Hi, Mickael!

The only way is to store certificates in the database and reload the tls_mgm module (using tls_reload).

Best regards,

Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com

On 7/26/23 16:38, Mickael Hubert wrote:
Hi Razvan,
Another question about crl_list: when the CRL list changes, what is the best way to reload this list in OpenSIPS memory? Restart it? Or another way? I know the crl_list can change each day, so if I have to restart opensips each day, it's not very practical.

Thanks in advance

On Tue, 25 Jul 2023 at 14:47, Mickael Hubert <mick...@winlux.fr> wrote:

    Hi Razvan,
    Thanks a lot.
    I loaded the CRL for CA and certs and opensips starts correctly ;)

    Have a good day!

    On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea <raz...@opensips.org> wrote:

        Hi, Mickael!

        I don't have much experience with this, but a first search would point
        to this [1] answer, which seems reasonable to me: you need to provide
        the CRL of the entire path, not only of your intermediate cert. Did you
        try that?

        [1] https://stackoverflow.com/a/47398918

        Best regards,

        Răzvan Crainea
        OpenSIPS Core Developer
        http://www.opensips-solutions.com

        On 7/19/23 15:47, Mickael Hubert wrote:
         > Hi all,
         > I'm working on stir and shaken, and I want to include all revoked
         > certificates.
         > I have my list in DER format; I use this command to transform it to PEM format:
         > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
         >
         > There is no error, I can read the PEM format (crl.pem):
         > -----BEGIN X509 CRL-----
         > ....
         > -----END X509 CRL-----
         >
         > I configured opensips with this:
         > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
         >
         > but I have an error:
         > Jul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
         > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
         >
         > Can you tell me what exactly the correct format is, please?
         >
         > Thanks in advance!
         > ++
         >
         > _______________________________________________
         > Users mailing list
         > Users@lists.opensips.org <mailto:Users@lists.opensips.org>
         > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
        <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>

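An added example, not part of the thread and not OpenSIPS code: a shell sketch of the advice quoted above to supply CRLs for the entire path. It merges one CRL per issuing CA (DER or PEM) into a single PEM bundle and checks a certificate against it with `openssl verify -crl_check_all`. The function names and input files are hypothetical, and it is an assumption that `crl_list` accepts a PEM file holding several CRLs.

```shell
#!/bin/sh
# Added example (not from the thread). Needs the openssl CLI for DER input
# and for verification. All file names are supplied by the caller.

PEM_CRL_HEADER='-----BEGIN X509 CRL-----'

# build_crl_bundle OUT CRL [CRL...]
# Writes every input CRL to OUT in PEM form. PEM inputs are copied as-is;
# anything else is treated as DER and converted with the same openssl
# command used in the thread.
build_crl_bundle() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp"
    for crl in "$@"; do
        if grep -q -e "$PEM_CRL_HEADER" "$crl"; then
            awk 1 "$crl" >> "$tmp"      # awk 1 guarantees a trailing newline
        else
            openssl crl -in "$crl" -inform DER -outform PEM >> "$tmp" \
                || { rm -f "$tmp"; return 1; }
        fi
    done
    mv "$tmp" "$out"                    # swap in the new bundle in one step
}

# count_crls BUNDLE
# Number of CRLs in the bundle; compare it with the number of issuing CAs
# in the chain (root plus each intermediate).
count_crls() {
    grep -c -e "$PEM_CRL_HEADER" "$1"
}

# verify_with_crls ROOT_PEM INTERMEDIATES_PEM BUNDLE CERT_PEM
# -crl_check_all checks revocation along the whole path, so a CRL from each
# issuing CA must be in the bundle; a missing one is reported as
# "unable to get certificate CRL", the error seen in the thread.
verify_with_crls() {
    openssl verify -crl_check_all -CAfile "$1" -untrusted "$2" \
        -CRLfile "$3" "$4"
}
```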