Thanks Razvan, it's done

On 01/08/2023 15:35, "Users on behalf of Răzvan Crainea" <[email protected] on behalf of [email protected]> wrote:

Hi, Alain!

You are actually right, it looks like the crl_list and ca_dir cannot be dynamic :(.
Could you please open a feature request for this, so we can keep them right, perhaps change them to a tls_mgm domain?

Best regards,

Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com

On 7/28/23 16:45, Alain Bieuzent wrote:
> sorry I wrote nonsense (again...)
> In the French implementation of STIR/SHAKEN we must download certificate
> updates every day (only for crl_list).
> In stir_shaken module documentation, there is no explanation how to put
> crl_list in db.
>
> Regards
>
> On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <[email protected] on behalf of [email protected]> wrote:
>
> Hi Razvan,
>
> I work on the same project as Mickael and we don't understand how the tls_mgm
> can help us in this case.
> In the French implementation of STIR/SHAKEN we must download certificate
> updates every day (ca_list and crl_list).
> How can these updates be considered in real time?
>
> Regards
>
> On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <[email protected] on behalf of [email protected]> wrote:
>
> Hi, Mickael!
>
> The only way is to store certificates in database and reload the tls_mgm
> module (using tls_reload).
>
> Best regards,
>
> Răzvan Crainea
> OpenSIPS Core Developer / SIPhub CTO
> http://www.opensips-solutions.com / https://www.siphub.com
>
> On 7/26/23 16:38, Mickael Hubert wrote:
>> Hi Razvan,
>> another question about crl_list: when the crl list changes, what is the best
>> way to reload this list in OpenSIPS memory? Restart it? Or another way?
>> I know the crl_list can change each day, so if I have to restart
>> opensips each day, it's not very practical.
>>
>> thanks in advance
>>
>> On Tue, 25 Jul 2023 at 14:47, Mickael Hubert <[email protected]> wrote:
>>
>> Hi Razvan,
>> Thanks a lot.
>> I loaded the CRL for CA and certs and opensips starts correctly ;)
>>
>> Have a good day!
>>
>> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea <[email protected]> wrote:
>>
>> Hi, Mickael!
>>
>> I don't have much experience with this, but a first search would point
>> to this [1] answer, which seems reasonable to me: you need to provide
>> the CRL of the entire path, not only of your intermediate cert. Did you
>> try that?
>>
>> [1] https://stackoverflow.com/a/47398918
>>
>> Best regards,
>>
>> Răzvan Crainea
>> OpenSIPS Core Developer
>> http://www.opensips-solutions.com
>>
>> On 7/19/23 15:47, Mickael Hubert wrote:
>>> Hi all,
>>> I'm working on stir and shaken, and I want to include all revoked
>>> certificates.
>>> I have my list in DER format, I use this command to transform it to PEM format:
>>> openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
>>>
>>> there is no error, I can read pem format (crl.pem):
>>> -----BEGIN X509 CRL-----
>>> ....
>>> -----END X509 CRL-----
>>>
>>> I configured opensips with this:
>>> modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
>>>
>>> but I have an error:
>>> ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
>>> Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
>>>
>>> Can you tell me, what is exactly the correct format please?
>>>
>>> Thanks in advance!
>>> ++

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
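
The fix reached in this thread (supply the CRL of every CA in the path, not only the one for the intermediate) can be reproduced outside OpenSIPS with plain OpenSSL. The script below is an added example, not code from the thread or from the OpenSIPS project: it builds a constructed throw-away chain, converts the DER CRLs to PEM with the same `openssl crl` command used in the original post, and shows `openssl verify -crl_check_all` returning "unable to get certificate CRL" for a partial bundle and OK for the full one. All file names, subject names and helper functions are assumptions, and it is assumed that the module's check behaves like OpenSSL's full-path CRL check.

```shell
#!/usr/bin/env bash
# Added example: every name, path and the throw-away PKI below is constructed.
set -eu

# Convert each DER CRL to PEM and concatenate them into one crl_list file.
build_crl_bundle() {  # $1 = output PEM, $2... = DER CRLs, one per CA in the path
  local out=$1 f; shift; : > "$out"
  for f in "$@"; do openssl crl -in "$f" -inform DER -outform PEM >> "$out"; done
}

# Constructed chain root -> intermediate -> leaf, plus one DER CRL per CA.
make_pki() {  # $1 = work dir
  local d=$1 ca; mkdir -p "$d"
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/req.cnf" -extensions ca_ext \
    -subj "/CN=Constructed Root" -days 2 -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=Constructed Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -extfile "$d/req.cnf" -extensions ca_ext -days 2 -out "$d/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=Constructed Leaf" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
    -days 2 -out "$d/leaf.pem" 2>/dev/null
  for ca in root int; do  # minimal "openssl ca" config, needed only for -gencrl
    : > "$d/$ca.idx"
    printf '[ca]\ndefault_ca=c\n[c]\ndatabase=%s\ndefault_md=sha256\ndefault_crl_days=1\n' \
      "$d/$ca.idx" > "$d/$ca.cnf"
    openssl ca -gencrl -config "$d/$ca.cnf" -cert "$d/$ca.pem" -keyfile "$d/$ca.key" \
      2>/dev/null | openssl crl -outform DER -out "$d/$ca.crl.der"
  done
}

# Validate the leaf with revocation checking on every certificate in the path.
verify_leaf() {  # $1 = work dir, $2 = PEM CRL bundle; prints openssl's verdict
  openssl verify -crl_check_all -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    -CRLfile "$2" "$1/leaf.pem" 2>&1 || true
}

demo() {
  local d; d=$(mktemp -d); make_pki "$d"
  build_crl_bundle "$d/partial.pem" "$d/int.crl.der"                  # leaf issuer's CRL only
  build_crl_bundle "$d/full.pem" "$d/root.crl.der" "$d/int.crl.der"   # CRL of every CA
  echo "partial: $(verify_leaf "$d" "$d/partial.pem" | tr '\n' ' ')"
  echo "full:    $(verify_leaf "$d" "$d/full.pem" | tr '\n' ' ')"
  rm -rf "$d"
}
demo
```

The file written by `build_crl_bundle` is the kind of multi-CRL PEM file that the `crl_list` parameter quoted in the original post would point to.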
