I was/am suspecting the openssl library, but I refuse to dedicate any more time to troubleshooting it. It is quite easy to install a new OS and try it again, especially for a test environment.

On 1/6/2023 10:36 AM, Jonathan Abrams wrote:
IIRC, the issue you were having with the validation failures on CentOS 7 was related to a shared library. OpenSSL I think.

-Jon Abrams


On Fri, Jan 6, 2023, 10:30 AM Marcin Groszek <mar...@voipplus.net> wrote:

    Thank you for all your help.

    My test opensips installation was on CentOS 7 and cert
    verification has been failing.

    The certificates are verifying with the same opensips version 3.1.5
    and the same configuration on Oracle Linux 8.6.

    Thank you again for all your answers and help.


    On 1/5/2023 5:24 PM, Marcin Groszek wrote:

    Yes it is, I sent it to xlog and it does.

    On 1/5/2023 4:45 PM, David Villasmil wrote:
    Is $var(cert) actually set? Print it out

    On Thu, 5 Jan 2023 at 23:19, Marcin Groszek <mar...@voipplus.net> wrote:

        Thank you very much. I have the same file, and verification
        is still failing. Perhaps my config:


        # look the x5u cert up in the local cache; re-fetch if missing or unparsable
        $var(found) = cache_fetch("local", $identity(x5u), $var(cert));
        if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
            rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
            if ($rc < 0 || $var(http_rc) != 200) {
                send_reply(436, "Bad Identity Info");
                exit;
            }
            # cache the downloaded public cert for 60 seconds
            cache_store("local", $identity(x5u), $var(cert), 60);
        }

        # verify the Identity header against the cert and the configured ca_list
        stir_shaken_verify("$var(cert)", $var(err_sip_code), $var(err_sip_reason));
        if ($rc < 0) {
            xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason)\n");
            send_reply($var(err_sip_code), $var(err_sip_reason));
            exit;
        }


        I figured this much:

        $var(cert) is the public certificate downloaded from
        $identity(x5u); if it does not exist in the local cache it gets
        pulled and stored.

        stir_shaken_check_cert("$var(cert)") is generating these errors:

        ERROR:stir_shaken:load_cert: Failed to parse certificate
        ERROR:stir_shaken:w_stir_check_cert: Failed to load
        certificate (because the entry does not exist in the local cachedb)

        This forces the download of the public cert from
        $identity(x5u) and storing it in the local cachedb.

        The second attempt does not generate these errors; however, calls
        with a different identity header and URL for the public cert should
        generate the same errors again, as the public cert from the new URL
        is not in the local cachedb, but it is NOT generating the same error.

        Also, I have minimized cache_store down to 1 second, and
        after that a second call with the same $identity(x5u) should
        generate the same errors, but it is not.

        The example on the shaken-not-stirred page has:

        rest_get( "$identity(x5u)", "$var(cert)",
                 $var(ctype), $var(http_rc));

        but this fails at start-up with error ERROR:core:fix_cmd:
        Param [2] expected to be a variable, so I removed the double
        quotes from around $var(cert).



        On 1/5/2023 1:18 PM, Joseph Jackson wrote:
        Hi Marcin,

        I suspect you are correct that it's how you are decoding the
        CA cert file from iconectiv.

        Attached is what we have currently and it works in our
        production environment.

        If the maillist strips out that attachment let me know.
        You can reach me directly at jjack...@aninetworks.net

        Joseph

        ------------------------------------------------------------------------
        *From:* Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek <mar...@voipplus.net>
        *Sent:* Thursday, January 5, 2023 10:16 AM
        *To:* users@lists.opensips.org
        *Subject:* Re: [OpenSIPS-Users] stir shaken verification

        Joseph, thank you very much for your response.


        I have downloaded and applied the new sti-ca file but certificate
        validation fails.

        INFO:stir_shaken:verify_callback: certificate validation
        failed: certificate signature failure
        INFO:stir_shaken:w_stir_verify: Invalid certificate
        DBG:core:comp_scriptvar: int 26 : -8 / 0
        [1637] stir_shaken_verify() failed: 437, Unsupported Credential


        Perhaps I am not processing the sti-ca file properly.


        I am testing this with a valid token; in fact the test calls
        are coming from a major cellular carrier in the US and the
        verification fails.

        I can see curl download the public cert, store it in the
        local cache and then attempt to verify, but it fails.

        Upon the next call with the same token, the public cert is pulled
        from the local cache and still fails.




        On 1/4/2023 7:37 PM, Joseph Jackson wrote:
        Hi Marcin,

        We have a process that downloads the CA list from
        iconectiv nightly, decodes the JWT and stores the certs
        in a single file in /etc/ssl/sti-ca/sti-ca.pem

        Here is the opensips modparam

        #stir and shaken
        loadmodule "stir_shaken.so"
        modparam("stir_shaken", "verify_date_freshness", 300)
        modparam("stir_shaken", "auth_date_freshness", 300)
        modparam("stir_shaken", "e164_strict_mode", 0)
        #list of root certs for stir / shaken verification
        modparam("stir_shaken", "ca_list",
        "/etc/ssl/sti-ca/sti-ca.pem")

        This is on opensips v3.1.11


        ------------------------------------------------------------------------
        *From:* Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek <mar...@voipplus.net>
        *Sent:* Wednesday, January 4, 2023 6:12 PM
        *To:* users@lists.opensips.org
        *Subject:* [OpenSIPS-Users] stir shaken verification

        Opensips version 3.1.5

        I am having some issues with stir_shaken setup. I am sure
        this is not an issue with the module, but me.

        stir_shaken_auth works just fine and I am able to sign
        the calls; however, I was unable to find any document on how
        to use the CA file available for download at
        iconectiv/download-list as well as via API. They come
        in as a JWT file, but after a little manipulation individual
        certificates can be extracted, and the first one is the
        root certificate, I think, and the rest are trusted
        STI-CAs. I guess my question is how do I use this file or
        any other cert file as "ca_list" and/or "ca_dir".

        After weeks and hundreds of attempts I was unsuccessful, and
        I was unable to locate any document explaining the
        preparation/setup/steps to set up verification.

        All I get is :

        ERROR:stir_shaken:load_cert: Failed to parse certificate
        ERROR:stir_shaken:w_stir_verify: Failed to load certificate
        on INVITE with valid identity header.

        When I remove or replace the "ca_list" file with something
        bogus opensips does not even start, with errors:

        ERROR:stir_shaken:init_cert_validation: Failed to load
        trustefd CAs
        ERROR:core:init_mod: failed to initialize module stir_shaken

        I would really appreciate some guidance on this one.


        _______________________________________________
        Users mailing list
        Users@lists.opensips.org
        http://lists.opensips.org/cgi-bin/mailman/listinfo/users
-- Best Regards:
        Marcin Groszek
        Business Phone Service
        https://www.voipplus.net

-- Regards,

    David Villasmil
    email: david.villasmil.w...@gmail.com
    <mailto:david.villasmil.w...@gmail.com>
    phone: +34669448337
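The nightly step Joseph describes above (fetch the iconectiv CA-list JWT, decode it, write every certificate into the single PEM file that modparam "ca_list" points at), as an added example that is not code from this thread or from the OpenSIPS project. It assumes the JWT payload carries the certificates as PEM strings (the "trustList" key and the tiny stand-in certificate body are constructed for the example), and it checks the JWT's structure only, not its signature.

```python
import base64
import json
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Constructed sample: the body is a tiny DER SEQUENCE (30 03 02 01 01) standing in
# for a real certificate so this runs offline; "trustList" is an assumed key name.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----"
SAMPLE_PAYLOAD = {"version": "1.0", "trustList": [FAKE_PEM, FAKE_PEM, "junk"]}

def b64url_decode(part: str) -> bytes:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def jwt_payload(token: str) -> dict:
    """Claims only: the JWS signature is NOT verified here, check it upstream."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def looks_like_der_cert(pem: str) -> bool:
    """Cheap sanity check: the body must decode to a DER SEQUENCE (tag 0x30)."""
    try:
        der = base64.b64decode("".join(pem.splitlines()[1:-1]), validate=True)
    except ValueError:
        return False
    return len(der) > 2 and der[0] == 0x30

def extract_certs(token: str) -> list:
    """Unique, well-formed PEM blocks found anywhere in the payload, in order."""
    # Scan the re-serialised JSON so the exact key does not matter; json escapes
    # the PEM line breaks as \n (and \r), which is undone per match.
    out = []
    for esc in PEM_RE.findall(json.dumps(jwt_payload(token))):
        pem = esc.replace("\\r", "").replace("\\n", "\n")
        if pem not in out and looks_like_der_cert(pem):
            out.append(pem)
    return out

def make_token(payload: dict) -> str:
    """Unsigned sample token (alg=none, dummy signature) used as constructed input."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"

if __name__ == "__main__":
    certs = extract_certs(make_token(SAMPLE_PAYLOAD))
    with open("sti-ca.pem", "w") as f:  # one file to point modparam "ca_list" at
        f.write("\n".join(certs) + "\n")
```

With a real list, feed the downloaded token to extract_certs() and write the result to /etc/ssl/sti-ca/sti-ca.pem; the DER check rejects padding or garbage entries that would otherwise make the module fail with "Failed to load trusted CAs" at start-up.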