Yep, it's working with 1.16.4. So the problem was with the pem ownership. It's a pity secsipid.so doesn't return an access denied error.

CLI does return an error:

error: Unable to read private key file: open /etc/kamailio/ec256-private.pem: permission denied

Regards,

David Villasmil
email: [email protected]
phone: +34669448337

On Mon, May 31, 2021 at 4:26 PM David Villasmil <[email protected]> wrote:

> Daniel,
>
> Ok, i downloaded and installed 1.11.6 just like yours and recompiled, etc.
> I also changed the owner of the pem file, which was owned by root, and not
> by the user kamailio.
>
> Now it's working.
>
> d9655} <script>: [STIR/SHAKEN][157428d2-3cc7-123a-eaad-122eaa5d9655]
> secsipid_add_identity('493044448888', '493055559999', 'A', '', '
> http://asipto.lab/stir/cert.pem', '/etc/kamailio/ec256-private.pem')
> May 31 15:24:08 ip-10-231-32-237 /usr/local/kamailio5/sbin/kamailio[1920]:
> DEBUG: {1 36683532 INVITE 157428d2-3cc7-123a-eaad-122eaa5d9655} secsipid
> [secsipid_mod.c:333]: ki_secsipid_add_identity(): appending identity:
> eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ3NDY0OCwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiI0YWU3NGE3My01N2Q3LTQzZWMtYjMyOS00NDdiMDg4OWVkYmMifQ.AyxAeNFuthcpJld8osJBj9QVxBnwK91zeo0tEusXrMNNrG2aW8N9Az255qf3UlOIDtm1MmQI_y3-Gz6u57OCQA;info=<
> http://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
>
> But now i'm left wondering whether it was the ownership of the file or the
> version.
>
> So i will install again the latest and see what happens.
>
> Regards,
>
> David Villasmil
> email: [email protected]
> phone: +34669448337
>
> On Mon, May 31, 2021 at 2:19 PM David Villasmil <[email protected]> wrote:
>
>> Hello Daniel,
>>
>> Thanks for looking into this:
>>
>> # go version
>> go version go1.16.4 linux/amd64
>>
>> # openssl version
>> OpenSSL 1.1.1d 10 Sep 2019
>> root@sip-stir1:/home/admin#
>> i can try getting the same go version and see what happens.
>>
>> Regards,
>>
>> David Villasmil
>> email: [email protected]
>> phone: +34669448337
>>
>> On Mon, May 31, 2021 at 2:15 PM Daniel-Constantin Mierla <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> what are your operating system, golang and openssl versions?
>>>
>>> I tried on Debian stable and I get the Identity header, see next:
>>>
>>> OPTIONS sip:[email protected] SIP/2.0
>>> Via: SIP/2.0/UDP
>>> 127.0.0.1;branch=z9hG4bK8eba.da1d50fc272715b1f6dfcd665d319b32.0
>>> Via: SIP/2.0/UDP 127.0.1.1:52897
>>> ;received=127.0.0.1;branch=z9hG4bK.2d35a346;rport=56013;alias
>>> From: sip:[email protected]:52897;tag=219ec22d
>>> To: sip:[email protected]
>>> Call-ID: [email protected]
>>> CSeq: 1 OPTIONS
>>> Contact: sip:[email protected]:52897
>>> Content-Length: 0
>>> Max-Forwards: 69
>>> User-Agent: sipsak 0.9.7pre
>>> Accept: text/plain
>>> Identity:
>>> eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9hc2lwdG8ubGFiL3N0aXIvY2VydC5wZW0ifQ.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ2NjUyNSwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiJlOWI3Nzc1OC03ZmI3LTQ1ZWQtYWMwOS02MDlmOTM3NjFiOWQifQ.fnLenxEUk5qyKvY2xChbAPS-kvjiRmu8jKqEzlywFt0RnpDAK-ErUBjbR78aRjt66fJIFEdQ_dXvV-qRoxkWzA;info=
>>> <https://asipto.lab/stir/cert.pem>
>>> ;alg=ES256;ppt=shaken
>>>
>>> The OPTIONS was generated with: sipsak -s sip:[email protected]
>>>
>>> In kamailio.cfg I have:
>>>
>>> if(is_method("OPTIONS|INVITE")) {
>>>     secsipid_add_identity("493044448888", "493055559999", "A", "",
>>>         "https://asipto.lab/stir/cert.pem",
>>>         "/tmp/ec256-private.pem");
>>> }
>>>
