asolovjov changed the title from "[BUG] mid_registrar allows registration without authentification in AOR throttling mode (security issue?)" to "[BUG] mid_registrar allows registration without authentication in AOR throttling mode (security issue?)" on Sep 15, 2023
@asolovjov, the mid_registrar (similar to the registrar module) is authentication agnostic: whatever auth policy you want to have (on the main server, on the mid-reg server), you need to script it.
In your case, the main server (behind the mid-registrar) is handling the auth, so it should cover all the cases.
@bogdan-iancu Thank you for looking at this issue.
The problem is that when a new REGISTER from another device comes within the expire time and we call mid_registrar_save, it immediately replies with 200 OK, so we can't script anything here; it doesn't make sense to forward it. We can use the registrar module, but then we'll just rewrite the mid_registrar logic in script and it won't be needed at all.
I guess there should be a function similar to is_contact_registered in the registrar module or mid_registrar_save should return some other code so we could decide whether to forward REGISTER.
Just to clarify: this is related only to mode 2 (AOR throttling). In mode 1, mid_registrar works as expected, simply adding a ctid for each new contact, and we forward it to the main registrar.
Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.
OpenSIPS version you are running
Describe the bug
In AOR throttling mode, OpenSIPS accepts registration without authentication from the second device if the registration request is sent within the expire time.
To Reproduce
Enable mode 2 and use default mid_registrar config
Send a REGISTER request from some client. I use sipexer:
Here OpenSIPS forwards all requests to the main registrar (which asks for auth), replies as usual and saves the contact to the user location table.
Then immediately send a REGISTER with the same user from some other place.
mid_registrar_save returns 2 and replies OK without any auth. The new contact is added to the user location table without auth.
Expected behavior
If a new REGISTER comes from another source, should we forward it to the registrar to authenticate it?
Or is the current behaviour expected and I should do something in script?
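The mismatch described in these steps, modelled as an added example that is not OpenSIPS code or anything from the project: a toy mid-registrar whose throttling decision is keyed on the AoR alone (the behaviour the issue reports) beside one keyed on the contact binding the main registrar already accepted, so an unknown device is always forwarded to the authenticating registrar. AoR, contact URIs, timestamps and the expire value are constructed.

```python
"""Constructed model of mid-registrar AoR throttling (not OpenSIPS code).

A REGISTER is either absorbed (mid-registrar replies 200 OK itself) or
forwarded to the main registrar, the only component that authenticates.
Policy "aor" absorbs any REGISTER for an AoR with a live binding; policy
"binding" absorbs only refreshes of a contact the main registrar accepted.
"""
from dataclasses import dataclass, field

ABSORB, FORWARD = "absorb", "forward"


@dataclass
class MidRegistrar:
    policy: str                  # "aor" (reported behaviour) or "binding"
    expires: int = 3600          # lifetime granted by the main registrar (constructed)
    # aor -> {contact_uri: expiry}, populated only from main-registrar 200 OKs
    bindings: dict = field(default_factory=dict)

    def live(self, aor: str, now: int) -> dict:
        """Return the not-yet-expired contacts for an AoR, dropping stale ones."""
        live = {c: t for c, t in self.bindings.get(aor, {}).items() if t > now}
        self.bindings[aor] = live
        return live

    def on_registrar_ok(self, aor: str, contact: str, now: int) -> None:
        """Main registrar authenticated and accepted this contact: learn the binding."""
        self.bindings.setdefault(aor, {})[contact] = now + self.expires

    def handle_register(self, aor: str, contact: str, now: int) -> str:
        live = self.live(aor, now)
        if self.policy == "aor":
            # Keyed on the AoR alone: a second, never-authenticated device is
            # absorbed as if it were a refresh of the existing binding.
            return ABSORB if live else FORWARD
        # Keyed on the accepted binding: an unknown contact always goes to the
        # main registrar, where the authentication challenge happens.
        return ABSORB if contact in live else FORWARD


def scenario(policy: str) -> list:
    """Replay the issue's steps and return the decision taken for each REGISTER."""
    mr = MidRegistrar(policy)
    aor = "sip:alice@example.com"                       # constructed AoR
    phone_a, phone_b = "sip:alice@10.0.0.5", "sip:alice@10.0.0.9"
    first = mr.handle_register(aor, phone_a, now=0)     # no binding yet: forwarded
    mr.on_registrar_ok(aor, phone_a, now=0)             # main registrar authenticated it
    refresh = mr.handle_register(aor, phone_a, now=100) # genuine refresh from phone A
    second = mr.handle_register(aor, phone_b, now=200)  # other device, inside expire time
    return [first, refresh, second]
```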