 09:37:02 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 7547ba1f80a651437908d050493086f9  username:'90707009764' realm:'pbxs.peoplefone.de' pass:'R3----------2'

Aug 30 09:37:03 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 8947348b1af4cba356532c3b49dba559  username:'90707009764' realm:'pbxs.peoplefone.de' pass:'72------s'

Aug 30 09:37:03 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 348ce71603d44a0dd3303d8e07e155d8  username:'90707009764' realm:'pbxs.peoplefone.de' pass:'X---------g'

Aug 30 09:37:04 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: 7fc7adfa1f3a18d27988ffbe42ecfdfd  username:'90707009764' realm:'pbxs.peoplefone.de' pass:'0'

Aug 30 09:37:35 de5029 kamailio[21409]: DEBUG: auth_db [authorize.c:199]: get_ha1(): FOR NU HA1 string calculated: b313ccfd2848fdc245cc1490607e6eb7  username:'90707009764' realm:'pbxs.peoplefone.de' pass:'s-------w'

I’m using a mysql/percona  DB with 3 server  so I’m using the db_cluster module…

Any idea ?


BR

Laurent


From: Henning Westerholt <hw at skalatan.de><mailto:hw at skalatan.de>
Sent: jeudi, 29 août 2019 18:28
To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org><mailto:sr-users at lists.kamailio.org>; Laurent Schweizer <laurent.schweizer at peoplefone.com><mailto:laurent.schweizer at peoplefone.com>
Subject: Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS


Hello Laurent,

(you might want to anonymize your msg dumps bit on this public list)

You probably did already this steps, but nevertheless some debugging ideas:

- capture a longer network trace and compare the network data of a working against non-working case

- try to see to find a pattern (e.g. does it happens during a certain time, only to certain users or devices)

- have a look to network interface statistics on server and router/firewall if maybe some corruption is caused from an interface

- have a look to other network services that are using the same network infrastructure to see if they are also affected

Cheers,

Henning
Am 29.08.19 um 10:58 schrieb Laurent Schweizer:
Hello,

I try to get some log,
I only see that password seems wrong but he was not changed and registration of this user was ok just before ☹

Any idea how to debug this ?

Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:288]: auth_check_response(): check_response: Our result = 'bc946bb4ea732eb35d11d0970631c6f8'
Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [api.c:298]: auth_check_response(): check_response: Authorization failed
Aug 29 10:21:38 de5029 kamailio[22615]: WARNING: <script>: auth error -2 username XXXX7011537 - src ip: 93.229.221.67
Aug 29 10:21:38 de5029 kamailio[22615]: ERROR: debugger [debugger_mod.c:581]: w_dbg_sip_msg(): CONFIG LINE 871
------------------------- START OF SIP message debug --------------------------
REGISTER sip:pbxs.peoplefone.de:5060 SIP/2.0^M
Via: SIP/2.0/TCP 192.168.2.113:5060;branch=z9hG4bK2816544140^M
From: "11 - Juergen XXXX" <sip:XXXX7011537 at pbxs.peoplefone.de:5060><mailto:sip:XXXX7011537 at pbxs.peoplefone.de:5060>;tag=4042485072^M
To: "11 - Juergen XXXX" <sip:XXXX7011537 at pbxs.peoplefone.de:5060><mailto:sip:XXXX7011537 at pbxs.peoplefone.de:5060>^M
Call-ID: 0_228669251 at 192.168.2.113^M<mailto:0_228669251 at 192.168.2.113%5eM>
CSeq: 3 REGISTER^M
Contact: <sip:XXXX7011537 at 192.168.2.113:5060;transport=TCP><mailto:sip:XXXX7011537 at 192.168.2.113:5060;transport=TCP>^M
Authorization: Digest username="XXXX7011537", realm="pbxs.peoplefone.de", nonce="XXXXXXxKoIygitcq45XMNGX2z9hwn", uri="sip:pbxs.peoplefone.de:5060", response="XXXXXX7142356b40754f30e0dc6cd", algorithm=MD5^M
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE^M
Max-Forwards: 69^M
User-Agent: Yealink SIP-T42S 66.82.0.30^M
Expires: 300^M
Allow-Events: talk,hold,conference,refer,check-sync^M
Content-Length: 0^M
^M
------------------------------ SIP header diffs -------------------------------
------------------------------- SIP body diffs --------------------------------
-------------------------- END OF SIP message debug ---------------------------
Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [challenge.c:165]: get_challenge_hf(): realm='pbxs.peoplefone.de'
Aug 29 10:21:38 de5029 kamailio[22615]: DEBUG: auth [challenge.c:275]: get_challenge_hf(): auth: 'WWW-Authenticate: Digest realm="pbxs.peoplefone.de", nonce="XXXXXXxKoIygitcq45XMNGX2z9hwn"^M




From: sr-users <sr-users-bounces at lists.kamailio.org><mailto:sr-users-bounces at lists.kamailio.org> On Behalf Of Laurent Schweizer
Sent: lundi, 26 août 2019 14:04
To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org><mailto:sr-users at lists.kamailio.org>
Subject: Re: [SR-Users] Kamailio 5.0.8 | authentification issue only with TCP/TLS

Wireshark was missing .

From: Laurent Schweizer
Sent: lundi, 26 août 2019 10:25
To: 'Kamailio (SER) - Users Mailing List' <sr-users at lists.kamailio.org<mailto:sr-users at lists.kamailio.org>>
Subject: Kamailio 5.0.8 | authentification issue only with TCP/TLS

Dear all,

I have a kamailio running in version 5.0.8 and since fee weeks we have an issue with different users connected in TCP or TLS, sometimes authorization like for REGISTER are rejected and after a moment (can be few minute or hours) it work again and of course no change was done in the password ….

We see this issue with different device, snom swyx, …  and on UDP we have no issue.

I can see that when the Register is rejected it’s with the error -2, so wrong password…

# Authentication route
route[AUTH] {
        if (is_method("REGISTER"))
        {
                # authenticate requests
                if (!auth_check("$fd", "subscriber", "1")) {

                        switch($retcode) {
                                case -1:
                                        sl_send_reply("503","Service not available");
                                        exit;
                                case -2:
                                         xlog("L_WARN", "auth error -2 username $au - src ip: $si \n");
                                        auth_challenge("$fd", "0");
                                        exit;


I have attached an example of a trace where we can see a first REGISTER accepted and  less than 2 minutes after a new one is rejected. ( in between they is a REGISTER without any Authorization header)

Any idea ?

BR

Laurent



_______________________________________________

Kamailio (SER) - Users Mailing List

sr-users at lists.kamailio.org<mailto:sr-users at lists.kamailio.org>

https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

--

Henning Westerholt - https://skalatan.de/blog/

Kamailio services - https://skalatan.de/services

--
Henning Westerholt - https://skalatan.de/blog/
Kamailio services - https://skalatan.de/services
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20190830/0fee0265/attachment.html>


More information about the sr-users mailing list