Hi
We have a problem with clients authorizing (whether for INVITE or REGISTER) against a pair of openser servers, served via either round robin A records, or multiple equal preference SRV records.
The problem in a nutshell is
client sends INVITE to server 1 server 1 replies with authorization challenge client sends INVITE with auth to server 2 server 2 doesn't like the 'nonce' value
Now, this only happens via our nat proxy, as far as we can tell, so I think the problem lies there (and I have contacted the vendor of that system). However I wonder if there is any way to make openser work in such a setup, in case other client do the same thing (which IMO is quite a stupid thing to do) ... would the valid 'nonce' values need to be stored in the DB?
Incidentally we are using mysql authentication and we are using usrloc in db_mode 3, with both openser machines pointed at the same mysql server. We're using a pretty recent openser SVN revision (dev15).
Any tips would be appreciated.
thanks -ben
I wrote:
We have a problem with clients authorizing (whether for INVITE or REGISTER) against a pair of openser servers, served via either round robin A records, or multiple equal preference SRV records.
The problem in a nutshell is
client sends INVITE to server 1 server 1 replies with authorization challenge client sends INVITE with auth to server 2 server 2 doesn't like the 'nonce' value
Now, this only happens via our nat proxy, as far as we can tell, so I think the problem lies there (and I have contacted the vendor of that system). However I wonder if there is any way to make openser work in such a setup, in case other client do the same thing (which IMO is quite a stupid thing to do) ... would the valid 'nonce' values need to be stored in the DB?
Incidentally we are using mysql authentication and we are using usrloc in db_mode 3, with both openser machines pointed at the same mysql server. We're using a pretty recent openser SVN revision (dev15).
For the record, and the benefit of anyone searching the archives for a similar problem, I was being stupid. Sorry to bother you all....
I read the code and found a bit more. So, nonce values are not stored at all as far as I can tell, this was actually my initial thought about nonce values, I just couldn't work out why it wouldn't work across multiple servers.
Turns out the default setup in openser (quite reasonably) is for the secret string used in generating the nonce to be generated at run time. If you use multiple servers it seems necessary to explicitly set the secret the same on all servers
modparam("auth", "secret", "blah")
I wonder if it is worth putting a note about this multiple server issue in the documentation for the 'secret' parameter - might just help people googling/reading docs to solve the problem. :-)
cheers -ben
On Wednesday 12 September 2007, Ben Smithurst wrote:
I wrote:
We have a problem with clients authorizing (whether for INVITE or REGISTER) against a pair of openser servers, served via either round robin A records, or multiple equal preference SRV records.
The problem in a nutshell is
client sends INVITE to server 1 server 1 replies with authorization challenge client sends INVITE with auth to server 2 server 2 doesn't like the 'nonce' value
[..] For the record, and the benefit of anyone searching the archives for a similar problem, I was being stupid. Sorry to bother you all....
I read the code and found a bit more. So, nonce values are not stored at all as far as I can tell, this was actually my initial thought about nonce values, I just couldn't work out why it wouldn't work across multiple servers.
Turns out the default setup in openser (quite reasonably) is for the secret string used in generating the nonce to be generated at run time. If you use multiple servers it seems necessary to explicitly set the secret the same on all servers
modparam("auth", "secret", "blah")
I wonder if it is worth putting a note about this multiple server issue in the documentation for the 'secret' parameter - might just help people googling/reading docs to solve the problem. :-)
Hello Ben,
i've added a note about this topic to the module documentation. However, the use of a shared (and fixed) secret as nonce is insecure, much better is to stay with the default.
Cheers,
Henning
Henning Westerholt wrote:
i've added a note about this topic to the module documentation. However, the use of a shared (and fixed) secret as nonce is insecure, much better is to stay with the default.
ok, thanks.
I will see what the vendors of our nat proxy come back with regarding the problem, as it only seems to happen there, so far.
cheers -ben
-
Ben Smithurst -
Henning Westerholt