On Wednesday 12 September 2007, Ben Smithurst wrote:
I wrote:
We have a problem with clients authorizing (whether for INVITE or
REGISTER) against a pair of openser servers, served via either round
robin A records, or multiple equal preference SRV records.
The problem in a nutshell is:
client sends INVITE to server 1
server 1 replies with authorization challenge
client sends INVITE with auth to server 2
server 2 doesn't like the 'nonce' value
[..]
For the record, and the benefit of anyone searching the archives for a
similar problem, I was being stupid. Sorry to bother you all....
I read the code and found a bit more. So, nonce values are not stored
at all as far as I can tell, this was actually my initial thought about
nonce values, I just couldn't work out why it wouldn't work across
multiple servers.
Turns out the default setup in openser (quite reasonably) is for the
secret string used in generating the nonce to be generated at run time.
If you use multiple servers it seems necessary to explicitly set the
secret the same on all servers:
    modparam("auth", "secret", "blah")
I wonder if it is worth putting a note about this multiple server issue
in the documentation for the 'secret' parameter - might just help people
googling/reading docs to solve the problem. :-)
Hello Ben,
I've added a note about this topic to the module documentation. However, the
use of a shared (and fixed) secret as nonce is insecure, much better is to
stay with the default.
Cheers,
Henning
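
The failure described in this thread, as an added example that is not part of the original messages and not openser's own code: a simplified model of a stateless digest nonce, where the server stores nothing and instead recomputes a keyed hash over the expiry time. The nonce layout (8 hex digits of expiry followed by MD5 over expiry and secret), the 300-second lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
import time

NONCE_LIFETIME = 300  # seconds; constructed value for this example


def make_nonce(secret: bytes, now: int) -> str:
    """Stateless nonce: 8 hex digits of expiry time + MD5(expiry || secret)."""
    expires = f"{now + NONCE_LIFETIME:08x}"
    return expires + hashlib.md5(expires.encode() + secret).hexdigest()


def check_nonce(nonce: str, secret: bytes, now: int) -> str:
    """Return 'ok', 'malformed', 'bad-secret' or 'expired'."""
    if not re.fullmatch(r"[0-9a-f]{40}", nonce):
        return "malformed"
    expires, digest = nonce[:8], nonce[8:]
    # Nothing is looked up: the server recomputes the hash with its own secret.
    expected = hashlib.md5(expires.encode() + secret).hexdigest()
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return "bad-secret"
    if int(expires, 16) < now:
        return "expired"
    return "ok"


def challenge_then_retry(secret_1: bytes, secret_2: bytes, now: int) -> str:
    """Server 1 issues the challenge; the retry with credentials reaches server 2."""
    nonce = make_nonce(secret_1, now)
    return check_nonce(nonce, secret_2, now + 1)


if __name__ == "__main__":
    now = int(time.time())
    # Each server draws its own secret at start-up, as in the default setup.
    print("per-server secrets:",
          challenge_then_retry(os.urandom(32), os.urandom(32), now))
    # The same secret value configured on both servers.
    shared = os.urandom(32)
    print("shared secret:    ", challenge_then_retry(shared, shared, now))
```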