<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I was/am suspecting the openssl library, but I refuse to dedicate any
more time to troubleshooting. It is quite easy to install a new OS and
try it again, especially for a test environment.<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 1/6/2023 10:36 AM, Jonathan Abrams
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAP9sNzHxuOifXStsEdicj+uYBz2JMhnsQ8rpdhz4QSWSm16RXg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="auto">IIRC, the issue you were having with the
validation failures on CentOS 7 was related to a shared library.
OpenSSL I think.
<div dir="auto"><br>
</div>
<div dir="auto">-Jon Abrams</div>
<div dir="auto"><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Jan 6, 2023, 10:30 AM
Marcin Groszek <<a href="mailto:marcin@voipplus.net"
rel="noreferrer noreferrer" target="_blank"
moz-do-not-send="true">marcin@voipplus.net</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p>Thank you for all your help.</p>
<p>My test opensips installation was on CentOS 7 and cert
verification has been failing. <br>
</p>
<p>The certificates are verifying with the same opensips version
3.1.5 and the same configuration on Oracle Linux 8.6.</p>
<p>Thank you again for all your answers and help.</p>
<p><br>
</p>
<div>On 1/5/2023 5:24 PM, Marcin Groszek wrote:<br>
</div>
<blockquote type="cite">
<p>Yes it is, I sent it to xlog and it does.</p>
<div>On 1/5/2023 4:45 PM, David Villasmil wrote:<br>
</div>
<blockquote type="cite">
<div dir="auto">Is <span
style="word-spacing:1px;color:rgb(49,49,49)">$var(cert)
actually set? Print it out</span></div>
<div><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 5 Jan 2023
at 23:19, Marcin Groszek <<a
href="mailto:marcin@voipplus.net"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true">marcin@voipplus.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">
<div>
<p>Thank you very much. I have the same file,
and verification is still failing. Perhaps my
config:</p>
<p><br>
</p>
<pre style="font-family:monospace"># look the signer's cert up in the local cache; (re)download it if missing or unparsable
$var(found) = cache_fetch("local", $identity(x5u), $var(cert));
if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
    rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
    if ($rc &lt; 0 || $var(http_rc) != 200) {
        send_reply(436, "Bad Identity Info");
        exit;
    }
    cache_store("local", $identity(x5u), $var(cert), 60);
}

# verify the Identity header against the cached cert and the configured ca_list
stir_shaken_verify("$var(cert)", $var(err_sip_code), $var(err_sip_reason));
if ($rc &lt; 0) {
    xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason) \n");
    send_reply($var(err_sip_code), $var(err_sip_reason));
    exit;
}</pre>
<p><br>
</p>
<p>I figured this much: <br>
</p>
<p>$var(cert) is a public certificate downloaded
from $identity(x5u); if it does not exist in the
local cache it gets pulled and stored.</p>
<p>stir_shaken_check_cert("$var(cert)") is
generating these errors:<br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed to parse
certificate<br>
ERROR:stir_shaken:w_stir_check_cert: Failed to
load certificate (because the entry does not
exist in the local cachedb)</p>
<p>This forces the download of the public cert
from $identity(x5u) and stores it in the local cachedb.<br>
</p>
<p>The second attempt does not generate these errors;
however, calls with a different Identity header
and URL for the public cert should generate the same
errors again, as the public cert from the new URL
is not in the local cachedb, but it is NOT
generating the same error.</p>
<p>Also, I have minimized cache_store down to 1
second, and after that a second call with the same
$identity(x5u) should generate the same errors,
but it does not.</p>
<p>An example on the shaken-not-stirred page has:
<br>
</p>
<pre style="font-family:monospace">rest_get( "$identity(x5u)", "$var(cert)",
$var(ctype), $var(http_rc));</pre>
<p>but this fails at start-up with the error
ERROR:core:fix_cmd: Param [2] expected to be a
variable, so I removed the double quotes from
