Hi list! (Sorry for sending the first mail to the wrong sub-forum.) I have the following issue: a server with Kamailio restarts with the wrong time (why is a separate part of my investigation), with a time shift of e.g. 2 hours into the future. After the ntp daemon adjusts to the correct time (moves the time backwards), Kamailio does not accept REGISTERs; pv_www_authenticate answers with code -4 (nonce expired).
I've read the descriptions of: http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.p.nonce_expire and http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.p.nonce_auth_m...
These descriptions mention the situation of a backwards time shift from the future. As I understand it, Kamailio does not authorise registrations whose nonces were generated in the future (before ntp shifted the time). But in my tests, Kamailio does not accept even a REGISTER from a UA sent after the time shift (with new nonces, which I expected to use the correct time for nonce generation and to be authorised with no problem).
Only a Kamailio process restart helps to cope with the issue.
It looks like Kamailio uses the old time for nonce generation (in the future, from before the time shift).
I wonder, does Kamailio behave as expected in the described case? If I am wrong in some of my assumptions, please point it out.
version: kamailio 4.2.5
Thanks in advance! Cheers!
-- View this message in context: http://sip-router.1086192.n5.nabble.com/during-registration-nonce-expired-af... Sent from the Users mailing list archive at Nabble.com.
Hello,
probably the module is using the time computed internally as start time plus elapsed seconds (counted internally). We can introduce an option to use the system time, which may add a bit of delay, but really insignificant. I will look into it these days.
Cheers, Daniel
On 18/08/15 22:44, Vasiliy Ganchev wrote:
[...]
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
I looked at the code and the system time is used (not the internal value). Therefore, after detecting an invalid nonce, if you do challenge again, a nonce with the right time should be generated and used for authentication.
Look at the sip trace to see if the nonce is regenerated and run with debug=3 to get more log messages that would help to investigate better.
Cheers, Daniel
On 20/08/15 10:05, Daniel-Constantin Mierla wrote:
[...]
-- Daniel-Constantin Mierla http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda Book: SIP Routing With Kamailio - http://www.asipto.com
Hi Daniel!
Thanks for the suggestions, I will check again with Debug=3, and try to find out what is going wrong. Anyway, after investigation, will tell what I found.
Cheers!
Hi Daniel!
I dug into the sources and found one interesting point: https://github.com/kamailio/kamailio/blob/4.2/modules/auth/nonce.c#L370
Here Kamailio has a check:
    if (unlikely(since < up_since)) {
        /* if valid_since time is time pointing before ser was started
         * then we consider nonce as stalled.
           It may be the nonce generated by previous ser instance having
           different length (for example because of different auth.
           checks)..  Therefore we force credentials to be rebuilt by UAC
           without prompting for password */
        return 4;
    }
And in my case:
- up_since -> time in future (2 hours later)
- since -> current time (correct)
The check if (unlikely(since < up_since)) will return 4 as a result. This is exactly what I have.
As a workaround I exclude this check. Tested registrations/calls (when the big backward time shift happened) - work.
But I wonder if there is a theoretically better way to solve the problem (maybe some periodic check that compares the current time with the up_since time and, on a backward shift, pulls up_since to the current time, or something different).
Anyway thanks for suggestions!
Cheers!
Hi Daniel!
Any comments/idea about my last answer?
cheers
Hello,
good that you revived the thread, it got out of my sight being distracted by other stuff.
I think that check has to be kept there, because it covers some situations that can appear after restart, so removing it completely won't be safe.
It can be a solution to reset up_since in this case, if time(0) is lower than up_since, like:
    if (unlikely(since < up_since)) {
        /* if valid_since time is time pointing before ser was started
         * then we consider nonce as stalled.
           It may be the nonce generated by previous ser instance having
           different length (for example because of different auth.
           checks)..  Therefore we force credentials to be rebuilt by UAC
           without prompting for password */

        /* if current time is less than start time, reset the start time
           (e.g., after start, the system clock was set in the past) */
        t=time(0);
        if(t<up_since)
            up_since=t;

        return 4;
    }
Can you test with this change and see if it works as expected for you?
There will be a failed iteration, but then it should recover for that process. It may actually be even better to test if since >= t and don't 'return 4' in that case.
Cheers, Daniel
On 01/09/15 16:49, Vasiliy Ganchev wrote:
[...]
Hi!
Tested with this part: + /* if current time is less than start time, reset the start time + (e.g., after start, the system clock was set in the past) */ + t=time(0); + if (t < up_since) + up_since = t; + return 4;
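Review bot: the unconditional `return 4;` on the last added line still rejects the request that triggered the reset of `up_since`, so the first REGISTER handled after a backward clock step is answered with "nonce expired" even though its nonce carries the correct time. Consider deciding staleness from `since` and `t` once `up_since` has been pulled back, and logging when `t < up_since` so the clock step is visible to operators. The hunk does not show a declaration for `t`; please confirm it exists in the enclosing function.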
Works as expected (one iteration returns nonce expired, and after that it starts working OK).
One more point: the output of kamcmd core.uptime always returns the up_since time in the future.
kamcmd core.uptime
{
    now: Wed Sep 2 16:04:18 2015
    up_since: Wed Sep 2 18:00:08 2015
    uptime: -6950
}
I do not understand how (or, mostly, even why) to use this: "since >= t and don't 'return 4' in that case". Such a check is part of the next step in nonce.c.
cheers
Hello,
the rpc process doesn't have the up_since value updated, because it is stored in a local variable per process, thus only the sip worker process updated its value. Probably they need a fix as well in this case.
Regarding:
""" Do not understand how (mostly even why) to use this: / since >= t and don't 'return 4' in that case. / Such check is part of next step in the nonce.c """
If the test of since vs t is done next, then it looks like the "return 4" line can be removed to avoid the one iteration with nonce expired.
Cheers, Daniel
On 02/09/15 16:08, Vasiliy Ganchev wrote:
[...]
Hi!
tested with: + /* if current time is less than start time, reset the start time + (e.g., after start, the system clock was set in the past) */ + t=time(0); + if (t < up_since) + up_since = t; + if (since < t) + return 4; + }
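Review bot: with the added `if (since < t) return 4;`, a nonce gets past this block only when `since >= t`, that is when the reply is checked in the same second the nonce was issued (or the nonce carries a later time); a reply that arrives a second after the challenge still returns 4 once after a backward clock step. That costs one re-challenge and then recovers because `up_since` has been reset, but a comment stating it would help, and braces around the bodies of `if (t < up_since)` and `if (since < t)` would make the nesting explicit.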
There is no iteration with nonce expired. Is it OK?
If yes, I think we can close this discussion (will you push the changes to master branch?) Many thanks )
Hello,
can you make a pull request on github with the last patch you tested? It will be easier to merge, avoiding extra tests here -- just be sure the commit message is formatted according to:
* http://www.kamailio.org/wiki/devel/github-contributions
Cheers, Daniel
On 03/09/15 09:53, Vasiliy Ganchev wrote:
[...]
The pull request is prepared; I hope it is well formatted (I did not have such experience before).
Daniel, thank you for spending time on this issue, and for the help in finding the right way )
I merged the pull request.
The commit message was close to the recommended format -- the first line should have been:
auth: fixed issue when ...
In the commit is the other one.
Cheers, Daniel
On 03/09/15 10:48, Vasiliy Ganchev wrote:
[...]
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
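The three variants of the up_since check discussed in this thread, as an added C model (not Kamailio's nonce.c; the enum, the function names and the timestamps are constructed for illustration, and the checks that follow in the real function are not modelled). It counts how many challenge rounds are rejected after the clock is stepped back, including the case where the UA answers in a later second than the nonce was issued.

```c
#include <stdio.h>
#include <time.h>

/* Added illustration: names follow the thread (since, up_since, t), but this
 * is a stand-alone model, not Kamailio's nonce.c. Return 4 = nonce stale,
 * 0 = this check passed (later checks in the real function are not modelled). */
enum variant { ORIGINAL, RESET_THEN_REJECT, RESET_THEN_COMPARE };

static int check_up_since(enum variant v, time_t since, time_t t, time_t *up_since)
{
    if (since < *up_since) {
        if (v == ORIGINAL)
            return 4;
        /* clock was set back after start: pull the start time to now */
        if (t < *up_since)
            *up_since = t;
        if (v == RESET_THEN_REJECT || since < t)
            return 4;
    }
    return 0;
}

/* Constructed scenario: one worker started while the clock ran 2 h ahead,
 * then NTP stepped it back. Each round the server issues a nonce at `clock`
 * and the UA answers `gap` seconds later. Returns the number of rejected
 * rounds before a request passes, or -1 if none passes in max_rounds. */
static int rejected_rounds(enum variant v, time_t gap, int max_rounds)
{
    time_t clock = 1000100;              /* correct time after the NTP step */
    time_t up_since = 1000000 + 7200;    /* start time recorded 2 h in the future */
    int rejected = 0;

    for (int i = 0; i < max_rounds; i++) {
        time_t since = clock;            /* nonce issued now */
        time_t t = clock + gap;          /* response checked gap seconds later */
        if (check_up_since(v, since, t, &up_since) == 0)
            return rejected;
        rejected++;
        clock = t;                       /* re-challenge sent with the rejection */
    }
    return -1;
}

/* A nonce issued by a previous instance must stay stale in every variant. */
static int previous_instance_nonce(enum variant v)
{
    time_t up_since = 1000000;           /* correct clock at start */
    return check_up_since(v, 999000, 1000050, &up_since);
}

int main(void)
{
    const char *names[] = { "original", "reset, return 4", "reset, since < t" };
    for (int v = ORIGINAL; v <= RESET_THEN_COMPARE; v++)
        printf("%-18s gap0=%d gap1=%d old-instance=%d\n", names[v],
               rejected_rounds(v, 0, 5), rejected_rounds(v, 1, 5),
               previous_instance_nonce(v));
    return 0;
}
```

The original check never recovers without a restart, the first patch costs one rejected round, and the merged patch costs none only when the reply is checked in the same second as the challenge.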