sorry I wrote nonsense (again...)

In the French implementation of STIR/SHAKEN we must download certificate updates every day (only for crl_list).
In the stir_shaken module documentation, there is no explanation of how to put crl_list in db.

Regards

On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <[email protected] on behalf of [email protected]> wrote:

Hi Razvan,

I work on the same project as Mickael and we don't understand how the tls_mgm can help us in this case.
In the French implementation of STIR/SHAKEN we must download certificate updates every day (ca_list and crl_list).
How can these updates be considered in real time?

Regards

On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <[email protected] on behalf of [email protected]> wrote:

Hi, Mickael!

The only way is to store certificates in database and reload the tls_mgm module (using tls_reload).

Best regards,

Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com

On 7/26/23 16:38, Mickael Hubert wrote:
> Hi Razvan,
> another question about crl_list: when the crl list has changed, what is the best
> way to reload this list in OpenSIPS memory? restart it? or another way?
> I know the crl_list can change each day, so if I have to restart
> opensips each day, it's not very practical.
>
> thanks in advance
>
> On Tue, 25 Jul 2023 at 14:47, Mickael Hubert <[email protected]> wrote:
>
> Hi Razvan,
> Thanks a lot.
> I loaded the CRL for CA and certs and opensips starts correctly ;)
>
> Have a good day!
>
> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea <[email protected]> wrote:
>
> Hi, Mickael!
>
> I don't have much experience with this, but a first search would point
> to this [1] answer, which seems reasonable to me: you need to provide
> the CRL of the entire path, not only of your intermediate cert.
> Did you try that?
>
> [1] https://stackoverflow.com/a/47398918
>
> Best regards,
>
> Răzvan Crainea
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
>
> On 7/19/23 15:47, Mickael Hubert wrote:
> > Hi all,
> > I'm working on stir and shaken, and I want to include all revoked
> > certificates.
> > I have my list in DER format, I use this command to transform it to PEM format:
> > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
> >
> > there is no error, I can read pem format (crl.pem):
> > -----BEGIN X509 CRL-----
> > ....
> > -----END X509 CRL-----
> >
> > I configured opensips with this:
> > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
> >
> > but I have an error:
> > ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
> > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
> >
> > Can you tell me what exactly is the correct format, please?
> >
> > Thanks in advance!
> > ++
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
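The failure and fix discussed in the thread can be reproduced offline with the OpenSSL CLI. This is an added example, not part of the original messages or of OpenSIPS: it builds a constructed root, intermediate and leaf (all names and file names are made up) and shows that full-path CRL checking reports "unable to get certificate CRL" when only the issuing CA's CRL is supplied, and succeeds once the CRLs of the entire path are concatenated into one PEM file. It assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> leaf. Nothing here is from the thread.
set -eu
d=$(mktemp -d); cd "$d"
: > index.txt                        # empty revocation database: no certificate revoked
cat > ca.cnf <<'EOF'
[req]
distinguished_name = req
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = index.txt
default_md = sha256
default_crl_days = 1
EOF

newkey() {       # newkey <name> <req args...>: fresh key plus CSR or self-signed cert
    n=$1; shift
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=demo $n" \
        -keyout "$n.key" "$@" 2>/dev/null
}
sign() {         # sign <child> <issuer> <x509 args...>: issuer signs the child's CSR
    c=$1; i=$2; shift 2
    openssl x509 -req -in "$c.csr" -CA "$i.pem" -CAkey "$i.key" -CAcreateserial \
        -days 2 -out "$c.pem" "$@" 2>/dev/null
}
gencrl() {       # gencrl <ca>: PEM CRL signed by that CA
    openssl ca -gencrl -config ca.cnf -cert "$1.pem" -keyfile "$1.key" \
        -out "$1.crl.pem" 2>/dev/null
}
verify_leaf() {  # verify_leaf <crl file>: prints openssl's verdict, returns its status
    openssl verify -crl_check_all -CAfile root.pem -untrusted int.pem \
        -CRLfile "$1" leaf.pem 2>&1
}

newkey root -x509 -extensions v3_ca -days 2 -out root.pem
newkey int -new -out int.csr
sign int root -extfile ca.cnf -extensions v3_ca
newkey leaf -new -out leaf.csr
sign leaf int
gencrl root; gencrl int
cat int.crl.pem root.crl.pem > crl_chain.pem   # one CRL per issuer in the path

partial=$(verify_leaf int.crl.pem) || true     # CRL of the leaf's issuer only
full=$(verify_leaf crl_chain.pem)              # CRLs for the whole path
printf 'issuing-CA CRL only:\n%s\n\nfull-path CRL bundle:\n%s\n' "$partial" "$full"
```

A CRL delivered in DER form is first converted with the `openssl crl -inform DER -outform PEM` command from the original post before being appended to the bundle.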
