authorization problems with multiple servers

Hi

We have a problem with clients authorizing (whether for
INVITE or
REGISTER) against a pair of openser servers, served via
either round
robin A records, or multiple equal preference SRV records.

The problem in a nutshell is

client sends INVITE to server 1
server 1 replies with authorization challenge
client sends INVITE with auth to server 2
server 2 doesn't like the 'nonce' value

Now, this only happens via our nat proxy, as far as we can
tell, so I
think the problem lies there (and I have contacted the
vendor of that
system).  However I wonder if there is any way to make
openser work in
such a setup, in case other client do the same thing (which
IMO is quite
a stupid thing to do) ... would the valid 'nonce' values
need to be
stored in the DB?

Incidentally we are using mysql authentication and we are
using usrloc
in db_mode 3, with both openser machines pointed at the same
mysql
server.  We're using a pretty recent openser SVN revision
(dev15).

Any tips would be appreciated.

thanks
-ben

-- 
Ben Smithurst
http://www.bensmithurst.
com/

_______________________________________________
Users mailing list
Usersopenser.org
htt
p://openser.org/cgi-bin/mailman/listinfo/users

I wrote:

> We have a problem with clients authorizing (whether for
INVITE or
> REGISTER) against a pair of openser servers, served via
either round
> robin A records, or multiple equal preference SRV
records.
> 
> The problem in a nutshell is
> 
> client sends INVITE to server 1
> server 1 replies with authorization challenge
> client sends INVITE with auth to server 2
> server 2 doesn't like the 'nonce' value
> 
> Now, this only happens via our nat proxy, as far as we
can tell, so I
> think the problem lies there (and I have contacted the
vendor of that
> system).  However I wonder if there is any way to make
openser work in
> such a setup, in case other client do the same thing
(which IMO is quite
> a stupid thing to do) ... would the valid 'nonce'
values need to be
> stored in the DB?
> 
> Incidentally we are using mysql authentication and we
are using usrloc
> in db_mode 3, with both openser machines pointed at the
same mysql
> server.  We're using a pretty recent openser SVN
revision (dev15).

For the record, and the benefit of anyone searching the
archives for a
similar problem, I was being stupid.  Sorry to bother you
all....

I read the code and found a bit more.  So, nonce values are
not stored
at all as far as I can tell, this was actually my initial
thought about
nonce values, I just couldn't work out why it wouldn't work
across
multiple servers.

Turns out the default setup in openser (quite reasonably) is
for the
secret string used in generating the nonce to be generated
at run time.
If you use multiple servers it seems necessary to explicitly
set the
secret the same on all servers

modparam("auth", "secret",
"blah")

I wonder if it is worth putting a note about this multiple
server issue
in the documentation for the 'secret' parameter - might just
help people
googling/reading docs to solve the problem. 

cheers
-ben

-- 
Ben Smithurst
http://www.bensmithurst.
com/

_______________________________________________
Users mailing list
Usersopenser.org
htt
p://openser.org/cgi-bin/mailman/listinfo/users

On Wednesday 12 September 2007, Ben Smithurst wrote:
> I wrote:
> > We have a problem with clients authorizing
(whether for INVITE or
> > REGISTER) against a pair of openser servers,
served via either round
> > robin A records, or multiple equal preference SRV
records.
> >
> > The problem in a nutshell is
> >
> > client sends INVITE to server 1
> > server 1 replies with authorization challenge
> > client sends INVITE with auth to server 2
> > server 2 doesn't like the 'nonce' value
> [..]
> For the record, and the benefit of anyone searching the
archives for a
> similar problem, I was being stupid.  Sorry to bother
you all....
>
> I read the code and found a bit more.  So, nonce values
are not stored
> at all as far as I can tell, this was actually my
initial thought about
> nonce values, I just couldn't work out why it wouldn't
work across
> multiple servers.
>
> Turns out the default setup in openser (quite
reasonably) is for the
> secret string used in generating the nonce to be
generated at run time.
> If you use multiple servers it seems necessary to
explicitly set the
> secret the same on all servers
>
> modparam("auth", "secret",
"blah")
>
> I wonder if it is worth putting a note about this
multiple server issue
> in the documentation for the 'secret' parameter - might
just help people
> googling/reading docs to solve the problem. 

Hello Ben,

i've added a note about this topic to the module
documentation. However, the 
use of a shared (and fixed) secret as nonce is insecure,
much better is to 
stay with the default. 

Cheers,

Henning

_______________________________________________
Users mailing list
Usersopenser.org
htt
p://openser.org/cgi-bin/mailman/listinfo/users

Henning Westerholt wrote:

> i've added a note about this topic to the module
documentation. However, the 
> use of a shared (and fixed) secret as nonce is
insecure, much better is to 
> stay with the default. 

ok, thanks.

I will see what the vendors of our nat proxy come back with
regarding
the problem, as it only seems to happen there, so far.

cheers
-ben

-- 
Ben Smithurst
http://www.bensmithurst.
com/

_______________________________________________
Users mailing list
Usersopenser.org
htt
p://openser.org/cgi-bin/mailman/listinfo/users