IIRC, the issue you were having with the validation failures on CentOS 7 was related to a shared library. OpenSSL I think.
-Jon Abrams

On Fri, Jan 6, 2023, 10:30 AM Marcin Groszek <mar...@voipplus.net> wrote:
> Thank you for all your help.
>
> My test opensips installation was on CentOS 7 and cert verification has been failing.
>
> The certificates are verifying with same opensips version 3.1.5 and same configuration on Oracle linux 8.6.
>
> Thank you again for all your answers and help.
>
>
> On 1/5/2023 5:24 PM, Marcin Groszek wrote:
> > Yes it is, I sent it to xlog and it does.
>
> On 1/5/2023 4:45 PM, David Villasmil wrote:
> > Is $var(cert) actually set? Print it out
> >
> > On Thu, 5 Jan 2023 at 23:19, Marcin Groszek <mar...@voipplus.net> wrote:
>> Thank you very much. I have the same file, and verification is still failing. Perhaps my config:
>>
>> $var(found) = cache_fetch("local", $identity(x5u), $var(cert));
>> if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
>>     rest_get( "$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
>>     if ($rc<0 || $var(http_rc) != 200) {
>>         send_reply(436, "Bad Identity Info");
>>         exit;
>>     }
>>     cache_store("local", $identity(x5u), $var(cert), 60);
>> }
>>
>> stir_shaken_verify( "$var(cert)", $var(err_sip_code), $var(err_sip_reason));
>> if ($rc < 0) {
>>     xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason) \n");
>>     send_reply( $var(err_sip_code), $var(err_sip_reason));
>>     exit;
>> }
>>
>> I figured this much:
>>
>> $var(cert) is a public certificate downloaded from $identity(x5u); if it does not exist in local cache it gets pulled and stored.
>>
>> stir_shaken_check_cert("$var(cert)") is generating these errors:
>>
>> ERROR:stir_shaken:load_cert: Failed to parse certificate
>> ERROR:stir_shaken:w_stir_check_cert: Failed to load certificate (because the entry does not exist in local cachedb)
>>
>> This forces the download of the public cert from $identity(x5u) and stores it in local cachedb.
>>
>> The second attempt does not generate these errors; however, calls with a different identity header and url for the public cert should generate the same errors again, as the public cert from the new url is not in local cachedb, but it is NOT generating the same error.
>>
>> Also, I have minimized cache_store down to 1 second and after that the second call with the same $identity(x5u) should generate the same errors, but it is not.
>>
>> An example at the shaken-not-stirred page has:
>>
>> rest_get( "$identity(x5u)", "$var(cert)", $var(ctype), $var(http_rc));
>>
>> but this fails at start-up with error ERROR:core:fix_cmd: Param [2] expected to be a variable, so I removed the double quotes from around $var(cert).
>>
>>
>> On 1/5/2023 1:18 PM, Joseph Jackson wrote:
>>
>> Hi Marcin,
>>
>> I suspect you are correct that it's how you are decoding the ca cert file from iconectiv.
>>
>> Attached is what we have currently and it works in our production environment.
>>
>> If the maillist strips out that attachment let me know. You can reach me directly at jjack...@aninetworks.net
>>
>> Joseph
>>
>> ------------------------------
>> *From:* Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek <mar...@voipplus.net>
>> *Sent:* Thursday, January 5, 2023 10:16 AM
>> *To:* users@lists.opensips.org
>> *Subject:* Re: [OpenSIPS-Users] stir shaken verification
>>
>> Joseph, thank you very much for your response.
>>
>> I have downloaded and applied the new sti-ca file but certificate validation fails.
>>
>> INFO:stir_shaken:verify_callback: certificate validation failed: certificate signature failure
>> INFO:stir_shaken:w_stir_verify: Invalid certificate
>> DBG:core:comp_scriptvar: int 26 : -8 / 0
>> [1637] stir_shaken_verify() failed: 437, Unsupported Credential
>>
>> Perhaps I am not processing the sti-ca file properly.
>>
>> I am testing this with a valid token; in fact test calls are coming from a major cellular carrier in the US and the verification fails.
>>
>> I can see curl download the public cert, storing it in local cache and then attempt to verify, but it fails.
>>
>> Upon the next call with the same token, the public cert is pulled from local cache and still fails.
>>
>>
>> On 1/4/2023 7:37 PM, Joseph Jackson wrote:
>>
>> Hi Marcin,
>>
>> We have a process that downloads the CA list from iconectiv nightly, decodes the jwt and stores the certs in a single file in /etc/ssl/sti-ca/sti-ca.pem
>>
>> Here is the opensips modparam
>>
>> #stir and shaken
>> loadmodule "stir_shaken.so"
>> modparam("stir_shaken", "verify_date_freshness", 300)
>> modparam("stir_shaken", "auth_date_freshness", 300)
>> modparam("stir_shaken", "e164_strict_mode", 0)
>> #list of root certs for stir / shaken verification
>> modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
>>
>> This is on opensips v3.1.11
>>
>> ------------------------------
>> *From:* Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek <mar...@voipplus.net>
>> *Sent:* Wednesday, January 4, 2023 6:12 PM
>> *To:* users@lists.opensips.org
>> *Subject:* [OpenSIPS-Users] stir shaken verification
>>
>> Opensips version 3.1.5
>>
>> I am having some issues with stir_shaken setup. I am sure this is not an issue with the module, but me.
>>
>> stir_shaken_auth works just fine and I am able to sign the calls; however I was unable to find any document on how to use a ca file available for download at iconectiv/download-list as well as via API. They do come in as a jwt file, but after a little manipulation individual certificates can be extracted, and the first one is the root certificate, I think, and the rest are trusted STI-CA. I guess my question is how do I use this file or any other cert file as "ca_list" and/or "ca_dir".
>>
>> After weeks and hundreds of attempts I was unsuccessful, and I was unable to locate any document explaining preparation/setup/steps to set up verification.
>>
>> All I get is:
>>
>> ERROR:stir_shaken:load_cert: Failed to parse certificate
>> ERROR:stir_shaken:w_stir_verify: Failed to load certificate
>>
>> on INVITE with valid identity header.
>>
>> When I remove or replace the "ca_list" file with something bogus, opensips does not even start, with errors:
>>
>> ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
>> ERROR:core:init_mod: failed to initialize module stir_shaken
>>
>> I would really appreciate some guidance on this one.
>>
>> _______________________________________________
>> Users mailing list
>> Users@lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>> --
>> Best Regards:
>> Marcin Groszek
>> Business Phone Service https://www.voipplus.net
>>
> --
> Regards,
>
> David Villasmil
> email: david.villasmil.w...@gmail.com
> phone: +34669448337
>
_______________________________________________ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
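The nightly job Joseph describes above (decode the iconectiv JWT, write the certificates into one sti-ca.pem for `ca_list`) as an added Python example; it is not code from the thread or from OpenSIPS. The payload key `certificates` and the sample token are assumptions/constructed, and the JWT signature is not verified here.

```python
"""Build a stir_shaken "ca_list" PEM bundle from a JWT-wrapped CA list.
Added example, not code from the thread or from OpenSIPS; the JWT is treated as
a container only and its signature is NOT verified here. ASSUMPTION: the payload
is a JSON object holding the PEM text under CERT_KEY (real field name unknown)."""
import base64
import json
import re

CERT_KEY = "certificates"  # ASSUMED payload key, not taken from the thread

# One PEM certificate block: header, base64 body lines, footer (CRLF tolerated).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END CERTIFICATE-----")

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(token: str) -> dict:
    """Return the decoded JSON payload (second compact-JWS segment)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def extract_pem_certs(text) -> list:
    """Pull every well-formed PEM certificate block out of a string or list."""
    if isinstance(text, list):
        text = "\n".join(text)
    return [m.group(0).replace("\r\n", "\n") for m in PEM_BLOCK.finditer(text)]

def build_bundle(token: str) -> str:
    """ca_list file contents: every block newline-terminated, so concatenation
    never glues an END line onto the next BEGIN line."""
    certs = extract_pem_certs(jwt_payload(token)[CERT_KEY])
    if not certs:
        raise ValueError("no PEM certificates found in JWT payload")
    return "".join(cert + "\n" for cert in certs)

def make_sample_token() -> str:
    """Constructed, unsigned sample JWT with dummy (non-certificate) PEM bodies."""
    def pem(n: int) -> str:
        body = base64.b64encode(b"constructed-dummy-cert-%d" % n).decode()
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
    def seg(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = seg(b'{"alg":"none"}')
    payload = seg(json.dumps({CERT_KEY: [pem(1), pem(2)]}).encode())
    return f"{header}.{payload}."
```

Write `build_bundle(token)` to the path you give `ca_list`, then confirm each block parses with `openssl x509 -noout -in` before restarting opensips.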