Daniel-Constantin Mierla-6 wrote > I looked at the code and the system time is used (not the the internal > value). Therefore, after detecting and invalid nonce, if you do > challenge again, a nonce with the right time should be generated and > used for authentication. > > Look at sip trace to see if nonce is regenerated and run with debug=3 to > get more log message that would help to investigate better. > > Cheers, > Daniel > > On 20/08/15 10:05, Daniel-Constantin Mierla wrote: >> Hello, >> >> probably the module is using the time computed internally as start time >> plus elapsed seconds (counted internally). We can introduce an option to >> use the system time, which may add a bit of delay, but really >> insignificant. I will look into it these days. >> >> Cheers, >> Daniel >> >> >> On 18/08/15 22:44, Vasiliy Ganchev wrote: >>> Hi list! >>> (sorry for sending first mail to wrong sub forum) >>> Have a following issue: >>> Server with Kamailio restart with wrong time (why - this is separate >>> part of >>> my investigations), timeshift e.g. for 2 hours in feature. >>> After ntp daemon adjust correct time (move time backwards), Kamailio do >>> not >>> accept REGISTERs, pv_www_authenticate answer with code -4 (nonce >>> expired) >>> >>> I've reade the description of: >>> http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.p.nonce_expire >>> and >>> http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.p.nonce_auth_max_drift >>> >>> This descriptions mention situation with backwards timeshift from >>> future. >>> As I understand, Kamailio do not authorise the registration, whose >>> nonces >>> where generated in future (before ntp shifted the time). But in my >>> tests, >>> Kamailio do not accept even REGISTER from UA, sent after time shift >>> (with >>> new nonces, that as I expected has to use correct time for nonce >>> generation, >>> and be authorised with no problem). >>> >>> Only Kamailio process restart help to cope with the issue. >>> >>> It looks like for nonce generating Kamailio use old time (in feature, >>> that >>> was before timeshift). >>> >>> I wander, does the Kamailio behave in described case - as is expected? >>> If I >>> am wrong in some of my assumptions, please point out. >>> >>> version: kamailio 4.2.5 >>> >>> Thank in advance! >>> Cheers! >>> >>> >>> >>> >>> -- >>> View this message in context: >>> http://sip-router.1086192.n5.nabble.com/during-registration-nonce-expired-after-backwards-time-shift-tp140536.html >>> Sent from the Users mailing list archive at Nabble.com. >>> >>> _______________________________________________ >>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list >>>
> sr-users@.sip-router >>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users > > -- > Daniel-Constantin Mierla > http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda > Book: SIP Routing With Kamailio - http://www.asipto.com > > > _______________________________________________ > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list > sr-users@.sip-router > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users Hi Daniel! I dig into sources and found one interesting point: https://github.com/kamailio/kamailio/blob/4.2/modules/auth/nonce.c#L370 Here Kamailio has a check: / if (unlikely(since < up_since)) { /* if valid_since time is time pointing before ser was started * then we consider nonce as stalled. It may be the nonce generated by previous ser instance having different length (for example because of different auth. checks).. Therefore we force credentials to be rebuilt by UAC without prompting for password */ return 4; }/ And in my case: - up_since -> time in future (2 hours later) - since -> current time (correct) The check /if (unlikely(since < up_since))/ will /return 4/ as a result. This is exactly what I have. As a workaround I exclude this check. Tested registrations/calls (when the big backward time shift happened) - work. But, I wander, if there is a theoretically better way how to solve the problem. (may be some periodical check, that will compare current time and up_since time and if backward shift - pull up_since to the current time, or something different). Anyway thanks for suggestions! Cheers! -- View this message in context: http://sip-router.1086192.n5.nabble.com/during-registration-nonce-expired-after-backwards-time-shift-tp140536p140667.html Sent from the Users mailing list archive at Nabble.com. _______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
