Joseph, Thank you very much for your respond.
I have downloaded and apply new sti-ca file but certificate validation
fails.
INFO:stir_shaken:verify_callback: certificate validation failed:
certificate signature failure
INFO:stir_shaken:w_stir_verify: Invalid certificate
DBG:core:comp_scriptvar: int 26 : -8 / 0
[1637] stir_shaken_verify() failed: 437, Unsupported Credential
Perhaps I am not processing the sti-ca file properly.
I am testing this with a valid token , in fact test calls are coming
from major cellular carrier in US and the verification fails.
I can see curl download the public cert, storing it in local cache and
then attempt to verify, but it fails.
Upon next call with same token, the public cert is pulled from local
cache and still fails.
On 1/4/2023 7:37 PM, Joseph Jackson wrote:
Hi Marcin,
We have a process that downloads the CA list from iconectiv nightly,
decodes the jwt and stores the certs in a single file in
/etc/ssl/sti-ca/sti-ca.pem
Here is the opensips modparam
#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
This is on opensips v3.1.11
------------------------------------------------------------------------
*From:* Users <users-boun...@lists.opensips.org> on behalf of Marcin
Groszek <mar...@voipplus.net>
*Sent:* Wednesday, January 4, 2023 6:12 PM
*To:* users@lists.opensips.org <users@lists.opensips.org>
*Subject:* [OpenSIPS-Users] stir shaken verification
Opensips version 3.1.5
I am having some issues with stir_shaken setup. I am sure this not an
issue with the module, but me.
|stir_shaken_auth works just fine and I am able to sign the calls,
however I was unable to find any document how to use a ca file
available for download at iconectiv/download-list as well as via API.
They do come in as jwt file, but after little manipulation individual
certificates can be extracted, and the first one is the root
certificate; I think, and the rest are trusted STI-CA. ||I guess my
question is how do I use this file or any other cert file as
|"ca_list" and/or "ca_dir" .
After weeks and hundreds attempts I was unsuccessful, and I was unable
to locate any document explaining preparation/setup/steps to setup
verification.
All I get is :
ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_verify: Failed to load certificate
on INVITE with valid identity header.
When I remove or replaceĀ "ca_list" file with something bogus opensips
does not even startĀ with errors:
ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
ERROR:core:init_mod: failed to initialize module stir_shaken
I would really appreciate some guidance on this one.
||
||
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
--
Best Regards:
Marcin Groszek
Business Phone Service
https://www.voipplus.net
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
