Is $var(cert) actually set? Print it out

On Thu, 5 Jan 2023 at 23:19, Marcin Groszek <mar...@voipplus.net> wrote:
> Thank you very much. I have the same file, and verification is still
> failing. Perhaps my config:
>
> $var(found) = cache_fetch("local", $identity(x5u), $var(cert));
> if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
>     rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
>     if ($rc<0 || $var(http_rc) != 200) {
>         send_reply(436, "Bad Identity Info");
>         exit;
>     }
>     cache_store("local", $identity(x5u), $var(cert), 60);
> }
>
> stir_shaken_verify("$var(cert)", $var(err_sip_code), $var(err_sip_reason));
> if ($rc < 0) {
>     xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason) \n");
>     send_reply($var(err_sip_code), $var(err_sip_reason));
>     exit;
> }
>
> I figured this much:
>
> $var(cert) is a public certificate downloaded from $identity(x5u); if it
> does not exist in local cache it gets pulled and stored.
>
> stir_shaken_check_cert("$var(cert)") is generating these errors:
>
> ERROR:stir_shaken:load_cert: Failed to parse certificate
> ERROR:stir_shaken:w_stir_check_cert: Failed to load certificate (because
> the entry does not exist in local cachedb)
>
> This forces the download of the public cert from $identity(x5u) and storing
> it in local cachedb.
>
> The second attempt does not generate these errors; however, calls with a different
> identity header and URL for the public cert should generate the same errors again,
> as the public cert from the new URL is not in local cachedb, but it is NOT
> generating the same error.
>
> Also, I have minimized cache_store down to 1 second, and after that second a
> call with the same $identity(x5u) should generate the same errors, but it is not.
>
> An example at the shaken-not-stirred page has:
>
> rest_get("$identity(x5u)", "$var(cert)", $var(ctype), $var(http_rc));
>
> but this fails at start-up with error ERROR:core:fix_cmd: Param [2]
> expected to be a variable, so I removed the double quotes from around
> $var(cert).
>
> On 1/5/2023 1:18 PM, Joseph Jackson wrote:
>
> Hi Marcin,
>
> I suspect you are correct that it's how you are decoding the CA cert file
> from iconectiv.
>
> Attached is what we have currently and it works in our production
> environment.
>
> If the maillist strips out that attachment let me know. You can reach me
> directly at jjack...@aninetworks.net
>
> Joseph
>
> ------------------------------
> *From:* Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek <mar...@voipplus.net>
> *Sent:* Thursday, January 5, 2023 10:16 AM
> *To:* users@lists.opensips.org
> *Subject:* Re: [OpenSIPS-Users] stir shaken verification
>
> Joseph, thank you very much for your response.
>
> I have downloaded and applied the new sti-ca file but certificate validation
> fails.
>
> INFO:stir_shaken:verify_callback: certificate validation failed: certificate signature failure
> INFO:stir_shaken:w_stir_verify: Invalid certificate
> DBG:core:comp_scriptvar: int 26 : -8 / 0
> [1637] stir_shaken_verify() failed: 437, Unsupported Credential
>
> Perhaps I am not processing the sti-ca file properly.
>
> I am testing this with a valid token; in fact test calls are coming from a
> major cellular carrier in the US and the verification fails.
>
> I can see curl download the public cert, storing it in local cache and
> then attempting to verify, but it fails.
>
> Upon the next call with the same token, the public cert is pulled from local cache
> and still fails.
>
> On 1/4/2023 7:37 PM, Joseph Jackson wrote:
>
> Hi Marcin,
>
> We have a process that downloads the CA list from iconectiv nightly,
> decodes the JWT and stores the certs in a single file in
> /etc/ssl/sti-ca/sti-ca.pem
>
> Here is the opensips modparam:
>
> #stir and shaken
> loadmodule "stir_shaken.so"
> modparam("stir_shaken", "verify_date_freshness", 300)
> modparam("stir_shaken", "auth_date_freshness", 300)
> modparam("stir_shaken", "e164_strict_mode", 0)
> #list of root certs for stir / shaken verification
> modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
>
> This is on opensips v3.1.11
>
> ------------------------------
> *From:* Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek <mar...@voipplus.net>
> *Sent:* Wednesday, January 4, 2023 6:12 PM
> *To:* users@lists.opensips.org
> *Subject:* [OpenSIPS-Users] stir shaken verification
>
> Opensips version 3.1.5
>
> I am having some issues with stir_shaken setup. I am sure this is not an
> issue with the module, but me.
>
> stir_shaken_auth works just fine and I am able to sign the calls; however,
> I was unable to find any document on how to use a CA file available for
> download at iconectiv/download-list as well as via API. They do come in as a
> JWT file, but after a little manipulation individual certificates can be
> extracted, and the first one is the root certificate, I think, and the rest
> are trusted STI-CAs. I guess my question is how do I use this file or any
> other cert file as "ca_list" and/or "ca_dir".
>
> After weeks and hundreds of attempts I was unsuccessful, and I was unable to
> locate any document explaining preparation/setup/steps to set up
> verification.
>
> All I get is:
>
> ERROR:stir_shaken:load_cert: Failed to parse certificate
> ERROR:stir_shaken:w_stir_verify: Failed to load certificate
>
> on INVITE with valid identity header.
>
> When I remove or replace the "ca_list" file with something bogus opensips
> does not even start, with errors:
>
> ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
> ERROR:core:init_mod: failed to initialize module stir_shaken
>
> I would really appreciate some guidance on this one.
>
> _______________________________________________
> Users mailing list
> Users@lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> --
> Best Regards:
> Marcin Groszek
> Business Phone Service
> https://www.voipplus.net
>

--
Regards,

David Villasmil
email: david.villasmil.w...@gmail.com
phone: +34669448337
_______________________________________________ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
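The nightly job Joseph describes (decode the iconectiv JWT, write every certificate into one PEM file for `ca_list`), as an added example that is not code from the thread or from the OpenSIPS project. The thread does not give the payload layout of the iconectiv list, so this scans the decoded JWT payload for PEM blocks wherever they appear rather than assuming field names; each block must decode to DER (a leading SEQUENCE tag), duplicates are dropped, and the sample token is constructed with placeholder DER bodies, so it exercises the extraction only. The JWS signature on the list is not checked here.

```python
import base64
import json
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")

def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT. The JWS signature is NOT verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    pad = "=" * (-len(parts[1]) % 4)  # JWTs strip base64url padding; restore it
    return json.loads(base64.urlsafe_b64decode(parts[1] + pad))

def iter_strings(obj):
    """Yield every string nested anywhere in a decoded JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from iter_strings(v)

def pem_is_der_sequence(body_b64: str) -> bool:
    """True if the base64 body decodes and the DER starts with a SEQUENCE tag (0x30)."""
    try:
        der = base64.b64decode(body_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 2 and der[0] == 0x30

def extract_ca_bundle(token: str) -> list:
    """Unique, DER-plausible PEM certificates found anywhere in the payload, re-wrapped at 64 columns."""
    certs = []
    for text in iter_strings(jwt_payload(token)):
        for body in PEM_RE.findall(text):
            b64 = "".join(body.split())  # drop line breaks inside the base64 body
            if pem_is_der_sequence(b64):
                wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
                pem = f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
                if pem not in certs:  # the same CA may be listed more than once
                    certs.append(pem)
    return certs

def make_sample_token() -> str:
    """Constructed sample JWT; its 'certificates' are 5-byte DER SEQUENCEs, not real certs."""
    pem = lambda der: f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----"
    payload = {"certs": [pem(b"\x30\x03\x02\x01\x01")] * 2 + ["-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----"],
               "nested": {"root": pem(b"\x30\x03\x02\x01\x02")}, "note": "no cert here"}  # one CA listed twice; AAAA is not DER
    seg = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join(seg(s) for s in (b'{"alg":"ES256"}', json.dumps(payload).encode(), b"sig"))
```

Write `"".join(extract_ca_bundle(token))` to the path named in `ca_list` (Joseph uses /etc/ssl/sti-ca/sti-ca.pem) and restart OpenSIPS. Treat an empty result as a failed run rather than writing it, since the module refuses to start without loadable CAs (the `init_cert_validation` error quoted above).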