Thanks for the reply. What I have understood from your reply and from googling is that for every authorisation there is a unique nonce (or new nonce), and the previous nonce is expired. But I have seen in SIP debug on my Asterisk CLI that:
<br><br>For the first REGISTER request, the server sends an Unauthorized response with a new nonce, like below:<br><br><span style="color: rgb(0, 153, 0);">REGISTER sip:<a href="http://magnum.axvoice.com">magnum.axvoice.com
</a> SIP/2.0</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Via: SIP/2.0/UDP <a href="http://208.120.167.146:80">208.120.167.146:80</a>;branch=z9hG4bK722c974c</span><br style="color: rgb(0, 153, 0);">
<span style="color: rgb(0, 153, 0);">From: <<a href="mailto:sip:bernart48@magnum.axvoice.com">sip:bernart48@magnum.axvoice.com</a>>;tag=as1acc7245</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">
To: <<a href="mailto:sip:bernart48@magnum.axvoice.com">sip:bernart48@magnum.axvoice.com</a>></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Call-ID: <a href="mailto:48f3a8b426c375a161dc1f4479bba956@127.0.0.1">
48f3a8b426c375a161dc1f4479bba956@127.0.0.1</a></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">CSeq: 19710 REGISTER</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">
User-Agent: Asterisk PBX</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Authorization: Digest username="bernart48", realm="asterisk", algorithm=MD5, uri="sip:<a href="http://magnum.axvoice.com">
magnum.axvoice.com</a>", <span style="color: rgb(204, 0, 0);">nonce="325611ed"</span>, response="8105b402d3b955cb65bd9aa8e498cbc8", opaque=""</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">
Expires: 120</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Contact: <sip:16474764942@208.120.167.146:80></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">
Event: registration</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Content-Length: 0</span><br><br><span style="color: rgb(0, 153, 0);"><--- Transmitting (NAT) to <a href="http://208.120.167.146:80">
208.120.167.146:80</a> ---></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">SIP/2.0 401 Unauthorized</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Via: SIP/2.0/UDP
<a href="http://208.120.167.146:80">208.120.167.146:80</a>;branch=z9hG4bK722c974c;received=<a href="http://208.120.167.146">208.120.167.146</a></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">
From: <<a href="mailto:sip:bernart48@magnum.axvoice.com">sip:bernart48@magnum.axvoice.com</a>>;tag=as1acc7245</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">To: <<a href="mailto:sip:bernart48@magnum.axvoice.com">
sip:bernart48@magnum.axvoice.com</a>>;tag=as1d329593</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Call-ID: <a href="mailto:48f3a8b426c375a161dc1f4479bba956@127.0.0.1">48f3a8b426c375a161dc1f4479bba956@127.0.0.1
</a></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">CSeq: 19710 REGISTER</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">User-Agent: Asterisk PBX</span><br style="color: rgb(0, 153, 0);">
<span style="color: rgb(0, 153, 0);">Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Supported: replaces</span><br style="color: rgb(0, 153, 0);">
<span style="color: rgb(0, 153, 0);">WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", <span style="color: rgb(204, 0, 0);">nonce="1312f4b5"</span></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">
Content-Length: 0</span><br><br>Now in the second REGISTER request, the nonce which should be used is the one found in the latest Unauthorized response received from the server, but in this case the nonce used is from the previous Unauthorized response, as shown below.
<br><br><span style="color: rgb(0, 153, 0);"><--- SIP read from <a href="http://208.120.167.146:80">208.120.167.146:80</a> ---></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">REGISTER sip:
<a href="http://magnum.axvoice.com">magnum.axvoice.com</a> SIP/2.0</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Via: SIP/2.0/UDP <a href="http://208.120.167.146:80">208.120.167.146:80</a>;branch=z9hG4bK722c974c
</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">From: <<a href="mailto:sip:bernart48@magnum.axvoice.com">sip:bernart48@magnum.axvoice.com</a>>;tag=as1acc7245</span><br style="color: rgb(0, 153, 0);">
<span style="color: rgb(0, 153, 0);">To: <<a href="mailto:sip:bernart48@magnum.axvoice.com">sip:bernart48@magnum.axvoice.com</a>></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Call-ID:
<a href="mailto:48f3a8b426c375a161dc1f4479bba956@127.0.0.1">48f3a8b426c375a161dc1f4479bba956@127.0.0.1</a></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">CSeq: 19710 REGISTER</span><br style="color: rgb(0, 153, 0);">
<span style="color: rgb(0, 153, 0);">User-Agent: Asterisk PBX</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Authorization: Digest username="bernart48", realm="asterisk", algorithm=MD5, uri="sip:
<a href="http://magnum.axvoice.com">magnum.axvoice.com</a>", <span style="color: rgb(204, 0, 0);">nonce="325611ed"</span>, response="8105b402d3b955cb65bd9aa8e498cbc8", opaque=""</span><br style="color: rgb(0, 153, 0);">
<span style="color: rgb(0, 153, 0);">Expires: 120</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Contact: <sip:16474764942@208.120.167.146:80></span><br style="color: rgb(0, 153, 0);">
<span style="color: rgb(0, 153, 0);">Event: registration</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Content-Length: 0</span><br><br>This causes the Asterisk server to send another Unauthorized response with an additional parameter, stale, in the WWW-Authenticate section, as shown below:
<br><br><span style="color: rgb(0, 153, 0);"><--- Transmitting (NAT) to <a href="http://208.120.167.146:80">208.120.167.146:80</a> ---></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">SIP/2.0 401 Unauthorized
</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Via: SIP/2.0/UDP <a href="http://208.120.167.146:80">208.120.167.146:80</a>;branch=z9hG4bK722c974c;received=<a href="http://208.120.167.146">208.120.167.146
</a></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">From: <<a href="mailto:sip:bernart48@magnum.axvoice.com">sip:bernart48@magnum.axvoice.com</a>>;tag=as1acc7245</span><br style="color: rgb(0, 153, 0);">
<span style="color: rgb(0, 153, 0);">To: <<a href="mailto:sip:bernart48@magnum.axvoice.com">sip:bernart48@magnum.axvoice.com</a>>;tag=as1d329593</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">
Call-ID: <a href="mailto:48f3a8b426c375a161dc1f4479bba956@127.0.0.1">48f3a8b426c375a161dc1f4479bba956@127.0.0.1</a></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">CSeq: 19710 REGISTER</span>
<br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">User-Agent: Asterisk PBX</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Supported: replaces</span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">WWW-Authenticate: Digest algorithm=MD5, realm="asterisk",
<span style="color: rgb(204, 0, 0);">nonce="4f90fab4", stale=true</span></span><br style="color: rgb(0, 153, 0);"><span style="color: rgb(0, 153, 0);">Content-Length: 0</span><br><br>This stale=true field causes the Asterisk server to display the following NOTICE on the CLI:
<br><br><span style="color: rgb(0, 153, 0);">NOTICE[8380]: chan_sip.c:8151 check_auth: Correct auth, but based on stale nonce received from '<<a href="mailto:sip:bernart48@magnum.axvoice.com">sip:bernart48@magnum.axvoice.com
</a>>'</span><br style="color: rgb(0, 153, 0);"><br>and this will continue happening unless the next REGISTER request uses the nonce field received in the latest Unauthorized response from the server, and until then the user agent will not be able to register with the server. This will cause problems in our services.
<br><br>I hope you understand the problem. Sorry for this very long reply. If you know how to deal with this problem then please share your solution. I have been facing this problem for 2 weeks now and up till now I have only found out the reason for this problem. Now it is time to search for the solution.
<br><br>Hope to hear from you soon<br><br><br><div><span class="gmail_quote">On 8/15/07, <b class="gmail_sendername">Stanisław Pitucha</b> <<a href="mailto:stanis@zimbra-1.gradwell.net">stanis@zimbra-1.gradwell.net</a>> wrote:
</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">----- "Rizwan Hisham" <<a href="mailto:rizwanhasham@gmail.com">rizwanhasham@gmail.com
</a>> wrote:<br>> WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="584760da"<br><br>> Authorization: Digest username="bernart48", realm="asterisk", algorithm=MD5, uri="
sip:bernart48@64.182.161.2:9060", nonce="584760da", response="948d3923bf2df47eca17c572713af2c7", opaque=""<br><br>> What i dont know, and would very much like to know, is what is the<br>
> purpose of this parameter in sip packets?<br><br>It's a kind of challenge algorithm. What you see in "response" is not MD5(password), but MD5('password', 'realm', ..., 'nonce'). The nonce is generated by the server so that you don't get the same hash for every authorization by that user. It prevents someone who can see only one-way communication from breaking your sip session + makes breaking the hash a little bit harder.
<br>Nonce should be unique per authorization.<br>If nonce wasn't used you could reuse the same response in next connection even if you don't know the real password.<br></blockquote></div><br><br clear="all"><br>-- <br>Best Regards<br>Rizwan Hisham<br>Software Engineer<br>Axvoice Inc.<br><a href="http://www.axvoice.com">www.axvoice.com
</a>
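The exchange in the message above, as an added example that is not part of the original thread or of Asterisk's chan_sip: a small Python model of SIP Digest authentication (RFC 2617 without qop, response = MD5(HA1:nonce:HA2)), a registrar that keeps exactly one valid nonce per user and answers a correct response computed over any other nonce with 401 plus stale=true, and a client flow run once picking up the fresh nonce and once reusing the old one, as in the log. The username, realm and URI are taken from the post; the password and the registrar's bookkeeping are constructed assumptions.

```python
import hashlib
import hmac
import secrets

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    # RFC 2617 Digest without qop: MD5(HA1:nonce:HA2), HA1 = MD5(user:realm:password)
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def nonce_from(www_authenticate):
    return www_authenticate.split('nonce="')[1].split('"')[0]

class Registrar:  # constructed model of a registrar's nonce bookkeeping, not chan_sip
    def __init__(self, realm, passwords):
        self.realm, self.passwords, self.offered = realm, passwords, {}
    def challenge(self, user, stale=False):
        nonce = secrets.token_hex(4)                  # 8 hex chars, like "1312f4b5"
        self.offered[user] = nonce                    # only this nonce is now valid
        hdr = f'Digest algorithm=MD5, realm="{self.realm}", nonce="{nonce}"'
        return hdr + (", stale=true" if stale else "")
    def register(self, user, uri, nonce=None, response=None):
        # returns (status, WWW-Authenticate header or None) for one REGISTER
        password = self.passwords.get(user)
        if password is None or nonce is None or response is None:
            return 401, self.challenge(user)
        expected = digest_response(user, self.realm, password, "REGISTER", uri, nonce)
        if not hmac.compare_digest(expected, response):
            return 401, self.challenge(user)          # wrong secret: plain re-challenge
        if nonce != self.offered.get(user):
            # right secret, old nonce: the "Correct auth, but based on stale nonce" case
            return 401, self.challenge(user, stale=True)
        self.offered.pop(user)                        # an accepted nonce is spent
        return 200, None

def register_flow(reg, user, password, uri, follow_new_nonce):
    """Initial REGISTER, then re-REGISTERs; returns the (status, stale) pairs seen."""
    log, nonce = [], nonce_from(reg.register(user, uri)[1])   # first 401 issues a nonce
    for _ in range(4):
        resp = digest_response(user, reg.realm, password, "REGISTER", uri, nonce)
        status, hdr = reg.register(user, uri, nonce, resp)
        log.append((status, bool(hdr and "stale=true" in hdr)))
        if status == 200 and len(log) > 1:            # re-registration succeeded
            break
        if status == 401 and follow_new_nonce:        # correct client takes the fresh nonce
            nonce = nonce_from(hdr)
    return log
```

The same single-use nonce check is what makes a captured Authorization header useless for replay, which is the point of the quoted reply.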