[OpenSIPS-Users] stir shaken verification
Marcin Groszek
marcin at voipplus.net
Fri Jan 6 16:27:13 UTC 2023
Thank you for all your help.
My test opensips installation was on CentOS 7 and cert verification has
been failing.
The certificates verify with the same opensips version 3.1.5 and the same
configuration on Oracle Linux 8.6.
Thank you again for all your answers and help.
On 1/5/2023 5:24 PM, Marcin Groszek wrote:
>
> Yes it is, I sent it to xlog and it does.
>
> On 1/5/2023 4:45 PM, David Villasmil wrote:
>> Is $var(cert) actually set? Print it out
>>
>> On Thu, 5 Jan 2023 at 23:19, Marcin Groszek <marcin at voipplus.net> wrote:
>>
>> Thank you very much. I have the same file, and verification is
>> still failing. Perhaps my config:
>>
>>
>> $var(found) = cache_fetch("local", $identity(x5u), $var(cert));
>> if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
>>     rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
>>     if ($rc < 0 || $var(http_rc) != 200) {
>>         send_reply(436, "Bad Identity Info");
>>         exit;
>>     }
>>     cache_store("local", $identity(x5u), $var(cert), 60);
>> }
>>
>> stir_shaken_verify("$var(cert)", $var(err_sip_code), $var(err_sip_reason));
>> if ($rc < 0) {
>>     xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason) \n");
>>     send_reply($var(err_sip_code), $var(err_sip_reason));
>>     exit;
>> }
>>
>>
>> I figured this much:
>>
>> $var(cert) is a public certificate downloaded from
>> $identity(x5u); if it does not exist in the local cache it gets
>> pulled and stored.
>>
>> stir_shaken_check_cert("$var(cert)") is generating these errors:
>>
>> ERROR:stir_shaken:load_cert: Failed to parse certificate
>> ERROR:stir_shaken:w_stir_check_cert: Failed to load certificate
>> (because the entry does not exist in the local cachedb)
>>
>> This forces the download of the public cert from $identity(x5u)
>> and stores it in the local cachedb.
>>
>> The second attempt does not generate these errors; however, calls with a
>> different Identity header and URL for the public cert should generate the
>> same errors again, as the public cert from the new URL is not in the local
>> cachedb, but it is NOT generating the same error.
>>
>> Also, I have minimized cache_store down to 1 second, and after
>> that a second call with the same $identity(x5u) should generate the same
>> errors, but it does not.
>>
>> The example on the shaken-not-stirred page has:
>>
>> rest_get("$identity(x5u)", "$var(cert)", $var(ctype), $var(http_rc));
>>
>> but this fails at start-up with error ERROR:core:fix_cmd: Param
>> [2] expected to be a variable, so I removed the double quotes from
>> around $var(cert).
>>
>>
>>
>> On 1/5/2023 1:18 PM, Joseph Jackson wrote:
>>> Hi Marcin,
>>>
>>> I suspect you are correct that it's how you are decoding the CA
>>> cert file from iconectiv.
>>>
>>> Attached is what we have currently and it works in our
>>> production environment.
>>>
>>> If the maillist strips out that attachment let me know. You can
>>> reach me directly at jjackson at aninetworks.net
>>> <mailto:jjackson at aninetworks.net>
>>>
>>> Joseph
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Users <users-bounces at lists.opensips.org> on behalf of Marcin
>>> Groszek <marcin at voipplus.net>
>>> *Sent:* Thursday, January 5, 2023 10:16 AM
>>> *To:* users at lists.opensips.org <users at lists.opensips.org>
>>> *Subject:* Re: [OpenSIPS-Users] stir shaken verification
>>>
>>> Joseph, thank you very much for your response.
>>>
>>>
>>> I have downloaded and applied the new sti-ca file but certificate
>>> validation fails.
>>>
>>> INFO:stir_shaken:verify_callback: certificate validation failed:
>>> certificate signature failure
>>> INFO:stir_shaken:w_stir_verify: Invalid certificate
>>> DBG:core:comp_scriptvar: int 26 : -8 / 0
>>> [1637] stir_shaken_verify() failed: 437, Unsupported Credential
>>>
>>>
>>> Perhaps I am not processing the sti-ca file properly.
>>>
>>>
>>> I am testing this with a valid token; in fact the test calls are
>>> coming from a major cellular carrier in the US and the verification fails.
>>>
>>> I can see curl download the public cert, storing it in local
>>> cache and then attempt to verify, but it fails.
>>>
>>> Upon next call with same token, the public cert is pulled from
>>> local cache and still fails.
>>>
>>>
>>>
>>>
>>> On 1/4/2023 7:37 PM, Joseph Jackson wrote:
>>>> Hi Marcin,
>>>>
>>>> We have a process that downloads the CA list from iconectiv
>>>> nightly, decodes the jwt and stores the certs in a single file
>>>> in /etc/ssl/sti-ca/sti-ca.pem
>>>>
>>>> Here is the opensips modparam
>>>>
>>>> #stir and shaken
>>>> loadmodule "stir_shaken.so"
>>>> modparam("stir_shaken", "verify_date_freshness", 300)
>>>> modparam("stir_shaken", "auth_date_freshness", 300)
>>>> modparam("stir_shaken", "e164_strict_mode", 0)
>>>> #list of root certs for stir / shaken verification
>>>> modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
>>>>
>>>> This is on opensips v3.1.11
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Users <users-bounces at lists.opensips.org> on behalf of Marcin
>>>> Groszek <marcin at voipplus.net>
>>>> *Sent:* Wednesday, January 4, 2023 6:12 PM
>>>> *To:* users at lists.opensips.org <users at lists.opensips.org>
>>>> *Subject:* [OpenSIPS-Users] stir shaken verification
>>>>
>>>> Opensips version 3.1.5
>>>>
>>>> I am having some issues with the stir_shaken setup. I am sure this is
>>>> not an issue with the module, but with me.
>>>>
>>>> stir_shaken_auth works just fine and I am able to sign the
>>>> calls; however I was unable to find any document on how to use the
>>>> CA file available for download at iconectiv/download-list as
>>>> well as via API. They do come in as a JWT file, but after a little
>>>> manipulation individual certificates can be extracted, and the
>>>> first one is the root certificate, I think, and the rest are
>>>> trusted STI-CAs. I guess my question is how do I use this file
>>>> or any other cert file as "ca_list" and/or "ca_dir".
>>>>
>>>> After weeks and hundreds of attempts I was unsuccessful, and I was
>>>> unable to locate any document explaining the
>>>> preparation/setup/steps to set up verification.
>>>>
>>>> All I get is :
>>>>
>>>> ERROR:stir_shaken:load_cert: Failed to parse certificate
>>>> ERROR:stir_shaken:w_stir_verify: Failed to load certificate
>>>> on INVITE with valid identity header.
>>>>
>>>> When I remove or replace "ca_list" file with something bogus
>>>> opensips does not even start with errors:
>>>>
>>>> ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
>>>> ERROR:core:init_mod: failed to initialize module stir_shaken
>>>>
>>>> I would really appreciate some guidance on this one.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opensips.org
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>> --
>>> Best Regards:
>>> Marcin Groszek
>>> Business Phone Service
>>> https://www.voipplus.net
>>>
>>
>>
>>
>> --
>> Regards,
>>
>> David Villasmil
>> email: david.villasmil.work at gmail.com
>> phone: +34669448337
>>
>
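The nightly iconectiv CA-list conversion Joseph describes above (JWT file in, one PEM bundle for "ca_list" out), written up here as an added Python example that is not code from the thread or from OpenSIPS. It assumes the list is a compact JWS whose payload carries the certificates as PEM text somewhere in its claims (the "trustList" claim name in the constructed sample is an assumption, which is why the extractor walks every claim instead of hard-coding one), and it does not verify the JWS signature, which must be checked against the STI-PA certificate before the resulting file is installed as a trust anchor.

```python
import base64
import json
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def b64url_decode(seg: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWS (header.payload.signature).
    The signature is NOT checked here; verify it against the STI-PA cert first."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def extract_pem_certs(payload) -> list[str]:
    """Collect every PEM certificate block found anywhere in the payload (whatever
    the claim names) and reject any block whose base64 body does not decode."""
    found: list[str] = []
    def walk(node):
        if isinstance(node, str):
            found.extend(m.group(0) for m in PEM_RE.finditer(node))
        elif isinstance(node, (dict, list)):
            for v in (node.values() if isinstance(node, dict) else node):
                walk(v)
    walk(payload)
    for pem in found:
        ssl.PEM_cert_to_DER_cert(pem)  # ValueError (binascii.Error) on malformed PEM
    return [pem + "\n" for pem in found]

def build_ca_bundle(token: str) -> str:
    """Concatenate the extracted certs into one ca_list-style PEM bundle."""
    return "".join(extract_pem_certs(jwt_payload(token)))

# --- constructed sample input: placeholder DER bytes, not real STI-CA certs ---
def make_pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()  # 76-column lines, each newline-terminated
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def make_sample_token(certs: list[str]) -> str:
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    hdr = enc(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    body = enc(json.dumps({"version": "1.0", "trustList": certs}).encode())  # claim names assumed
    return f"{hdr}.{body}.{enc(b'constructed-signature')}"

SAMPLE_TOKEN = make_sample_token([make_pem(b"placeholder DER A"), make_pem(b"placeholder DER B")])
```

Writing `build_ca_bundle(token)` to a file and pointing `modparam("stir_shaken", "ca_list", ...)` at it gives the single-file layout Joseph uses; OpenSIPS still has to be restarted or the file rotated atomically so a half-written bundle is never loaded.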