[OpenSIPS-Users] Issue with stir and shaken crl_list

Răzvan Crainea razvan at opensips.org
Thu Jul 27 10:36:23 UTC 2023


Hi, Mickael!

The only way is to store certificates in database and reload the tls_mgm 
module (using tls_reload).

Best regards,

Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com

On 7/26/23 16:38, Mickael Hubert wrote:
> Hi Razvan,
> another question about crl_list: when the CRL list changes, what is the best 
> way to reload this list in OpenSIPS memory? Restart it, or another way?
> I know the crl_list can change each day, so if I have to restart 
> opensips each day, it's not very practical.
> 
> thanks in advance
> 
> On Tue, Jul 25, 2023 at 14:47, Mickael Hubert <mickael at winlux.fr> wrote:
> 
>     Hi Razvan,
>     Thanks a lot.
>     I loaded the CRL for CA and certs and opensips starts correctly ;)
> 
>     Have a good day !
> 
>     On Mon, Jul 24, 2023 at 16:07, Răzvan Crainea <razvan at opensips.org> wrote:
> 
>         Hi, Mickael!
> 
>         I don't have much experience with this, but a first search would
>         point to this [1] answer, which seems reasonable to me: you need to
>         provide the CRL of the entire path, not only of your intermediate
>         cert. Did you try that?
> 
>         [1] https://stackoverflow.com/a/47398918
> 
>         Best regards,
> 
>         Răzvan Crainea
>         OpenSIPS Core Developer
>         http://www.opensips-solutions.com
> 
>         On 7/19/23 15:47, Mickael Hubert wrote:
>          > Hi all,
>          > I'm working on stir and shaken, and I want to include all
>          > revoked certificates.
>          > I have my list in DER format, I use this command to transform it
>          > to PEM format:
>          > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
>          >
>          > There is no error, I can read the PEM format (crl.pem):
>          > -----BEGIN X509 CRL-----
>          > ....
>          > -----END X509 CRL-----
>          >
>          > I configured opensips with this:
>          > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
>          >
>          > but I have an error:
>          > Jul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
>          > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
>          >
>          > Can you tell me what exactly the correct format is, please?
>          >
>          > Thanks in advance !
>          > ++
>          >
>          > _______________________________________________
>          > Users mailing list
>          > Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>          > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>         <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
> 

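The advice quoted in this thread (provide the CRL of the entire path, not only of the intermediate cert) can be reproduced outside OpenSIPS with plain `openssl verify`. The script below is an added example, not part of the thread or of OpenSIPS; it builds a throwaway root/intermediate/leaf PKI with made-up names and file paths, and assumes the module checks revocation for every certificate in the chain, as `-crl_check_all` does.

```shell
#!/bin/sh
# Constructed demo PKI (names and paths are made up): root CA -> intermediate CA
# -> leaf, plus one empty CRL issued by each CA.
build_demo_pki() {  # $1 = empty work directory (path without spaces)
  d=$1; : > "$d/index.txt"
  cat > "$d/pki.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
database = $d/index.txt
default_md = sha256
default_crl_days = 1
EOF
  new="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -config $d/pki.cnf"
  openssl req $new -x509 -extensions v3_ca -days 2 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" &&
  openssl req $new -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/pki.cnf" -extensions v3_ca -days 2 -out "$d/int.pem" &&
  openssl req $new -subj "/CN=Demo Leaf" -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" &&
  for ca in root int; do  # nothing is revoked; each CRL only has to exist
    openssl ca -gencrl -config "$d/pki.cnf" -cert "$d/$ca.pem" \
      -keyfile "$d/$ca.key" -out "$d/$ca.crl" || return 1
  done
}

# Verify the leaf with revocation checking on every certificate in the path.
check_chain() {  # $1 = work directory, $2 = PEM file with one or more CRLs
  openssl verify -crl_check_all -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    -CRLfile "$2" "$1/leaf.pem" 2>&1
}

demo() {
  w=$(mktemp -d) && build_demo_pki "$w" >/dev/null 2>&1 || return 1
  echo "intermediate CRL only:"; check_chain "$w" "$w/int.crl" || true
  cat "$w/root.crl" "$w/int.crl" > "$w/path.crl"  # CRLs for the whole path
  echo "root + intermediate CRLs:"; check_chain "$w" "$w/path.crl"
}
demo
```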