Hi Marcin, I suspect you are correct that its how you are decoding the ca cert file from iconectiv.
attached is what we have currently and it works in our production enviroment. If the maillist strips out that attachment let me know. You can reach me directly at jjack...@aninetworks.net Joseph ________________________________ From: Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek <mar...@voipplus.net> Sent: Thursday, January 5, 2023 10:16 AM To: users@lists.opensips.org <users@lists.opensips.org> Subject: Re: [OpenSIPS-Users] stir shaken verification Joseph, Thank you very much for your respond. I have downloaded and apply new sti-ca file but certificate validation fails. INFO:stir_shaken:verify_callback: certificate validation failed: certificate signature failure INFO:stir_shaken:w_stir_verify: Invalid certificate DBG:core:comp_scriptvar: int 26 : -8 / 0 [1637] stir_shaken_verify() failed: 437, Unsupported Credential Perhaps I am not processing the sti-ca file properly. I am testing this with a valid token , in fact test calls are coming from major cellular carrier in US and the verification fails. I can see curl download the public cert, storing it in local cache and then attempt to verify, but it fails. Upon next call with same token, the public cert is pulled from local cache and still fails. On 1/4/2023 7:37 PM, Joseph Jackson wrote: Hi Marcin, We have a process that downloads the CA list from iconectiv nightly, decodes the jwt and stores the certs in a single file in /etc/ssl/sti-ca/sti-ca.pem Here is the opensips modparam #stir and shaken loadmodule "stir_shaken.so" modparam("stir_shaken", "verify_date_freshness", 300) modparam("stir_shaken", "auth_date_freshness", 300) modparam("stir_shaken", "e164_strict_mode", 0) #list of root certs for stir / shaken verification modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem") This is on opensips v3.1.11 ________________________________ From: Users <users-boun...@lists.opensips.org><mailto:users-boun...@lists.opensips.org> on behalf of Marcin Groszek <mar...@voipplus.net><mailto:mar...@voipplus.net> Sent: Wednesday, January 4, 2023 6:12 PM To: users@lists.opensips.org<mailto:users@lists.opensips.org> <users@lists.opensips.org><mailto:users@lists.opensips.org> Subject: [OpenSIPS-Users] stir shaken verification Opensips version 3.1.5 I am having some issues with stir_shaken setup. I am sure this not an issue with the module, but me. stir_shaken_auth works just fine and I am able to sign the calls, however I was unable to find any document how to use a ca file available for download at iconectiv/download-list as well as via API. They do come in as jwt file, but after little manipulation individual certificates can be extracted, and the first one is the root certificate; I think, and the rest are trusted STI-CA. I guess my question is how do I use this file or any other cert file as "ca_list" and/or "ca_dir" . After weeks and hundreds attempts I was unsuccessful, and I was unable to locate any document explaining preparation/setup/steps to setup verification. All I get is : ERROR:stir_shaken:load_cert: Failed to parse certificate ERROR:stir_shaken:w_stir_verify: Failed to load certificate on INVITE with valid identity header. When I remove or replace "ca_list" file with something bogus opensips does not even start with errors: ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs ERROR:core:init_mod: failed to initialize module stir_shaken I would really appreciate some guidance on this one. _______________________________________________ Users mailing list Users@lists.opensips.org<mailto:Users@lists.opensips.org> http://lists.opensips.org/cgi-bin/mailman/listinfo/users -- Best Regards: Marcin Groszek Business Phone Service https://www.voipplus.net
sti-ca.pem
Description: sti-ca.pem
_______________________________________________ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users