[OpenSER-Users] authorization problems with multiple servers
Henning Westerholt
henning.westerholt at 1und1.de
Wed Sep 12 14:05:44 CEST 2007
On Wednesday 12 September 2007, Ben Smithurst wrote:
> I wrote:
> > We have a problem with clients authorizing (whether for INVITE or
> > REGISTER) against a pair of openser servers, served via either round
> > robin A records, or multiple equal preference SRV records.
> >
> > The problem in a nutshell is
> >
> > client sends INVITE to server 1
> > server 1 replies with authorization challenge
> > client sends INVITE with auth to server 2
> > server 2 doesn't like the 'nonce' value
> [..]
> For the record, and the benefit of anyone searching the archives for a
> similar problem, I was being stupid. Sorry to bother you all....
>
> I read the code and found a bit more. So, nonce values are not stored
> at all as far as I can tell, this was actually my initial thought about
> nonce values, I just couldn't work out why it wouldn't work across
> multiple servers.
>
> Turns out the default setup in openser (quite reasonably) is for the
> secret string used in generating the nonce to be generated at run time.
> If you use multiple servers it seems necessary to explicitly set the
> secret the same on all servers
>
> modparam("auth", "secret", "blah")
>
> I wonder if it is worth putting a note about this multiple server issue
> in the documentation for the 'secret' parameter - might just help people
> googling/reading docs to solve the problem. :-)
Hello Ben,
i've added a note about this topic to the module documentation. However, the
use of a shared (and fixed) secret as nonce is insecure, much better is to
stay with the default.
Cheers,
Henning
More information about the Users
mailing list