Daniel-Constantin Mierla-6 wrote
I looked at the code and the system time is used (not the internal value). Therefore, after detecting an invalid nonce, if you do challenge again, a nonce with the right time should be generated and used for authentication.
Look at the SIP trace to see if the nonce is regenerated and run with debug=3 to get more log messages that would help to investigate better.
Cheers, Daniel
On 20/08/15 10:05, Daniel-Constantin Mierla wrote:
Hello,
probably the module is using the time computed internally as start time plus elapsed seconds (counted internally). We can introduce an option to use the system time, which may add a bit of delay, but really insignificant. I will look into it these days.
Cheers, Daniel
On 18/08/15 22:44, Vasiliy Ganchev wrote:
Hi list! (sorry for sending the first mail to the wrong sub forum) I have the following issue: the server with Kamailio restarted with the wrong time (why - this is a separate part of my investigations), with a time shift of e.g. 2 hours into the future. After the ntp daemon adjusts to the correct time (moves time backwards), Kamailio does not accept REGISTERs; pv_www_authenticate answers with code -4 (nonce expired).
I've read the descriptions of: http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.p.nonce_expire and http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.p.nonce_auth_m...
These descriptions mention the situation with a backwards time shift from the future. As I understand, Kamailio does not authorise registrations whose nonces were generated in the future (before ntp shifted the time). But in my tests, Kamailio does not accept even a REGISTER from the UA sent after the time shift (with new nonces, which, as I expected, have to use the correct time for nonce generation and be authorised with no problem).
Only a Kamailio process restart helps to cope with the issue.
It looks like Kamailio uses the old time for nonce generation (in the future, from before the time shift).
I wonder, does Kamailio behave as expected in the described case? If I am wrong in some of my assumptions, please point it out.
version: kamailio 4.2.5
Thanks in advance! Cheers!
-- View this message in context: http://sip-router.1086192.n5.nabble.com/during-registration-nonce-expired-af... Sent from the Users mailing list archive at Nabble.com.
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@.sip-router
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-- Daniel-Constantin Mierla http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda Book: SIP Routing With Kamailio - http://www.asipto.com
Hi Daniel!
I dug into the sources and found one interesting point: https://github.com/kamailio/kamailio/blob/4.2/modules/auth/nonce.c#L370
Here Kamailio has a check:
    if (unlikely(since < up_since)) {
        /* if valid_since time is time pointing before ser was started
         * then we consider nonce as stalled. It may be the nonce generated
         * by previous ser instance having different length (for example
         * because of different auth. checks).. Therefore we force credentials
         * to be rebuilt by UAC without prompting for password */
        return 4;
    }

And in my case:
- up_since -> time in future (2 hours later)
- since -> current time (correct)

The check if (unlikely(since < up_since)) will return 4 as a result. This is exactly what I have.
As a workaround I excluded this check. Tested registrations/calls (when the big backward time shift happened) - they work.
But I wonder if there is a theoretically better way to solve the problem (maybe some periodic check that compares the current time and the up_since time and, on a backward shift, pulls up_since to the current time, or something different).
Anyway thanks for suggestions!
Cheers!
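The following C sketch is an added example, not code from Kamailio or from either poster. It models the quoted `since < up_since` check with a start time recorded two hours ahead of the real clock, and compares it with the "pull up_since to the current time" idea from the last message; the function names, constants and timestamps are assumptions made up for the illustration.

```c
#include <stdio.h>
#include <time.h>

#define NONCE_OK    0
#define NONCE_STALE 4   /* value returned by the quoted check */

/* The check as quoted in the thread: a nonce whose valid-since time
 * lies before the recorded process start time is treated as stale. */
static int check_nonce_since(time_t since, time_t up_since)
{
    return (since < up_since) ? NONCE_STALE : NONCE_OK;
}

/* Hypothetical helper: if the clock reads earlier than up_since, the
 * clock was stepped backwards, so lower up_since to the current time. */
static time_t clamp_up_since(time_t up_since, time_t now)
{
    return (now < up_since) ? now : up_since;
}

/* Issue n fresh nonces at now, now+1, ... and count how many the
 * check rejects, with or without the clamp applied first. */
static int count_rejected(time_t up_since, time_t now, int n, int clamp)
{
    int rejected = 0;
    for (int i = 0; i < n; i++) {
        time_t t = now + i;              /* "since" of a freshly issued nonce */
        if (clamp)
            up_since = clamp_up_since(up_since, t);
        if (check_nonce_since(t, up_since) != NONCE_OK)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    time_t real = 1439930000;            /* constructed: corrected wall-clock time */
    time_t up_since = real + 2 * 3600;   /* start time recorded 2 hours ahead */

    printf("without clamp: %d/5 fresh nonces rejected\n",
           count_rejected(up_since, real, 5, 0));
    printf("with clamp:    %d/5 fresh nonces rejected\n",
           count_rejected(up_since, real, 5, 1));
    return 0;
}
```

In this model the clamp only lowers `up_since`, so a nonce stamped while the clock was still ahead passes this particular check afterwards and has to be rejected by a separate expiry test.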