Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2024-05-30 Thread Srigo Kanapathipillai
Hi,

I'm currently working on the integration of MAN (French Stir/Shaken) on our
Opensips. I'm facing the same issue with Opensips
"stir_shaken:verify_callback: certificate validation failed: unable to get
certificate CRL" when calling stir_shaken_verify() function.

This is how I'm loading my CRL and CA:

modparam("stir_shaken", "crl_dir", "/etc/opensips/stir_shaken_certificates/all_certifs/")
modparam("stir_shaken", "ca_dir", "/etc/opensips/stir_shaken_certificates/all_certifs/")

and my directory contents:

[srigo@lab:/etc/opensips/stir_shaken_certificates/all_certifs]# ls -l
total 80
lrwxrwxrwx 1 opensips opensips    12 May 20 20:48 10f93d74.0 -> bpco_pa2.pem
lrwxrwxrwx 1 opensips opensips    12 May 20 20:48 155d6a90.0 -> bpco_pa1.pem
lrwxrwxrwx 1 opensips opensips    22 May 20 20:48 155d6a90.r0 -> bpco_crl_operateur.pem
lrwxrwxrwx 1 opensips opensips    12 May 20 20:48 1df87289.0 -> bpco_ca1.pem
lrwxrwxrwx 1 opensips opensips     7 May 20 20:48 6c2f9df7.0 -> ipd.pem
lrwxrwxrwx 1 opensips opensips    11 May 20 20:48 b519955b.0 -> bpco_r1.pem
lrwxrwxrwx 1 opensips opensips    15 May 20 20:48 b519955b.r0 -> bpco_crl_ca.pem
-rw-rw-r-- 1 opensips opensips  1180 May 20 19:24 bpco_ca1.pem
-rw-rw-r-- 1 opensips opensips  1180 May 20 20:23 bpco_ca2.pem
-rw-rw-r-- 1 opensips opensips   552 May 20 19:24 bpco_crl_ca.pem
-rw-rw-r-- 1 opensips opensips 87608 May 20 19:25 bpco_crl_operateur.pem
-rw-rw-r-- 1 opensips opensips  1135 May 20 19:23 bpco_pa1.pem
-rw-rw-r-- 1 opensips opensips  1135 May 20 20:22 bpco_pa2.pem
-rw-rw-r-- 1 opensips opensips   810 May 20 19:24 bpco_r1.pem
lrwxrwxrwx 1 opensips opensips    12 May 20 20:48 cbdd0bbc.0 -> bpco_ca2.pem
-rw-rw-r-- 1 opensips opensips  1281 May 20 20:48 ipd.pem

I have tried with crl_list and ca_list by concatenating my CAs and my CRLs
but I am getting the same errors.

If anyone has faced the same issue and solved it, or has an idea how to solve it,
please share it.

Thanks
Srigo

On Tue, 1 Aug 2023 at 16:08, Alain Bieuzent wrote:

> Thanks Razvan, it's done
>
> On 01/08/2023 15:35, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:
>
>
> Hi, Alain!
>
>
> You are actually right, it looks like the crl_list and ca_dir cannot be
> dynamic :(. Could you please open a feature request for this, so we can
> keep them right, perhaps change them to a tls_mgm domain?
>
>
> Best regards,
>
>
> Răzvan Crainea
> OpenSIPS Core Developer / SIPhub CTO
> http://www.opensips-solutions.com  /
> https://www.siphub.com 
>
>
> On 7/28/23 16:45, Alain Bieuzent wrote:
> > sorry I wrote nonsense (again...)
> > In the French implementation of STIR/SHAKEN we must download certificate
> > updates every day (only for crl_list).
> > In stir_shaken module documentation, there is no explanation how to put
> > crl_list in db.
> >
> > Regards
> >
> >
> > On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <users-boun...@lists.opensips.org on behalf of alain.bieuz...@free.fr> wrote:
> >
> >
> > Hi Razvan,
> >
> >
> > I work on the same project as Mickael and we don't understand how the
> > tls_mgm can help us in this case.
> > In the French implementation of STIR/SHAKEN we must download certificate
> > updates every day (ca_list and crl_list).
> > How can these updates be considered in real time?
> >
> >
> > Regards
> >
> >
> > On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:
> >
> >
> > Hi, Mickael!
> >
> >
> > The only way is to store certificates in database and reload the tls_mgm
> > module (using tls_reload).
> >
> >
> > Best regards,
> >
> >
> > Răzvan Crainea
> > OpenSIPS Core Developer / SIPhub CTO
> > http://www.opensips-solutions.com / https://www.siphub.com
> 
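
An added example, not part of the thread and not OpenSIPS code: a shell audit of a hashed certificate directory like the one listed in the message above. It uses the entry naming that `openssl rehash` writes (`<hash>.N` for certificates, `<hash>.rN` for CRLs) and assumes, following the advice in this thread to provide the CRL of the entire path, that every CA entry needs a CRL entry; the function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenSSL hashed directory such as the one passed to
# ca_dir / crl_dir. Naming convention written by `openssl rehash`:
#   <subject-hash>.<n>    certificate   e.g. 155d6a90.0
#   <issuer-hash>.r<n>    CRL           e.g. 155d6a90.r0
# A CRL carries the same hash as the certificate of the CA that issued it.
# Assumption: the verifier wants a CRL for every CA in the path, so every
# certificate entry should have a CRL entry with the same hash.

HEX8='[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]'

# Classify an entry name: prints "crl", "cert", or nothing for other files.
link_kind() {
    case $1 in
        $HEX8.r[0-9]*) echo crl ;;
        $HEX8.[0-9]*)  echo cert ;;
    esac
}

# Print (sorted, unique) each certificate hash in DIR with no CRL entry.
ca_hashes_without_crl() {
    dir=$1
    for path in "$dir"/*; do
        name=${path##*/}
        [ "$(link_kind "$name")" = cert ] || continue
        hash=${name%%.*}
        has_crl=no
        for crl in "$dir/$hash".r[0-9]*; do
            # An unmatched glob stays literal, so confirm the entry exists.
            if [ -e "$crl" ] || [ -L "$crl" ]; then has_crl=yes; fi
        done
        [ "$has_crl" = yes ] || echo "$hash"
    done | sort -u
}

# Print each entry whose name differs from the hash OpenSSL computes from its
# content; such an entry is never found by a hashed-directory lookup.
# Needs the openssl binary and real PEM files.
mislabelled_entries() {
    dir=$1
    for path in "$dir"/*; do
        name=${path##*/}
        case $(link_kind "$name") in
            cert) actual=$(openssl x509 -noout -hash -in "$path" 2>/dev/null) || actual= ;;
            crl)  actual=$(openssl crl -noout -hash -in "$path" 2>/dev/null) || actual= ;;
            *)    continue ;;
        esac
        [ "${name%%.*}" = "$actual" ] || echo "$name computed=${actual:-unreadable}"
    done
}

# Constructed sample: entry names copied from the listing in the message
# above, created as empty placeholder files in a temporary directory.
make_sample_dir() {
    sample=$(mktemp -d) || return 1
    for entry in 10f93d74.0 155d6a90.0 155d6a90.r0 1df87289.0 6c2f9df7.0 \
                 b519955b.0 b519955b.r0 cbdd0bbc.0 bpco_ca1.pem ipd.pem; do
        : > "$sample/$entry"
    done
    echo "$sample"
}

if [ "$#" -ge 1 ]; then
    # Real directory given: run both checks.
    echo "certificate hashes with no CRL entry:"; ca_hashes_without_crl "$1"
    echo "entries whose name does not match their content:"; mislabelled_entries "$1"
else
    # No argument: show the name-only check on the constructed sample.
    demo=$(make_sample_dir)
    ca_hashes_without_crl "$demo"
    rm -rf "$demo"
fi
```

Run it with the directory as the only argument to get both reports; the name-only check works without openssl, the content check needs it.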

Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-08-01 Thread Alain Bieuzent
Thanks Razvan, it's done

On 01/08/2023 15:35, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:


Hi, Alain!


You are actually right, it looks like the crl_list and ca_dir cannot be 
dynamic :(. Could you please open a feature request for this, so we can 
keep them right, perhaps change them to a tls_mgm domain?


Best regards,


Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com  / 
https://www.siphub.com 


On 7/28/23 16:45, Alain Bieuzent wrote:
> sorry I wrote nonsense (again...)
> In the French implementation of STIR/SHAKEN we must download certificate 
> updates every day (only for crl_list).
> In stir_shaken module documentation , there is no explanation how to put 
> crl_list in db.
> 
> Regards
> 
> 
> On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <users-boun...@lists.opensips.org on behalf of alain.bieuz...@free.fr> wrote:
> 
> 
> Hi Razvan,
> 
> 
> I work on the same project as Mickael and we don't understand how the tls_mgm 
> can help us in this case.
> In the French implementation of STIR/SHAKEN we must download certificate 
> updates every day (ca_list and crl_list).
> How can these updates be considered in real time?
> 
> 
> Regards
> 
> 
> On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:
> 
> 
> 
> Hi, Mickael!
> 
> 
> 
> 
> The only way is to store certificates in database and reload the tls_mgm
> module (using tls_reload).
> 
> 
> 
> 
> Best regards,
> 
> 
> 
> 
> Răzvan Crainea
> OpenSIPS Core Developer / SIPhub CTO
> http://www.opensips-solutions.com / https://www.siphub.com
> 
> On 7/26/23 16:38, Mickael Hubert wrote:
>> Hi Razvan,
>> another question about crl_list, when crl list changed, what is the best
>> way to reload this list in OpenSIPS memory ? restart it ? or another way ?
>> I know the crl_list can change each day, so if I have to restart
>> opensips each day, it's not very practical.
>>
>> thanks in advance
>>
>> On Tue, 25 Jul 2023 at 14:47, Mickael Hubert wrote:
>>
>> Hi Razvan,
>> Thanks a lot.
>> I loaded the CRL for CA and certs and opensips start correctly ;)
>>
>> Have a good day !
>>
>> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea wrote:
>>
>> Hi, Mickael!
>>
>> I don't have much experience with this, but a first search would point
>> to this [1] answer, which seems reasonable to me: you need to provide
>> the CRL of the entire path, not only of your intermediate cert. Did you
>> try that?
>>
>> [1] https://stackoverflow.com/a/47398918

Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-08-01 Thread Răzvan Crainea

Hi, Alain!

You are actually right, it looks like the crl_list and ca_dir cannot be 
dynamic :(. Could you please open a feature request for this, so we can 
keep them right, perhaps change them to a tls_mgm domain?


Best regards,

Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com

On 7/28/23 16:45, Alain Bieuzent wrote:

sorry I wrote nonsense (again...)
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (only for crl_list).
In stir_shaken module documentation , there is no explanation how to put 
crl_list in db.

Regards


On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <users-boun...@lists.opensips.org on behalf of alain.bieuz...@free.fr> wrote:


Hi Razvan,


I work on the same project as Mickael and we don't understand how the tls_mgm 
can help us in this case.
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (ca_list and crl_list).
How can these updates be considered in real time?


Regards


On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:




Hi, Mickael!




The only way is to store certificates in database and reload the tls_mgm
module (using tls_reload).




Best regards,




Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com




On 7/26/23 16:38, Mickael Hubert wrote:

Hi Razvan,
another question about crl_list, when crl list changed, what is the best
way to reload this list in OpenSIPS memory ? restart it ? or another way ?
I know the crl_list can change each day, so if I have to restart
opensips each day, it's not very practical.

thanks in advance

On Tue, 25 Jul 2023 at 14:47, Mickael Hubert <mick...@winlux.fr>

Best regards,

Răzvan Crainea
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 7/19/23 15:47, Mickael Hubert wrote:

Hi all,
I'm working on stir and shaken, and I want to include all revoked
certificates.
I have my list in DER format, I use this command to transform it to PEM format:
openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem

there is no error, I can read pem format (crl.pem):
-----BEGIN X509 CRL-----

-----END X509 CRL-----

I configured opensips with this:
modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")

but I have an error:
ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate

Can you tell me, what is exactly the correct format please ?

Thanks in advance !
++

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-28 Thread Alain Bieuzent
Of course we will reload only if there is a change…

From: Users on behalf of David Villasmil
Reply-To: OpenSIPS users mailling list
Date: Friday, 28 July 2023 at 16:21
To: OpenSIPS users mailling list
Subject: Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

 

Every day??? Does it CHANGE every day? Maybe just check if it’s changed, then
reload only if it has. Seems very excessive to make that mandatory.

 

On Fri, 28 Jul 2023 at 15:46, Alain Bieuzent  wrote:

sorry I wrote nonsense (again...)
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (only for crl_list).
In stir_shaken module documentation , there is no explanation how to put 
crl_list in db.

Regards


On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <users-boun...@lists.opensips.org on behalf of alain.bieuz...@free.fr> wrote:


Hi Razvan,


I work on the same project as Mickael and we don't understand how the tls_mgm 
can help us in this case.
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (ca_list and crl_list).
How can these updates be considered in real time?


Regards


On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:




Hi, Mickael!




The only way is to store certificates in database and reload the tls_mgm 
module (using tls_reload).




Best regards,




Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com




On 7/26/23 16:38, Mickael Hubert wrote:
> Hi Razvan,
> another question about crl_list, when crl list changed, what is the best 
> way to reload this list in OpenSIPS memory ? restart it ? or another way ?
> I know the crl_list can change each day, so if I have to restart 
> opensips each day, it's not very practical.
> 
> thanks in advance
> 
> On Tue, 25 Jul 2023 at 14:47, Mickael Hubert <mick...@winlux.fr> wrote:
> 
> Hi Razvan,
> Thanks a lot.
> I loaded the CRL for CA and certs and opensips start correctly ;)
> 
> Have a good day !
> 
> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea <raz...@opensips.org> wrote:
> 
> Hi, Mickael!
> 
> I don't have much experience with this, but a first search would point
> to this [1] answer, which seems reasonable to me: you need to provide
> the CRL of the entire path, not only of your intermediate cert. Did you
> try that?
> 
> [1] https://stackoverflow.com/a/47398918
> 
> Best regards,
> 
> Răzvan Crainea
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
> 
> On 7/19/23 15:47, Mickael Hubert wrote:
> > Hi all,
> > I'm working on stir and shaken, and I want to include all revoked
> > certificates.
> > I have my list in DER format, I use this command to transform it to PEM format:
> > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
> >
> > there is no error, I can read pem format (crl.pem):
> > -----BEGIN X509 CRL-----
> > 
> > -----END X509 CRL-----
> >
> > I configured opensips with this:
> > modparam("stir_shaken", "crl_list",
> "/etc/op

Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-28 Thread David Villasmil
Every day??? Does it CHANGE every day? Maybe just check if it’s changed, then
reload only if it has. Seems very excessive to make that mandatory.

On Fri, 28 Jul 2023 at 15:46, Alain Bieuzent  wrote:

> sorry I wrote nonsense (again...)
> In the French implementation of STIR/SHAKEN we must download certificate
> updates every day (only for crl_list).
> In stir_shaken module documentation , there is no explanation how to put
> crl_list in db.
>
> Regards
>
>
> On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <users-boun...@lists.opensips.org on behalf of alain.bieuz...@free.fr> wrote:
>
>
> Hi Razvan,
>
>
> I work on the same project as Mickael and we don't understand how the
> tls_mgm can help us in this case.
> In the French implementation of STIR/SHAKEN we must download certificate
> updates every day (ca_list and crl_list).
> How can these updates be considered in real time?
>
>
> Regards
>
>
> On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:
>
>
>
>
> Hi, Mickael!
>
>
>
>
> The only way is to store certificates in database and reload the tls_mgm
> module (using tls_reload).
>
>
>
>
> Best regards,
>
>
>
>
> Răzvan Crainea
> OpenSIPS Core Developer / SIPhub CTO
> http://www.opensips-solutions.com / https://www.siphub.com
>
>
>
>
> On 7/26/23 16:38, Mickael Hubert wrote:
> > Hi Razvan,
> > another question about crl_list, when crl list changed, what is the best
> > way to reload this list in OpenSIPS memory ? restart it ? or another way ?
> > I know the crl_list can change each day, so if I have to restart
> > opensips each day, it's not very practical.
> >
> > thanks in advance
> >
> > On Tue, 25 Jul 2023 at 14:47, Mickael Hubert <mick...@winlux.fr> wrote:
> >
> > Hi Razvan,
> > Thanks a lot.
> > I loaded the CRL for CA and certs and opensips start correctly ;)
> >
> > Have a good day !
> >
> > On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea <raz...@opensips.org> wrote:
> >
> > Hi, Mickael!
> >
> > I don't have much experience with this, but a first search would point
> > to this [1] answer, which seems reasonable to me: you need to provide
> > the CRL of the entire path, not only of your intermediate cert. Did you
> > try that?
> >
> > [1] https://stackoverflow.com/a/47398918
> >
> > Best regards,
> >
> > Răzvan Crainea
> > OpenSIPS Core Developer
> > http://www.opensips-solutions.com
> >
> > On 7/19/23 15:47, Mickael Hubert wrote:
> > > Hi all,
> > > I'm working on stir and shaken, and I want to include all revoked
> > > certificates.
> > > I have my list in DER format, I use this command to transform it to PEM format:
> > > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
> > >
> > > there is no error, I can read pem format (crl.pem):
> > > -----BEGIN X509 CRL-----
> > >
> > > -----END X509 CRL-----
> > >
> > > I configured opensips with this:
> > > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
> > >
> > > but I have an error:
> > > ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
> > > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
> > >
> > > Can you tell me, what is exactly the correct format please ?
> > >
> > > Thanks in advance !
> > > ++

Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-28 Thread Alain Bieuzent
sorry I wrote nonsense (again...)
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (only for crl_list).
In stir_shaken module documentation , there is no explanation how to put 
crl_list in db.

Regards


On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <users-boun...@lists.opensips.org on behalf of alain.bieuz...@free.fr> wrote:


Hi Razvan,


I work on the same project as Mickael and we don't understand how the tls_mgm 
can help us in this case.
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (ca_list and crl_list).
How can these updates be considered in real time?


Regards


On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:




Hi, Mickael!




The only way is to store certificates in database and reload the tls_mgm 
module (using tls_reload).




Best regards,




Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com





On 7/26/23 16:38, Mickael Hubert wrote:
> Hi Razvan,
> another question about crl_list, when crl list changed, what is the best 
> way to reload this list in OpenSIPS memory ? restart it ? or another way ?
> I know the crl_list can change each day, so if I have to restart 
> opensips each day, it's not very practical.
> 
> thanks in advance
> 
> On Tue, 25 Jul 2023 at 14:47, Mickael Hubert wrote:
> 
> Hi Razvan,
> Thanks a lot.
> I loaded the CRL for CA and certs and opensips start correctly ;)
> 
> Have a good day !
> 
> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea wrote:
> 
> Hi, Mickael!
> 
> I don't have much experience with this, but a first search would point
> to this [1] answer, which seems reasonable to me: you need to provide
> the CRL of the entire path, not only of your intermediate cert. Did you
> try that?
> 
> [1] https://stackoverflow.com/a/47398918
> 
> Best regards,
> 
> Răzvan Crainea
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
> 
> On 7/19/23 15:47, Mickael Hubert wrote:
> > Hi all,
> > I'm working on stir and shaken, and I want to include all revoked
> > certificates.
> > I have my list in DER format, I use this command to transform it to PEM format:
> > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
> >
> > there is no error, I can read pem format (crl.pem):
> > -----BEGIN X509 CRL-----
> >
> > -----END X509 CRL-----
> >
> > I configured opensips with this:
> > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
> >
> > but I have an error:
> > ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
> > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
> >
> > Can you tell me, what is exactly the correct format please ?
> >
> > Thanks in advance !
> > ++

Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-28 Thread Alain Bieuzent
Hi Razvan,

I work on the same project as Mickael and we don't understand how the tls_mgm 
can help us in this case.
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (ca_list and crl_list).
How can these updates be considered in real time?

Regards

On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:


Hi, Mickael!


The only way is to store certificates in database and reload the tls_mgm 
module (using tls_reload).


Best regards,


Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com  / 
https://www.siphub.com 


On 7/26/23 16:38, Mickael Hubert wrote:
> Hi Razvan,
> another question about crl_list, when crl list changed, what is the best 
> way to reload this list in OpenSIPS memory ? restart it ? or another way ?
> I know the crl_list can change each day, so if I have to restart 
> opensips each day, it's not very practical.
> 
> thanks in advance
> 
> On Tue, 25 Jul 2023 at 14:47, Mickael Hubert wrote:
> 
> Hi Razvan,
> Thanks a lot.
> I loaded the CRL for CA and certs and opensips start correctly ;)
> 
> Have a good day !
> 
> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea wrote:
> 
> Hi, Mickael!
> 
> I don't have much experience with this, but a first search would point
> to this [1] answer, which seems reasonable to me: you need to provide
> the CRL of the entire path, not only of your intermediate cert. Did you
> try that?
> 
> [1] https://stackoverflow.com/a/47398918
> 
> Best regards,
> 
> Răzvan Crainea
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
> 
> On 7/19/23 15:47, Mickael Hubert wrote:
> > Hi all,
> > I'm working on stir and shaken, and I want to include all revoked
> > certificates.
> > I have my list in DER format, I use this command to transform it to PEM format:
> > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
> >
> > there is no error, I can read pem format (crl.pem):
> > -----BEGIN X509 CRL-----
> >
> > -----END X509 CRL-----
> >
> > I configured opensips with this:
> > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
> >
> > but I have an error:
> > ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
> > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
> >
> > Can you tell me, what is exactly the correct format please ?
> >
> > Thanks in advance !
> > ++


Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-27 Thread Răzvan Crainea

Hi, Mickael!

The only way is to store certificates in database and reload the tls_mgm 
module (using tls_reload).


Best regards,

Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com

On 7/26/23 16:38, Mickael Hubert wrote:

Hi Razvan,
another question about crl_list, when crl list changed, what is the best 
way to reload this list in OpenSIPS memory ? restart it ? or another way ?
I know the crl_list can change each day, so if I have to restart 
opensips each day, it's not very practical.


thanks in advance

On Tue, 25 Jul 2023 at 14:47, Mickael Hubert wrote:


Hi Razvan,
Thanks a lot.
I loaded the CRL for CA and certs and opensips start correctly ;)

Have a good day !

On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea <raz...@opensips.org> wrote:

Hi, Mickael!

I don't have much experience with this, but a first search would point
to this [1] answer, which seems reasonable to me: you need to provide
the CRL of the entire path, not only of your intermediate cert. Did you
try that?

[1] https://stackoverflow.com/a/47398918


Best regards,

Răzvan Crainea
OpenSIPS Core Developer
http://www.opensips-solutions.com


On 7/19/23 15:47, Mickael Hubert wrote:
> Hi all,
> I'm working on stir and shaken, and I want to include all revoked
> certificates.
> I have my list in DER format, I use this command to transform it to PEM format:
> openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
>
> there is no error, I can read pem format (crl.pem):
> -----BEGIN X509 CRL-----
>
> -----END X509 CRL-----
>
> I configured opensips with this:
> modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
>
> but I have an error:
> ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
> Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
>
> Can you tell me, what is exactly the correct format please ?
>
> Thanks in advance !
> ++


Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-26 Thread Mickael Hubert
Hi Razvan,
another question about crl_list, when crl list changed, what is the best
way to reload this list in OpenSIPS memory ? restart it ? or another way ?
I know the crl_list can change each day, so if I have to restart opensips
each day, it's not very practical.

thanks in advance

On Tue, 25 Jul 2023 at 14:47, Mickael Hubert wrote:

> Hi Razvan,
> Thanks a lot.
> I loaded the CRL for CA and certs and opensips start correctly ;)
>
> Have a good day !
>
> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea wrote:
>
>> Hi, Mickael!
>>
>> I don't have much experience with this, but a first search would point
>> to this [1] answer, which seems reasonable to me: you need to provide
>> the CRL of the entire path, not only of your intermediate cert. Did you
>> try that?
>>
>> [1] https://stackoverflow.com/a/47398918
>>
>> Best regards,
>>
>> Răzvan Crainea
>> OpenSIPS Core Developer
>> http://www.opensips-solutions.com
>>
>> On 7/19/23 15:47, Mickael Hubert wrote:
>> > Hi all,
>> > I'm working on stir and shaken, and I want to include all revoked
>> > certificates.
>> > I have my list in DER format, I use this command to transform it to PEM format:
>> > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
>> >
>> > there is no error, I can read pem format (crl.pem):
>> > -----BEGIN X509 CRL-----
>> >
>> > -----END X509 CRL-----
>> >
>> > I configured opensips with this:
>> > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
>> >
>> > but I have an error:
>> > ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
>> > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
>> >
>> > Can you tell me, what is exactly the correct format please ?
>> >
>> > Thanks in advance !
>> > ++


Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-25 Thread Mickael Hubert
Hi Razvan,
Thanks a lot.
I loaded the CRL for CA and certs and opensips start correctly ;)

Have a good day !

On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea wrote:

> Hi, Mickael!
>
> I don't have much experience with this, but a first search would point
> to this [1] answer, which seems reasonable to me: you need to provide
> the CRL of the entire path, not only of your intermediate cert. Did you
> try that?
>
> [1] https://stackoverflow.com/a/47398918
>
> Best regards,
>
> Răzvan Crainea
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
>
> On 7/19/23 15:47, Mickael Hubert wrote:
> > Hi all,
> > I'm working on stir and shaken, and I want to include all revoked
> > certificates.
> > I have my list in DER format, I use this command to transform it to PEM format:
> > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
> >
> > there is no error, I can read pem format (crl.pem):
> > -----BEGIN X509 CRL-----
> >
> > -----END X509 CRL-----
> >
> > I configured opensips with this:
> > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
> >
> > but I have an error:
> > ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
> > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
> >
> > Can you tell me, what is exactly the correct format please ?
> >
> > Thanks in advance !
> > ++


Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-24 Thread Răzvan Crainea

Hi, Mickael!

I don't have much experience with this, but a first search would point 
to this [1] answer, which seems reasonable to me: you need to provide 
the CRL of the entire path, not only of your intermediate cert. Did you 
try that?


[1] https://stackoverflow.com/a/47398918

Best regards,

Răzvan Crainea
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 7/19/23 15:47, Mickael Hubert wrote:

Hi all,
I'm working on stir and shaken, and I want to include all revoked 
certificates.

I have my list in DER format, I use this command to transform it to PEM format:
openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem

there is no error, I can read pem format (crl.pem):
-----BEGIN X509 CRL-----

-----END X509 CRL-----

I configured opensips with this:
modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")

but I have an error:
ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate

Can you tell me, what is exactly the correct format please ?

Thanks in advance !
++


[OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-19 Thread Mickael Hubert
Hi all,
I'm working on stir and shaken, and I want to include all revoked
certificates.
I have my list in DER format, I use this command to transform it to PEM format:
openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem

there is no error, I can read pem format (crl.pem):
-----BEGIN X509 CRL-----

-----END X509 CRL-----

I configured opensips with this:
modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")

but I have an error:
ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate

Can you tell me, what is exactly the correct format please ?

Thanks in advance !
++