<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Yes it is. I sent it to xlog and it does.</p>
<div class="moz-cite-prefix">On 1/5/2023 4:45 PM, David Villasmil
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFGRPVoW55LDTdY+UxEwR0moDCY-sS=JaW9usB897Ei4cF-j+g@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="auto">Is <span
style="word-spacing:1px;color:rgb(49,49,49)">$var(cert)
actually set? Print it out</span></div>
<div><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 5 Jan 2023 at 23:19,
Marcin Groszek <<a href="mailto:marcin@voipplus.net"
moz-do-not-send="true">marcin@voipplus.net</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">
<div>
<p>Thank you very much. I have the same file, and
verification is still failing. Perhaps my config:</p>
<p><br>
</p>
<pre style="font-family:monospace">$var(found) = cache_fetch("local", $identity(x5u), $var(cert));
if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
    rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
    if ($rc &lt; 0 || $var(http_rc) != 200) {
        send_reply(436, "Bad Identity Info");
        exit;
    }
    cache_store("local", $identity(x5u), $var(cert), 60);
}

stir_shaken_verify("$var(cert)", $var(err_sip_code), $var(err_sip_reason));
if ($rc &lt; 0) {
    xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason) \n");
    send_reply($var(err_sip_code), $var(err_sip_reason));
    exit;
}
</pre>
<p><br>
</p>
<p>I figured this much: <br>
</p>
<p>$var(cert) is the public certificate downloaded from
$identity(x5u); if it does not exist in the local cache it
gets pulled and stored.</p>
<p>stir_shaken_check_cert("$var(cert)") is generating
these errors:<br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed to parse
certificate<br>
ERROR:stir_shaken:w_stir_check_cert: Failed to load
certificate (because the entry does not exist in the local
cachedb)</p>
<p>This forces the download of the public cert from
$identity(x5u) and stores it in the local cachedb.<br>
</p>
<p>The second attempt does not generate these errors; however,
calls with a different Identity header and URL for the public
cert should generate the same errors again, as the public
cert from the new URL is not in the local cachedb, but it is NOT
generating the same error.</p>
<p>Also, I have minimized cache_store down to 1 second, and
after that a second call with the same $identity(x5u) should
generate the same errors, but it is not.</p>
<p>An example on the shaken-not-stirred page has:<br>
</p>
<pre style="font-family:monospace">rest_get( "$identity(x5u)", "$var(cert)",
$var(ctype), $var(http_rc));</pre>
<p>but this fails at start-up with the error
ERROR:core:fix_cmd: Param [2] expected to be a variable,
so I removed the double quotes from around $var(cert).</p>
</div>
<div>
<p><br>
</p>
<p><br>
</p>
<div>On 1/5/2023 1:18 PM, Joseph Jackson wrote:<br>
</div>
<blockquote type="cite">
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Hi
Marcin,</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">I
suspect you are correct that it's how you are
decoding the CA cert file from iconectiv.</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
Attached is what we have currently and it works in
our production environment.</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">If
the mailing list strips out that attachment let me
know. You can reach me directly at <a
href="mailto:jjackson@aninetworks.net"
target="_blank"
style="font-family:Calibri,Arial,Helvetica,sans-serif"
moz-do-not-send="true">jjackson@aninetworks.net</a></span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Joseph</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<hr style="display:inline-block;width:98%">
<div id="m_7204651923108459797divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)"
face="Calibri, sans-serif"><b
style="font-family:Calibri,sans-serif">From:</b>
Users <a
href="mailto:users-bounces@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true"><users-bounces@lists.opensips.org></a>
on behalf of Marcin Groszek <a
href="mailto:marcin@voipplus.net" target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true"><marcin@voipplus.net></a><br>
<b style="font-family:Calibri,sans-serif">Sent:</b>
Thursday, January 5, 2023 10:16 AM<br>
<b style="font-family:Calibri,sans-serif">To:</b> <a
href="mailto:users@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true">users@lists.opensips.org</a>
<a href="mailto:users@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true"><users@lists.opensips.org></a><br>
<b style="font-family:Calibri,sans-serif">Subject:</b>
Re: [OpenSIPS-Users] stir shaken verification</font>
<div> </div>
</div>
<div>
<p>Joseph, thank you very much for your response.</p>
<p><br>
</p>
<p>I have downloaded and applied the new sti-ca file but
certificate validation fails.</p>
<p>INFO:stir_shaken:verify_callback: certificate
validation failed: certificate signature failure<br>
INFO:stir_shaken:w_stir_verify: Invalid certificate<br>
DBG:core:comp_scriptvar: int 26 : -8 / 0<br>
[1637] stir_shaken_verify() failed: 437, Unsupported
Credential</p>
<p><br>
</p>
<p>Perhaps I am not processing the sti-ca file
properly.</p>
<p><br>
</p>
<p>I am testing this with a valid token; in fact test
calls are coming from a major cellular carrier in the US
and the verification fails.</p>
<p>I can see curl download the public cert, store it
in the local cache and then attempt to verify, but it
fails.</p>
<p>Upon the next call with the same token, the public cert is
pulled from the local cache and still fails.</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div>On 1/4/2023 7:37 PM, Joseph Jackson wrote:<br>
</div>
<blockquote type="cite">
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Hi
Marcin,</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">We
have a process that downloads the CA list from
iconectiv nightly, decodes the jwt and stores
the certs in a single file in
/etc/ssl/sti-ca/sti-ca.pem</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Here
is the opensips modparam</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<pre style="font-family:monospace">#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
</pre>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">This
is on opensips v3.1.11</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<hr style="display:inline-block;width:98%">
<div id="m_7204651923108459797x_divRplyFwdMsg"
dir="ltr"><font
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)"
face="Calibri, sans-serif"><b
style="font-family:Calibri,sans-serif">From:</b>
Users <a
href="mailto:users-bounces@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true">
<users-bounces@lists.opensips.org></a>
on behalf of Marcin Groszek <a
href="mailto:marcin@voipplus.net"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true">
<marcin@voipplus.net></a><br>
<b style="font-family:Calibri,sans-serif">Sent:</b>
Wednesday, January 4, 2023 6:12 PM<br>
<b style="font-family:Calibri,sans-serif">To:</b>
<a href="mailto:users@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true">
users@lists.opensips.org</a> <a
href="mailto:users@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true">
<users@lists.opensips.org></a><br>
<b style="font-family:Calibri,sans-serif">Subject:</b>
[OpenSIPS-Users] stir shaken verification</font>
<div> </div>
</div>
<div>
<p>Opensips version 3.1.5<br>
</p>
<p>I am having some issues with the stir_shaken setup.
I am sure this is not an issue with the module, but
with me.<br>
</p>
<p>stir_shaken_auth works just fine and I am able to sign the
calls; however, I was unable to find any
document on how to use the CA file available for
download at iconectiv/download-list as well as
via API. It comes as a JWT file, but
after a little manipulation individual
certificates can be extracted, and the first
one is the root certificate, I think, and the
rest are trusted STI-CAs. I guess my
question is how do I use this file or any
other cert file as "ca_list" and/or
"ca_dir".<br>
</p>
<p>After weeks and hundreds of attempts I was
unsuccessful, and I was unable to locate any
document explaining the preparation/setup steps
for setting up verification.<br>
</p>
</p>
<p>All I get is : <br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed to parse
certificate<br>
ERROR:stir_shaken:w_stir_verify: Failed to load
certificate<br>
on INVITE with valid identity header.<br>
</p>
<p>When I remove or replace the "ca_list" file with
something bogus, opensips does not even start, with
these errors:</p>
<p>ERROR:stir_shaken:init_cert_validation: Failed
to load trustefd CAs<br>
ERROR:core:init_mod: failed to initialize module
stir_shaken</p>
<p>I would really appreciate some guidance on this
one.</p>
<p><br>
</p>
</div>
<br>
<fieldset></fieldset>
<pre style="font-family:monospace">_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank" style="font-family:monospace" moz-do-not-send="true">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank" style="font-family:monospace" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre cols="72" style="font-family:monospace">--
Best Regards:
Marcin Groszek
Business Phone Service
<a href="https://www.voipplus.net" target="_blank" style="font-family:monospace" moz-do-not-send="true">https://www.voipplus.net</a></pre>
</div>
</blockquote>
<pre cols="72" style="font-family:monospace">--
Best Regards:
Marcin Groszek
Business Phone Service
<a href="https://www.voipplus.net" target="_blank" style="font-family:monospace" moz-do-not-send="true">https://www.voipplus.net</a></pre>
</div>
</blockquote>
</div>
</div>
-- <br>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a href="mailto:david.villasmil.work@gmail.com"
target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Best Regards:
Marcin Groszek
Business Phone Service
<a class="moz-txt-link-freetext" href="https://www.voipplus.net">https://www.voipplus.net</a></pre>
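<p>The recurring question in this thread is how to turn the JWT-wrapped CA list from iconectiv into a PEM file that the stir_shaken module's "ca_list" parameter accepts. The script below is an added example written for this page; it is not OpenSIPS code and not the nightly process Joseph describes. It assumes the download is a compact JWT (header.payload.signature) whose JSON payload carries the trusted CA certificates as PEM strings; the "trustList" key and the sample token are constructed for the example and are not confirmed by the thread, so the extractor walks the whole payload and keeps every PEM certificate it finds regardless of the field name. Each certificate is base64-decoded and checked for the DER SEQUENCE tag before being written, which catches the "Failed to parse certificate" class of problem before OpenSIPS ever loads the file.</p>

```python
"""Turn a JWT-wrapped STI-CA list into a PEM bundle for OpenSIPS ca_list.

Added example for this thread, not OpenSIPS code. Assumed, not confirmed
by the thread: the download is a compact JWT whose JSON payload carries
the trusted CA certificates as PEM strings (the "trustList" key below is
an assumption), so every PEM block anywhere in the payload is collected.
"""
import base64
import json
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT (header.payload.signature).

    The signature is NOT checked here. Verify the JWT against the STI-PA's
    certificate before trusting a downloaded list; otherwise anyone who can
    tamper with the download can add their own CA to ca_list.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    return json.loads(b64url_decode(parts[1]))


def walk_strings(obj):
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from walk_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from walk_strings(value)


def normalize_pem(body: str) -> str:
    """Re-wrap a base64 certificate body into canonical 64-column PEM."""
    b64 = "".join(body.split())
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_certs(token: str) -> list:
    """Collect every decodable PEM certificate from the token, deduplicated.

    ssl.PEM_cert_to_DER_cert raises ValueError on bad base64; a certificate
    must also begin with the DER SEQUENCE tag 0x30, so anything else is
    rejected here instead of failing later inside OpenSIPS.
    """
    certs, seen = [], set()
    for text in walk_strings(jwt_payload(token)):
        for match in PEM_BLOCK.finditer(text):
            pem = normalize_pem(match.group(1))
            der = ssl.PEM_cert_to_DER_cert(pem)
            if not der.startswith(b"\x30"):
                raise ValueError("PEM body is not a DER SEQUENCE")
            if der not in seen:
                seen.add(der)
                certs.append(pem)
    return certs


def write_bundle(token: str, path: str) -> int:
    """Write all extracted certificates to one PEM file; return the count."""
    certs = extract_certs(token)
    if not certs:
        raise ValueError("no certificates found in token payload")
    with open(path, "w") as bundle:
        bundle.write("".join(certs))
    return len(certs)


def make_sample_token(der_certs) -> str:
    """Build a constructed, unsigned CA-list JWT for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"version": "1.0", "sequence": 1,
               "trustList": [ssl.DER_cert_to_PEM_cert(d) for d in der_certs]}
    return enc({"alg": "ES256", "typ": "JWT"}) + "." + enc(payload) + ".placeholder-signature"


# Constructed sample input: two distinct DER SEQUENCE stand-ins, the first repeated.
SAMPLE_DERS = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02", b"\x30\x03\x02\x01\x01"]
SAMPLE_TOKEN = make_sample_token(SAMPLE_DERS)

if __name__ == "__main__":
    # usage: python sti_ca_bundle.py downloaded.jwt /etc/ssl/sti-ca/sti-ca.pem
    with open(sys.argv[1]) as f:
        print(write_bundle(f.read(), sys.argv[2]), "certificates written")
```

<p>Run it from the nightly job that fetches the list, pointing the second argument at the path given to "ca_list", and restart or reload OpenSIPS afterwards since the module reads the trust store at init. The script only restores a usable bundle; it does not check the JWT signature or the certificates' validity periods, and it makes no claim about which entry is the root, so add those checks before relying on the output in production.</p>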
</body>
</html>