Re: [OpenSIPS-Users] stir shaken verification

Wed, 04 Jan 2023 17:41:10 -0800 

Hi Marcin,

We have a process that downloads the CA list from iconectiv nightly,  decodes 
the jwt and stores the certs in a single file in /etc/ssl/sti-ca/sti-ca.pem

Here is the opensips modparam

#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")

This is on opensips v3.1.11


________________________________
From: Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek 
<mar...@voipplus.net>
Sent: Wednesday, January 4, 2023 6:12 PM
To: users@lists.opensips.org <users@lists.opensips.org>
Subject: [OpenSIPS-Users] stir shaken verification


Opensips version 3.1.5

I am having some issues with stir_shaken setup. I am sure this not an issue 
with the module, but me.

stir_shaken_auth works just fine and I am able to sign the calls, however I was 
unable to find any document how to use a ca file available for download at 
iconectiv/download-list as well as via API. They do come in as jwt file, but 
after little manipulation individual certificates can be extracted, and the 
first one is the root certificate; I think, and the rest are trusted STI-CA. I 
guess my question is how do I use this file or any other cert file as "ca_list" 
and/or "ca_dir" .

After weeks and hundreds attempts I was unsuccessful, and I was unable to 
locate any document explaining preparation/setup/steps to setup verification.

All I get is :

ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_verify: Failed to load certificate
on INVITE with valid identity header.

When I remove or replace  "ca_list" file with something bogus opensips does not 
even start  with errors:

ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
ERROR:core:init_mod: failed to initialize module stir_shaken

I would really appreciate some guidance on this one.


_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Reply via email to