around $var(cert).</p>
</div>
<div>
<p><br>
</p>
<p><br>
</p>
<div>On 1/5/2023 1:18 PM, Joseph Jackson wrote:<br>
</div>
<blockquote type="cite">
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Hi
Marcin,</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">I
suspect you are correct that it's how you
are decoding the CA cert file from
iconectiv.</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
Attached is what we have currently and it
works in our production environment.</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">If
the maillist strips out that attachment
let me know. You can reach me directly at
<a href="mailto:jjackson@aninetworks.net"
style="font-family:Calibri,Arial,Helvetica,sans-serif" rel="noreferrer
noreferrer noreferrer" target="_blank"
moz-do-not-send="true">jjackson@aninetworks.net</a></span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Joseph</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<hr style="display:inline-block;width:98%">
<div
id="m_-6653987802911552254m_7673463380805764732m_-2651100793193987118m_7204651923108459797divRplyFwdMsg"
dir="ltr"><font
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)"
face="Calibri, sans-serif"><b
style="font-family:Calibri,sans-serif">From:</b>
Users <a
href="mailto:users-bounces@lists.opensips.org"
style="font-family:Calibri,sans-serif"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true">&lt;users-bounces@lists.opensips.org&gt;</a>
on behalf of Marcin Groszek <a
href="mailto:marcin@voipplus.net"
style="font-family:Calibri,sans-serif"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true">&lt;marcin@voipplus.net&gt;</a><br>
<b style="font-family:Calibri,sans-serif">Sent:</b>
Thursday, January 5, 2023 10:16 AM<br>
<b style="font-family:Calibri,sans-serif">To:</b>
<a href="mailto:users@lists.opensips.org"
style="font-family:Calibri,sans-serif"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true">users@lists.opensips.org</a>
<a href="mailto:users@lists.opensips.org"
style="font-family:Calibri,sans-serif"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true">&lt;users@lists.opensips.org&gt;</a><br>
<b style="font-family:Calibri,sans-serif">Subject:</b>
Re: [OpenSIPS-Users] stir shaken
verification</font>
<div> </div>
</div>
<div>
<p>Joseph, thank you very much for your
response.</p>
<p><br>
</p>
<p>I have downloaded and applied the new sti-ca
file but certificate validation fails.</p>
<p>INFO:stir_shaken:verify_callback:
certificate validation failed: certificate
signature failure<br>
INFO:stir_shaken:w_stir_verify: Invalid
certificate<br>
DBG:core:comp_scriptvar: int 26 : -8 / 0<br>
[1637] stir_shaken_verify() failed: 437,
Unsupported Credential</p>
<p><br>
</p>
<p>Perhaps I am not processing the sti-ca
file properly.</p>
<p><br>
</p>
<p>I am testing this with a valid token; in
fact, test calls are coming from a major
cellular carrier in the US and the
verification fails.</p>
<p>I can see curl download the public cert,
store it in the local cache and then attempt
to verify, but it fails.</p>
<p>Upon the next call with the same token, the
public cert is pulled from the local cache and
still fails.</p>
<div>On 1/4/2023 7:37 PM, Joseph Jackson
wrote:<br>
</div>
<blockquote type="cite">
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Hi
Marcin,</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">We
have a process that downloads the CA
list from iconectiv nightly, decodes
the jwt and stores the certs in a
single file in
/etc/ssl/sti-ca/sti-ca.pem</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Here
is the opensips modparam</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><pre style="font-family:monospace"># stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
# list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
</pre></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">This
is on opensips v3.1.11</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<hr style="display:inline-block;width:98%">
<div
id="m_-6653987802911552254m_7673463380805764732m_-2651100793193987118m_7204651923108459797x_divRplyFwdMsg"
dir="ltr"><font
