Hi Marcin,
We have a process that downloads the CA list from iconectiv nightly, decodes
the jwt and stores the certs in a single file in /etc/ssl/sti-ca/sti-ca.pem
Here is the opensips modparam
#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
This is on opensips v3.1.11
________________________________
From: Users <[email protected]> on behalf of Marcin Groszek
<[email protected]>
Sent: Wednesday, January 4, 2023 6:12 PM
To: [email protected] <[email protected]>
Subject: [OpenSIPS-Users] stir shaken verification
Opensips version 3.1.5
I am having some issues with stir_shaken setup. I am sure this not an issue
with the module, but me.
stir_shaken_auth works just fine and I am able to sign the calls, however I was
unable to find any document how to use a ca file available for download at
iconectiv/download-list as well as via API. They do come in as jwt file, but
after little manipulation individual certificates can be extracted, and the
first one is the root certificate; I think, and the rest are trusted STI-CA. I
guess my question is how do I use this file or any other cert file as "ca_list"
and/or "ca_dir" .
After weeks and hundreds attempts I was unsuccessful, and I was unable to
locate any document explaining preparation/setup/steps to setup verification.
All I get is :
ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_verify: Failed to load certificate
on INVITE with valid identity header.
When I remove or replace "ca_list" file with something bogus opensips does not
even start with errors:
ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
ERROR:core:init_mod: failed to initialize module stir_shaken
I would really appreciate some guidance on this one.
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
