12 Sep
2007
12 Sep
'07
12:39 p.m.
Hi
We have a problem with clients authorizing (whether for INVITE or
REGISTER) against a pair of openser servers, served via either round
robin A records, or multiple equal preference SRV records.
The problem in a nutshell is
client sends INVITE to server 1
server 1 replies with authorization challenge
client sends INVITE with auth to server 2
server 2 doesn't like the 'nonce' value
Now, this only happens via our nat proxy, as far as we can tell, so I
think the problem lies there (and I have contacted the vendor of that
system). However I wonder if there is any way to make openser work in
such a setup, in case other client do the same thing (which IMO is quite
a stupid thing to do) ... would the valid 'nonce' values need to be
stored in the DB?
Incidentally we are using mysql authentication and we are using usrloc
in db_mode 3, with both openser machines pointed at the same mysql
server. We're using a pretty recent openser SVN revision (dev15).
Any tips would be appreciated.
thanks
-ben
--
Ben Smithurst
http://www.bensmithurst.com/
12 Sep
12 Sep
1:24 p.m.
I wrote:
We have a problem with clients authorizing (whether
for INVITE or
REGISTER) against a pair of openser servers, served via either round
robin A records, or multiple equal preference SRV records.
The problem in a nutshell is
client sends INVITE to server 1
server 1 replies with authorization challenge
client sends INVITE with auth to server 2
server 2 doesn't like the 'nonce' value
Now, this only happens via our nat proxy, as far as we can tell, so I
think the problem lies there (and I have contacted the vendor of that
system). However I wonder if there is any way to make openser work in
such a setup, in case other client do the same thing (which IMO is quite
a stupid thing to do) ... would the valid 'nonce' values need to be
stored in the DB?
Incidentally we are using mysql authentication and we are using usrloc
in db_mode 3, with both openser machines pointed at the same mysql
server. We're using a pretty recent openser SVN revision (dev15).
For the record, and the benefit of anyone searching the archives for a
similar problem, I was being stupid. Sorry to bother you all....
I read the code and found a bit more. So, nonce values are not stored
at all as far as I can tell, this was actually my initial thought about
nonce values, I just couldn't work out why it wouldn't work across
multiple servers.
Turns out the default setup in openser (quite reasonably) is for the
secret string used in generating the nonce to be generated at run time.
If you use multiple servers it seems necessary to explicitly set the
secret the same on all servers
modparam("auth", "secret", "blah")
I wonder if it is worth putting a note about this multiple server issue
in the documentation for the 'secret' parameter - might just help people
googling/reading docs to solve the problem. :-)
cheers
-ben
--
Ben Smithurst
http://www.bensmithurst.com/
3:05 p.m.
On Wednesday 12 September 2007, Ben Smithurst wrote:
I wrote:
Hello Ben,
i've added a note about this topic to the module documentation. However, the
use of a shared (and fixed) secret as nonce is insecure, much better is to
stay with the default.
Cheers,
Henning
We have a problem with clients authorizing
(whether for INVITE or
REGISTER) against a pair of openser servers, served via either round
robin A records, or multiple equal preference SRV records.
The problem in a nutshell is
client sends INVITE to server 1
server 1 replies with authorization challenge
client sends INVITE with auth to server 2
server 2 doesn't like the 'nonce' value
[..]
For the record, and the benefit of anyone searching the archives for a
similar problem, I was being stupid. Sorry to bother you all....
I read the code and found a bit more. So, nonce values are not stored
at all as far as I can tell, this was actually my initial thought about
nonce values, I just couldn't work out why it wouldn't work across
multiple servers.
Turns out the default setup in openser (quite reasonably) is for the
secret string used in generating the nonce to be generated at run time.
If you use multiple servers it seems necessary to explicitly set the
secret the same on all servers
modparam("auth", "secret", "blah")
I wonder if it is worth putting a note about this multiple server issue
in the documentation for the 'secret' parameter - might just help people
googling/reading docs to solve the problem. :-)
6:09 p.m.
Henning Westerholt wrote:
i've added a note about this topic to the module
documentation. However, the
use of a shared (and fixed) secret as nonce is insecure, much better is to
stay with the default.
ok, thanks.
I will see what the vendors of our nat proxy come back with regarding
the problem, as it only seems to happen there, so far.
cheers
-ben
--
Ben Smithurst
http://www.bensmithurst.com/
6281
days inactive
6281
days old
3 comments
2 participants
participants (2)
-
Ben Smithurst -
Henning Westerholt