>>> Versions:
>>>
>>> $ go version
>>> go version go1.11.6 linux/amd64
>>>
>>> $ openssl version
>>> OpenSSL 1.1.1d 10 Sep 2019
>>>
>>> Cheers,
>>> Daniel
>>>
>>> On 28.05.21 13:05, Daniel-Constantin Mierla wrote:
>>>
>>> I will try to reproduce when I get the first chance these days, maybe I
>>> broke something while I worked to propagate different return codes for
>>> error cases.
>>>
>>> One more question for now: are you using the latest libsecsipid, built
>>> from the master/main branch of the secsipidx project?
>>>
>>> Cheers,
>>> Daniel
>>>
>>> On 28.05.21 10:27, David Villasmil wrote:
>>>
>>> Correct.
>>> That’s a log with debug 3, absolutely nothing is coming out. :(
>>>
>>> On Thu, 27 May 2021 at 20:54, Daniel-Constantin Mierla <[email protected]> wrote:
>>>
>>>> Same logs like with before with previous certificate? Can you attach
>>>> log messages with debug=3?
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>> On 27.05.21 20:13, David Villasmil wrote:
>>>>
>>>> Yep i just tried that :)
>>>>
>>>> I don't get an error on the CLI:
>>>>
>>>> # secsipidx -sign-full -orig-tn 493044448888 -dest-tn 493055559999
>>>> -attest A -x5u http://asipto.lab/stir/cert.pem -k ec256-private.pem
>>>>
>>>> eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjEzOTE1Nywib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiIxOWE5OWY2ZS1mZWE5LTQyYmEtYmU2ZC1lNDZkNjZkMGIzNjcifQ.64Z_uNPA5frA20nqurHxOD8qLtuvcGeMxmx0ZhBmSWFoeEU53nHSmEWOsAJC5eiJLuIWfVI9HFhJIKyK6PMrcA;info=<
>>>> http://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
>>>>
>>>> But still failing in kamailio...
>>>>
>>>> Regards,
>>>>
>>>> David Villasmil
>>>> email: [email protected]
>>>> phone: +34669448337
>>>>
>>>> On Thu, May 27, 2021 at 7:09 PM Daniel-Constantin Mierla <[email protected]> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> On 27.05.21 19:58, David Villasmil wrote:
>>>>>
>>>>> Hello guys,
>>>>>
>>>>> I want to test secsipid, but i don't yet have the certificate.
>>>>> So i thought i'd create a cert like:
>>>>>
>>>>> openssl req -new -newkey rsa:4096 -nodes -keyout snakeoil.key -out
>>>>> snakeoil.csr
>>>>> openssl x509 -req -sha256 -days 365 -in snakeoil.csr -signkey
>>>>> snakeoil.key -out snakeoil.pem
>>>>>
>>>>> Then i'm simply doing:
>>>>>
>>>>> $var(rc) = secsipid_add_identity("$fU", "$rU", "A", "",
>>>>>     "https://somedomain.com/stir/$rd/cert.pem",
>>>>>     "/etc/kamailio/snakeoil.pem");
>>>>> if ( $var(rc) ) {
>>>>>     xlog("L_ERR", "[STIR/SHAKEN][$ci] Shaken authentication added (SIP Identity Header created)\n");
>>>>> } else {
>>>>>     xlog("L_ERR", "[STIR/SHAKEN][$ci] Failed\n");
>>>>> }
>>>>>
>>>>> But no matter what i do it silently fails:
>>>>>
>>>>> INVITE d54c2919-39b6-123a-95a7-0e29a5289b8d} <script>:
>>>>> [STIR/SHAKEN][d54c2919-39b6-123a-95a7-0e29a5289b8d] Failed
>>>>>
>>>>> I have debug on 6, but i don't get more info regarding the error.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> based on the specs, it should not be the usual ssl/tls certificate,
>>>>> try to generate them using the guidelines at:
>>>>>
>>>>> * https://github.com/asipto/secsipidx#keys-generation
>>>>>
>>>>> Cheers,
>>>>> Daniel
>>>>>
>>>>> --
>>>>> Daniel-Constantin Mierla -- www.asipto.com
>>>>> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>>>>> Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
>>>>> * https://www.asipto.com/sw/kamailio-advanced-training-online/
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
  * [email protected]
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
