Re: [SR-Users] Kamailio - Nonce validity between Register and Invite

Hello, Sorry, but i am blocked on the nonce reuse between the Register and the INVITE even with the info provided in debug mode. My understanding is Nonce should be valid between SIP methods until the nonce is valid in the time. But I don't know how the Nonce is stored and how Kamailio is looking for the nonce into the memory ! I did a test on Register => nonce reuse is ok. I did a test on INVITE => nonce reuse of Register or on previous INVITE doesn't work ! But based on the site indicated below and the SIPP (generate the INVITE with the Nonce of Register), the result is auth_db [authorize.c:271]: realm value [openims-kamailio-1.mycluster] auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1 auth [api.c:147]: auth:pre_auth: Invalid nonce value received But there is no explanation why the nonce is invalid. See the wireshark trace : the nonce into the Invite is the same as the nonce used in the Register. Thank you for your help. Note - One_time_nonce is set at default value. # ----- registrar params ----- modparam("registrar", "method_filtering", 1) /* uncomment the next line to disable parallel forking via location */ # modparam("registrar", "append_branches", 0) /* uncomment the next line not to allow more than 2 contacts per AOR */ modparam("registrar", "max_contacts", 2) # max value for expires of registrations modparam("registrar", "max_expires", 3600) # remove the sip from the realm modparam("registrar", "realm_prefix", "sip:") #!ifdef WITH_USRLOCDB modparam("usrloc", "db_url", DBURLAUTH) modparam("usrloc", "db_mode", 0) modparam("usrloc", "use_domain", MULTIDOMAIN) modparam("usrloc", "hash_size", 15) # size of table 30k users modparam("usrloc", "timer_interval", 180) # Every 180s request to DB to delete expired contacts #!endif #!ifdef WITH_AUTH modparam("auth_db", "db_url", DBURLAUTH) modparam("auth", "auth_checks_register", 6) # callid and From TAG modparam("auth", "qop", "auth") # enable qop=auth modparam("auth", "nonce_count", 1) # enable nonce_count support #modparam("auth", "nc_array_order", 20) # 2 puissance 20 - 1M in-flight nonces, using 1Mb memory #modparam("auth", "nid_pool_no", 4) modparam("auth", "nonce_expire", 21600) # Set nonce_expire to 6 hours modparam("auth_db", "calculate_ha1", yes) modparam("auth_db", "password_column", "password") modparam("auth_db", "load_credentials", "") modparam("auth_db", "use_domain", MULTIDOMAIN) (multidomain is 0) # authenticate the REGISTER requests (uncomment to enable auth) if (!www_authorize("$td", "subscriber")) { if($? == -2 || $? == -3) { sl_send_reply("403","Forbidden auth ID"); exit; } else { www_challenge("$td", "17"); exit; } } Sur invite : if (!proxy_authorize("$fd", "subscriber")) { if($? == -2 || $? == -3) { sl_send_reply("403","Forbidden auth ID"); exit; } else { proxy_challenge("$fd", "17"); xlog("L_INFO","INVITE challenged by 407 to :$di:$dp \n"); exit; } } if (is_method("PUBLISH")) { if ($au!=$fU || $au!=$tU) { sl_send_reply("403","Forbidden auth ID"); exit; } if ($au!=$rU) { sl_send_reply("403","Forbidden R-URI"); exit; } #!ifdef WITH_MULTIDOMAIN if ($fd!=$rd) { sl_send_reply("403","Forbidden R-URI domain"); exit; } #!endif } Cordialement/ Best regards Patrice B -----Message d'origine----- De : Klaus Darilion [mailto:klaus.mailinglists@pernau.at] Envoyé : jeudi 23 août 2012 07:58 À : SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List Cc : BODEVEN Patrice RD-CORE Objet : Re: [SR-Users] Kamailio - Nonce validity between Register and Invite The nonce is globally valid until it expires (for all kind of requests, IIRC you could also change the user). Maybe your "internal" SIP clients calculates the response wrong. You could test the response calculation with this website (do not use 'real' passwords): http://pernau.at/kd/sipdigest.php klaus On 22.08.2012 10:51, patrice.bodeven(a)orange.com wrote: _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, France Telecom - Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, France Telecom - Orange is not liable for messages that have been modified, changed or falsified. Thank you.