[OpenSIPS-Users] Issue with stir and shaken crl_list
Alain Bieuzent
alain.bieuzent at free.fr
Fri Jul 28 13:45:54 UTC 2023
Sorry, I wrote nonsense (again...)
In the French implementation of STIR/SHAKEN we must download certificate updates every day (only for crl_list).
In the stir_shaken module documentation, there is no explanation of how to put the crl_list in the db.
Regards
On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <users-bounces at lists.opensips.org on behalf of alain.bieuzent at free.fr> wrote:
Hi Razvan,
I work on the same project as Mickael and we don't understand how the tls_mgm can help us in this case.
In the French implementation of STIR/SHAKEN we must download certificate updates every day (ca_list and crl_list).
How can these updates be taken into account in real time?
Regards
On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <users-bounces at lists.opensips.org on behalf of razvan at opensips.org> wrote:
Hi, Mickael!
The only way is to store the certificates in the database and reload the tls_mgm module (using tls_reload).
Best regards,
Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com
On 7/26/23 16:38, Mickael Hubert wrote:
> Hi Razvan,
> another question about crl_list: when the CRL list changes, what is the best
> way to reload this list in OpenSIPS memory? Restart it? Or another way?
> I know the crl_list can change each day, so if I have to restart
> opensips each day, it's not very practical.
>
> thanks in advance
>
> On Tue, 25 Jul 2023 at 14:47, Mickael Hubert <mickael at winlux.fr> wrote:
>
> Hi Razvan,
> Thanks a lot.
> I loaded the CRL for the CA and the certs, and OpenSIPS starts correctly ;)
>
> Have a good day!
>
> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea <razvan at opensips.org> wrote:
>
> Hi, Mickael!
>
> I don't have much experience with this, but a first search would point
> to this [1] answer, which seems reasonable to me: you need to provide
> the CRL of the entire path, not only of your intermediate cert. Did you
> try that?
>
> [1] https://stackoverflow.com/a/47398918
>
> Best regards,
>
> Răzvan Crainea
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
>
> On 7/19/23 15:47, Mickael Hubert wrote:
> > Hi all,
> > I'm working on stir and shaken, and I want to include all revoked
> > certificates.
> > My list is in DER format; I use this command to transform it to PEM format:
> > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
> >
> > There is no error, and I can read the PEM format (crl.pem):
> > -----BEGIN X509 CRL-----
> > ....
> > -----END X509 CRL-----
> >
> > I configured opensips with this:
> > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
> >
> > but I have an error:
> > Jul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
> > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
> >
> > Can you tell me what exactly the correct format is, please?
> >
> > Thanks in advance!
> > ++
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>