[Spce-user] Stale Nonce Workarround in 4.5.1

Kalen Krueger kalen at npinfo.com
Sat Jan 7 12:02:20 EST 2017


Bah... I am silly.  I had a typo... extra ")" after "P-NGCP-Authorization":

  if((status == "401" || status == "407") && is_present_hf("P-NGCP-Authorization")) && !is_present_hf("P-NGCP-Stale"))

Fixed...

  if((status == "401" || status == "407") && is_present_hf("P-NGCP-Authorization") && !is_present_hf("P-NGCP-Stale"))

Thank you so much for your help!

-----Original Message-----
From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Kalen Krueger
Sent: Saturday, January 7, 2017 8:51 AM
To: Matthias Hohl <matthias.hohl at telematica.at>; 'Alex Lutay' <alutay at sipwise.com>; spce-user at lists.sipwise.com
Subject: Re: [Spce-user] Stale Nonce Workarround in 4.5.1

Thank you so much!   I'm still running the old version and my changes look correct.   I will be upgrading to mr3.8.8 this evening, and then will check again.   I assume the upgrade from mr3.8.8 to 4.5.2 is not problematic? 

-----Original Message-----
From: Matthias Hohl [mailto:matthias.hohl at telematica.at] 
Sent: Saturday, January 7, 2017 7:36 AM
To: Kalen Krueger <kalen at npinfo.com>; 'Alex Lutay' <alutay at sipwise.com>; spce-user at lists.sipwise.com
Subject: AW: Stale Nonce Workarround in 4.5.1

Hello,

In version 4.5.2 there is no need for this patch anymore, because it is included in the SPCE standard configuration.
If you are not on 4.5.2 then it depends if your version has the new kamailio config files or not. (in the new release there is a file called "kamailio.cfg" and "auth.cfg" in the /etc/ngcp-config/templates/etc/kamailio/proxy/ directory).

After editing the config, do an ngcpcfg apply.

That's it.

OLD VERSION:
=================

# cp /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.tt2 /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.customtt.tt2
# nano /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.customtt.tt2

1.) Searching for:

                #!ifdef ENABLE_AUTHCHECK
                               if((status == "401" || status == "407") && is_present_hf("P-NGCP-Authorization"))

edit it to:

                               if((status == "401" || status == "407") && is_present_hf("P-NGCP-Authorization") && !is_present_hf("P-NGCP-Stale"))


2.) Searching for:

                case -4:
                               xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq-%]\n");
                               break;

edit it to:

                case -4:
                               xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq-%]\n");
                               append_to_reply("P-NGCP-Stale: yes\r\n");
                               break;

=================



NEW VERSION:
=================

# cp /etc/ngcp-config/templates/etc/kamailio/proxy/auth.cfg.tt2 /etc/ngcp-config/templates/etc/kamailio/proxy/auth.cfg.customtt.tt2
# nano /etc/ngcp-config/templates/etc/kamailio/proxy/auth.cfg.customtt.tt2

Searching for:

                case -4:
                               xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq-%]\n");
                               break;

edit it to:

                case -4:
                               xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq-%]\n");
                               append_to_reply("P-NGCP-Stale: yes\r\n");
                               break;

 
# cp /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.tt2 /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.customtt.tt2
# nano /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.customtt.tt2

Searching for:

                #!ifdef ENABLE_AUTHCHECK
                               if((status == "401" || status == "407") && is_present_hf("P-NGCP-Authorization"))

edit it to:

                               if((status == "401" || status == "407") && is_present_hf("P-NGCP-Authorization") && !is_present_hf("P-NGCP-Stale"))

=================
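
A check for the two edits described in the message above, as an added example that is not part of the original thread and is not Sipwise code. It takes the generated lb and proxy config files as arguments and reports whether the `P-NGCP-Stale` test and header are present and whether the edited `if` line has balanced parentheses; the function names and return codes are made up for this example.

```shell
#!/bin/sh
# Added example (not Sipwise code): check generated Kamailio configs for the
# stale-nonce workaround. File paths are passed in as arguments.
# Succeeds only if "(" and ")" are balanced on the given line.
balanced_parens() {
    printf '%s\n' "$1" | awk '{
        d = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "(") d++
            else if (c == ")" && --d < 0) exit 1
        }
        exit (d != 0)
    }'
}

# lb config: the 401/407 auth check must also test P-NGCP-Stale and must parse.
# Returns 0 ok, 1 Stale test missing, 2 unbalanced parentheses, 3 check not found.
check_lb() {
    found=0
    while IFS= read -r line; do
        case $line in
            *'status == "401"'*'is_present_hf("P-NGCP-Authorization")'*) ;;
            *) continue ;;
        esac
        found=1
        case $line in
            *'!is_present_hf("P-NGCP-Stale")'*) ;;
            *) return 1 ;;
        esac
        balanced_parens "$line" || return 2
    done < "$1"
    [ "$found" -eq 1 ] || return 3
}

# proxy config: every "case -4:" must add the P-NGCP-Stale header before "break;".
check_proxy() {
    awk '
        /case -4:/ { in_case = 1; cases++; next }
        in_case && /append_to_reply\("P-NGCP-Stale:/ { marked++; in_case = 0 }
        in_case && /break;/ { in_case = 0 }
        END { exit !(cases > 0 && cases == marked) }
    ' "$1"
}

# Usage: sh check.sh <generated lb kamailio.cfg> <generated proxy cfg>
if [ "$#" -eq 2 ]; then
    check_lb "$1" && check_proxy "$2" && echo "stale-nonce workaround present"
fi
```

Running it after each `ngcpcfg apply` or upgrade shows whether the customtt edits made it into the generated files.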


-----Original Message-----
From: Kalen Krueger [mailto:kalen at npinfo.com] 
Sent: Saturday, January 7, 2017 15:50
To: Matthias Hohl <matthias.hohl at telematica.at>; 'Alex Lutay' <alutay at sipwise.com>; spce-user at lists.sipwise.com
Subject: RE: Stale Nonce Workarround in 4.5.1

OK... I educated myself and understand the difference between the customtt.tt2 vs regular .tt2 files now, and have checked the /etc/kamailio/proxy (or lb) files generated with ngcpcfg apply, and they have the changes in them.   I'm just trying to figure out why they don't appear to be working.

-----Original Message-----
From: Kalen Krueger 
Sent: Saturday, January 7, 2017 6:13 AM
To: Kalen Krueger <kalen at npinfo.com>; Matthias Hohl <matthias.hohl at telematica.at>; 'Alex Lutay' <alutay at sipwise.com>; spce-user at lists.sipwise.com
Subject: RE: Stale Nonce Workarround in 4.5.1

I know this list is best effort, so even 60 seconds of help is appreciated.  I'm not sure what files I need to put the fix in now... I'm second guessing myself.   I thought it was /proxy(or lb)/kamailio.cfg.tt2, but now maybe /proxy(or lb)/kamailio.cfg.custom.tt2?

https://lists.sipwise.com/pipermail/spce-user/2014-January/005712.html

I know this is an old issue, but I started having problems again after the upgrade to mr3.8.4.    I'm planning on upgrading to mr3.8.8 tonight.

Also, there was some discussion about there being a "workaround" built into 4.5.2?

Kalen Krueger | Technical and Project Manager | kalen at npinfo.com
o: 253.852.1543 | d: 253.479.1321 | m: 206.963.1309 NP Information Systems | www.npinfo.com

-----Original Message-----
From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Kalen Krueger
Sent: Friday, January 6, 2017 12:16 PM
To: Matthias Hohl <matthias.hohl at telematica.at>; 'Alex Lutay' <alutay at sipwise.com>; spce-user at lists.sipwise.com
Subject: Re: [Spce-user] Stale Nonce Workarround in 4.5.1

I upgraded from mr3.7.2 -> mr3.8.4, and the stale nonce workaround I was using no longer appears to be working...

This is what I do with every upgrade... is this correct?

Add the following in /etc/ngcp-config/templates/etc/kamailio/proxy/kamailio.cfg.tt2 to set the "P-NGCP-Stale" variable:

  case -4:
     xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq -%]\n");
     append_to_reply("P-NGCP-Stale: yes\r\n");

In /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.tt2 test if the "P-NGCP-Stale" variable exists:

  #!ifdef ENABLE_AUTHCHECK
     if((status == "401" || status == "407") && is_present_hf("P-NGCP-Authorization") && !is_present_hf("P-NGCP-Stale"))

Kalen Krueger | Technical and Project Manager | kalen at npinfo.com
o: 253.852.1543 | d: 253.479.1321 | m: 206.963.1309 NP Information Systems | www.npinfo.com


-----Original Message-----
From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Matthias Hohl
Sent: Thursday, September 8, 2016 8:38 AM
To: 'Alex Lutay' <alutay at sipwise.com>; spce-user at lists.sipwise.com
Subject: Re: [Spce-user] Stale Nonce Workarround in 4.5.1

Other things we are doing with customtt files, which it would be nice to have the option to edit in the config.yml file:

1.) Extend the Failover Routing Filter:
# cp /etc/ngcp-config/templates/etc/kamailio/proxy/proxy.cfg.tt2 /etc/ngcp-config/templates/etc/kamailio/proxy/proxy.cfg.customtt.tt2
# nano /etc/ngcp-config/templates/etc/kamailio/proxy/proxy.cfg.customtt.tt2
Search for:
route[ROUTE_FILTER_FAILOVER]
{
xlog("L_INFO", "Filter reply code - [% logreq -%]\n");
if(!t_check_status("408|500|503"))

And edit it to:
route[ROUTE_FILTER_FAILOVER]
{
xlog("L_INFO", "Filter reply code - [% logreq -%]\n");
if(!t_check_status("403|408|488|500|502|503|504"))


2.) Auto generated passwords without special characters:
# nano /usr/share/perl5/NGCP/Panel/Utils/Subscriber.pm
on lines ~ 188 and 195 (mr 3.8.1) you will find something like this:

    if($c->config->{security}->{password_sip_autogenerate} && !$params->{password}) {
        $params->{password} = String::MkPasswd::mkpasswd(
            -length => $passlen,
            -minnum => 1, -minlower => 1, -minupper => 1, -minspecial => 0,
            -distribute => 1, -fatal => 1,
        );
    }

3.) Fraud Prevention interval
Monthly limit:
# cp /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-auto-lock.tt2 /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-auto-lock.customtt.tt2
# nano /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-auto-lock.customtt.tt2
[% IF !is_db -%]#[% END -%]*/30 * * * *  root  if /usr/sbin/ngcp-check_active -q; then /usr/sbin/ngcp-fraud-auto-lock; fi

Daily limit:
# cp /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-daily-lock.tt2 /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-daily-lock.customtt.tt2
# nano /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-daily-lock.customtt.tt2
[% IF !is_db -%]#[% END -%]*/5 * * * *  root  if /usr/sbin/ngcp-check_active -q; then /usr/sbin/ngcp-fraud-daily-lock; fi


4.) Automated invoice generation and sending
# nano /etc/ngcp-config/templates/etc/cron.d/ngcp-invoice-gen.customtt.tt2
Check that all the cron jobs are prefixed with "#".
# 5  3 1 * *   root    perl /usr/share/ngcp-panel/tools/generate_invoices.pl --prevmonth 2>&1 >/dev/null
# 5  3 2 * *   root    perl /usr/share/ngcp-panel/tools/generate_invoices.pl --prevmonth --sendonly 2>&1 >/dev/null




-----Original Message-----
From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Alex Lutay
Sent: Thursday, September 8, 2016 10:20
To: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] Stale Nonce Workarround in 4.5.1

Dear Matthias,

Can you please share "why" you need this workaround here?

Also to all: feel free to share the reason for the customtt you are using.
We do understand that customtt is a "necessary evil" which creates a lot of issues during upgrades. So we would like to know the weak parts we have to focus on one day, to allow you to work without customtt.

Tnx!

On 09/08/2016 01:37 AM, Matthias Hohl wrote:
...
> the stale nonce work-a-round in 4.5.1 is not possible:
...

--
Alex Lutay
_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com
https://lists.sipwise.com/listinfo/spce-user