[OpenSIPS-Users] Issue with stir and shaken crl_list

Srigo Kanapathipillai ksrigo at gmail.com
Tue May 21 08:48:54 UTC 2024


Hi,

I'm currently working on the integration of MAN (French Stir/Shaken) on our
OpenSIPS. I'm facing the same issue with OpenSIPS,
"stir_shaken:verify_callback: certificate validation failed: unable to get
certificate CRL", when calling the stir_shaken_verify() function.

This is how I'm loading my CRL and CA:

modparam("stir_shaken", "crl_dir",
"/etc/opensips/stir_shaken_certificates/all_certifs/")
modparam("stir_shaken", "ca_dir",
"/etc/opensips/stir_shaken_certificates/all_certifs/")

and my directory contents:

[srigo@lab:/etc/opensips/stir_shaken_certificates/all_certifs]# ls -l
total 80
lrwxrwxrwx 1 opensips opensips    12 May 20 20:48 10f93d74.0 -> bpco_pa2.pem
lrwxrwxrwx 1 opensips opensips    12 May 20 20:48 155d6a90.0 -> bpco_pa1.pem
lrwxrwxrwx 1 opensips opensips    22 May 20 20:48 155d6a90.r0 -> bpco_crl_operateur.pem
lrwxrwxrwx 1 opensips opensips    12 May 20 20:48 1df87289.0 -> bpco_ca1.pem
lrwxrwxrwx 1 opensips opensips     7 May 20 20:48 6c2f9df7.0 -> ipd.pem
lrwxrwxrwx 1 opensips opensips    11 May 20 20:48 b519955b.0 -> bpco_r1.pem
lrwxrwxrwx 1 opensips opensips    15 May 20 20:48 b519955b.r0 -> bpco_crl_ca.pem
-rw-rw-r-- 1 opensips opensips  1180 May 20 19:24 bpco_ca1.pem
-rw-rw-r-- 1 opensips opensips  1180 May 20 20:23 bpco_ca2.pem
-rw-rw-r-- 1 opensips opensips   552 May 20 19:24 bpco_crl_ca.pem
-rw-rw-r-- 1 opensips opensips 87608 May 20 19:25 bpco_crl_operateur.pem
-rw-rw-r-- 1 opensips opensips  1135 May 20 19:23 bpco_pa1.pem
-rw-rw-r-- 1 opensips opensips  1135 May 20 20:22 bpco_pa2.pem
-rw-rw-r-- 1 opensips opensips   810 May 20 19:24 bpco_r1.pem
lrwxrwxrwx 1 opensips opensips    12 May 20 20:48 cbdd0bbc.0 -> bpco_ca2.pem
-rw-rw-r-- 1 opensips opensips  1281 May 20 20:48 ipd.pem

I have tried with crl_list and ca_list by concatenating my CAs and my CRLs,
but I get the same errors.

If anyone has faced the same issue and solved it, or has an idea how to solve
it, please share it.

Thanks
Srigo

On Tue, Aug 1, 2023 at 16:08, Alain Bieuzent <alain.bieuzent at free.fr>
wrote:

> Thanks Razvan, it's done
>
> On 01/08/2023 15:35, "Users on behalf of Răzvan Crainea"
> <users-bounces at lists.opensips.org on behalf of razvan at opensips.org> wrote:
>
>
> Hi, Alain!
>
>
> You are actually right, it looks like the crl_list and ca_dir cannot be
> dynamic :(. Could you please open a feature request for this, so we can
> keep them right, perhaps change them to a tls_mgm domain?
>
>
> Best regards,
>
>
> Răzvan Crainea
> OpenSIPS Core Developer / SIPhub CTO
> http://www.opensips-solutions.com / https://www.siphub.com
>
>
> On 7/28/23 16:45, Alain Bieuzent wrote:
> > sorry I wrote nonsense (again...)
> > In the French implementation of STIR/SHAKEN we must download certificate
> > updates every day (only for crl_list).
> > In the stir_shaken module documentation, there is no explanation of how to
> > put crl_list in the DB.
> >
> > Regards
> >
> >
> > On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent"
> > <users-bounces at lists.opensips.org on behalf of alain.bieuzent at free.fr> wrote:
> >
> >
> > Hi Razvan,
> >
> >
> > I work on the same project as Mickael and we don't understand how the
> > tls_mgm can help us in this case.
> > In the French implementation of STIR/SHAKEN we must download certificate
> > updates every day (ca_list and crl_list).
> > How can these updates be considered in real time?
> >
> >
> > Regards
> >
> >
> > On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea"
> > <users-bounces at lists.opensips.org on behalf of razvan at opensips.org> wrote:
> >
> >
> >
> >
> > Hi, Mickael!
> >
> >
> >
> >
> > The only way is to store certificates in database and reload the tls_mgm
> > module (using tls_reload).
> >
> >
> >
> >
> > Best regards,
> >
> >
> >
> >
> > Răzvan Crainea
> > OpenSIPS Core Developer / SIPhub CTO
> > http://www.opensips-solutions.com / https://www.siphub.com
> >
> >
> >
> >
> > On 7/26/23 16:38, Mickael Hubert wrote:
> >> Hi Razvan,
> >> another question about crl_list: when the CRL list changes, what is the best
> >> way to reload this list in OpenSIPS memory? Restart it? Or another way?
> >> I know the crl_list can change each day, so if I have to restart
> >> OpenSIPS each day, it's not very practical.
> >>
> >> thanks in advance
> >>
> >> On Tue, Jul 25, 2023 at 14:47, Mickael Hubert <mickael at winlux.fr> wrote:
> >>
> >> Hi Razvan,
> >> Thanks a lot.
> >> I loaded the CRL for the CA and certs and OpenSIPS starts correctly ;)
> >>
> >> Have a good day !
> >>
> >> On Mon, Jul 24, 2023 at 16:07, Răzvan Crainea <razvan at opensips.org> wrote:
> >>
> >> Hi, Mickael!
> >>
> >> I don't have much experience with this, but a first search would point
> >> to this [1] answer, which seems reasonable to me: you need to provide
> >> the CRL of the entire path, not only of your intermediate cert. Did you
> >> try that?
> >>
> >> [1] https://stackoverflow.com/a/47398918
> >>
> >> Best regards,
> >>
> >> Răzvan Crainea
> >> OpenSIPS Core Developer
> >> http://www.opensips-solutions.com
> >>
> >> On 7/19/23 15:47, Mickael Hubert wrote:
> >>> Hi all,
> >>> I'm working on stir and shaken, and I want to include all revoked
> >>> certificates.
> >>> I have my list in DER format; I use this command to convert it to PEM format:
> >>> openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
> >>>
> >>> there is no error, I can read the PEM format (crl.pem):
> >>> -----BEGIN X509 CRL-----
> >>> ....
> >>> -----END X509 CRL-----
> >>>
> >>> I configured OpenSIPS with this:
> >>> modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
> >>>
> >>> but I have an error:
> >>> Jul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
> >>> Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
> >>>
> >>> Can you tell me what exactly the correct format is, please?
> >>>
> >>> Thanks in advance !
> >>> ++
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.opensips.org
> >>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
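The error string quoted throughout this thread, "unable to get certificate CRL", is OpenSSL's X509_V_ERR_UNABLE_TO_GET_CRL: CRL checking is enabled and no CRL issued by some certificate's issuer can be found in the store. When the check covers the whole chain (the "CRL of the entire path" advice above), that means every CA in the path needs a CRL, the root included; in the directory listing above only two of the six `<hash>.0` CA entries have a matching `<hash>.r0`. The script below is an added example, not code from this thread or from OpenSIPS: it builds a throwaway root -> intermediate -> leaf PKI with openssl, reproduces the error with a full-chain check and only the intermediate's CRL, shows the check passing once both CRLs are present (concatenated into one PEM file, as `crl_list` takes, and as a hashed directory, as `crl_dir`/`ca_dir` take), and shows a revoked leaf being rejected. Whether the stir_shaken module enables the full-chain flag is not stated on this page and is assumed here; every name and path in the script is invented.

```shell
#!/bin/sh
# Added example, not code from the OpenSIPS thread or project. Builds a throwaway
# root -> intermediate (PA) -> leaf PKI, issues CRLs, and shows when OpenSSL reports
# "unable to get certificate CRL" versus "OK" versus "certificate revoked".
# Every name ("Demo Root", "Demo PA", ...) and path here is invented for the demo.
set -eu

WORK=$(mktemp -d)

# Minimal openssl.cnf so 'openssl ca -gencrl' / 'openssl ca -revoke' work for one CA.
init_ca() {  # $1 = absolute CA directory
  mkdir -p "$1"
  : > "$1/index.txt"
  echo 01 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
crlnumber = $1/crlnumber
certificate = $1/cert.pem
private_key = $1/key.pem
default_md = sha256
default_crl_days = 30
EOF
}

# Issue an EC P-256 certificate into directory $2 with CN $1 and extensions from
# file $3, signed by the CA in directory $4 (empty string = self-signed).
issue() {
  mkdir -p "$2"
  openssl ecparam -name prime256v1 -genkey -noout -out "$2/key.pem"
  openssl req -new -config "$WORK/req.cnf" -key "$2/key.pem" -subj "/CN=$1" -out "$2/req.csr"
  if [ -z "$4" ]; then
    openssl x509 -req -in "$2/req.csr" -signkey "$2/key.pem" -days 30 -extfile "$3" -out "$2/cert.pem"
  else
    openssl x509 -req -in "$2/req.csr" -CA "$4/cert.pem" -CAkey "$4/key.pem" -CAcreateserial \
      -days 30 -extfile "$3" -out "$2/cert.pem"
  fi
}

# 'openssl verify' of leaf directory $1 against the demo chain with the extra flags
# given; returns the verify output (": OK" or the OpenSSL error text), never aborts.
verify_leaf() {
  leaf=$1; shift
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root/cert.pem" \
    -untrusted "$WORK/pa/cert.pem" "$@" "$WORK/$leaf/cert.pem" 2>&1 || true
}

# Hashed layout used by -CApath (and by ca_dir / crl_dir): <hash>.0 for a CA cert,
# <hash>.r0 for its CRL; a second object with the same hash would get .1 / .r1.
# 'openssl rehash DIR' (OpenSSL >= 1.1.0) creates the same links automatically.
build_hash_dir() {  # $1 = target directory
  mkdir -p "$1"
  for ca in root pa; do
    h=$(openssl x509 -noout -hash -in "$WORK/$ca/cert.pem")
    ln -sf "$WORK/$ca/cert.pem" "$1/$h.0"
    h=$(openssl crl -noout -hash -in "$WORK/$ca/crl.pem")
    ln -sf "$WORK/$ca/crl.pem" "$1/$h.r0"
  done
}

verify_hashed() {  # $1 = leaf directory; full-chain CRL check using only the hashed dir
  openssl verify -no-CAfile -no-CApath -CApath "$WORK/hashed" -crl_check_all \
    "$WORK/$1/cert.pem" 2>&1 || true
}

# --- build the demo PKI: two CAs, one good leaf, one leaf that gets revoked ------
printf '[req]\ndistinguished_name = dn\n[dn]\ncommonName = unused\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$WORK/leaf.ext"
init_ca "$WORK/root"
init_ca "$WORK/pa"
issue 'Demo Root'         "$WORK/root"         "$WORK/ca.ext"   ""
issue 'Demo PA'           "$WORK/pa"           "$WORK/ca.ext"   "$WORK/root"
issue 'Demo Leaf OK'      "$WORK/leaf_ok"      "$WORK/leaf.ext" "$WORK/pa"
issue 'Demo Leaf Revoked' "$WORK/leaf_revoked" "$WORK/leaf.ext" "$WORK/pa"
openssl ca -config "$WORK/pa/ca.cnf" -revoke "$WORK/leaf_revoked/cert.pem"
openssl ca -config "$WORK/root/ca.cnf" -gencrl -out "$WORK/root/crl.pem"
openssl ca -config "$WORK/pa/ca.cnf"   -gencrl -out "$WORK/pa/crl.pem"
cat "$WORK/root/crl.pem" "$WORK/pa/crl.pem" > "$WORK/all_crls.pem"   # crl_list style: one PEM file
build_hash_dir "$WORK/hashed"

# --- the outcomes a verifier sees -------------------------------------------------
echo "leaf-only CRL check, PA CRL only:    $(verify_leaf leaf_ok -crl_check -CRLfile "$WORK/pa/crl.pem")"
echo "full-chain CRL check, PA CRL only:   $(verify_leaf leaf_ok -crl_check_all -CRLfile "$WORK/pa/crl.pem")"
echo "full-chain CRL check, all CRLs:      $(verify_leaf leaf_ok -crl_check_all -CRLfile "$WORK/all_crls.pem")"
echo "full-chain CRL check, revoked leaf:  $(verify_leaf leaf_revoked -crl_check_all -CRLfile "$WORK/all_crls.pem")"
echo "full-chain CRL check via hashed dir: $(verify_hashed leaf_ok)"
```

Run it with `sh`; the second line reproduces the thread's error (the root's CRL is missing, so the check fails at the intermediate's depth even though the leaf's own CRL is present), the third and fifth lines show the same chain passing once the root's CRL is in the bundle or linked as `<hash>.r0`, and the fourth shows the revocation actually taking effect. For a directory like the one in the listing above, the practical check is that every `<hash>.0` that lies on the signing certificate's path has a `<hash>.r0` beside it; `openssl rehash` on the directory after each daily CRL download keeps the links consistent, and `openssl crl -noout -issuer -in FILE` tells you which CA a given CRL file belongs to.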