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)"
face="Calibri, sans-serif"><b
style="font-family:Calibri,sans-serif">From:</b>
Users <a
href="mailto:users-bounces@lists.opensips.org"
style="font-family:Calibri,sans-serif" rel="noreferrer noreferrer
noreferrer" target="_blank"
moz-do-not-send="true">
&lt;users-bounces@lists.opensips.org&gt;</a>
on behalf of Marcin Groszek <a
href="mailto:marcin@voipplus.net"
style="font-family:Calibri,sans-serif"
rel="noreferrer noreferrer
noreferrer" target="_blank"
moz-do-not-send="true">
&lt;marcin@voipplus.net&gt;</a><br>
<b
style="font-family:Calibri,sans-serif">Sent:</b>
Wednesday, January 4, 2023 6:12 PM<br>
<b
style="font-family:Calibri,sans-serif">To:</b>
<a
href="mailto:users@lists.opensips.org"
style="font-family:Calibri,sans-serif" rel="noreferrer noreferrer
noreferrer" target="_blank"
moz-do-not-send="true">
users@lists.opensips.org</a> <a
href="mailto:users@lists.opensips.org"
style="font-family:Calibri,sans-serif" rel="noreferrer noreferrer
noreferrer" target="_blank"
moz-do-not-send="true">
&lt;users@lists.opensips.org&gt;</a><br>
<b
style="font-family:Calibri,sans-serif">Subject:</b>
[OpenSIPS-Users] stir shaken
verification</font>
<div> </div>
</div>
<div>
<p>Opensips version 3.1.5<br>
</p>
<p>I am having some issues with the
stir_shaken setup. I am sure this is not
an issue with the module, but me.<br>
</p>
<p><code style="font-family:monospace">stir_shaken_auth</code>
works just fine and I am able to
sign the calls; however, I was unable
to find any document on how to use the CA
file available for download at
iconectiv/download-list as well as
via API. They do come as a JWT
file, but after a little manipulation
individual certificates can be
extracted, and the first one is the
root certificate, I think, and the
rest are trusted STI-CAs. I
guess my question is how do I use
this file or any other cert file as
"ca_list" and/or "ca_dir". <br>
</p>
<p>After weeks and hundreds of attempts I
was unsuccessful, and I was unable to
locate any document explaining the
preparation/setup/steps to set up
verification.<br>
</p>
<p>All I get is : <br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed
to parse certificate<br>
ERROR:stir_shaken:w_stir_verify:
Failed to load certificate<br>
on INVITE with valid identity header.<br>
</p>
<p>When I remove the "ca_list"
file or replace it with something bogus, opensips
does not even start, with errors:</p>
<p>ERROR:stir_shaken:init_cert_validation:
Failed to load trustefd CAs<br>
ERROR:core:init_mod: failed to
initialize module stir_shaken</p>
<p>I would really appreciate some
guidance on this one.</p>
</div>
<br>
<fieldset></fieldset>
<pre style="font-family:monospace">_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" style="font-family:monospace" rel="noreferrer noreferrer noreferrer" target="_blank" moz-do-not-send="true">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" style="font-family:monospace" rel="noreferrer noreferrer noreferrer" target="_blank" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre cols="72" style="font-family:monospace">--
Best Regards:
Marcin Groszek
Business Phone Service
<a href="https://www.voipplus.net" style="font-family:monospace" rel="noreferrer noreferrer noreferrer" target="_blank" moz-do-not-send="true">https://www.voipplus.net</a></pre>
</div>
</blockquote>
<pre cols="72" style="font-family:monospace">--
Best Regards:
Marcin Groszek
Business Phone Service
<a href="https://www.voipplus.net" style="font-family:monospace" rel="noreferrer noreferrer noreferrer" target="_blank" moz-do-not-send="true">https://www.voipplus.net</a></pre>
</div>
</blockquote>
</div>
</div>
-- <br>
<div dir="ltr" data-smartmail="gmail_signature">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a
href="mailto:david.villasmil.work@gmail.com"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
</blockquote>
<pre cols="72">--
Best Regards:
Marcin Groszek
Business Phone Service
<a href="https://www.voipplus.net" rel="noreferrer noreferrer noreferrer" target="_blank" moz-do-not-send="true">https://www.voipplus.net</a></pre>
</blockquote>
<pre cols="72">--
Best Regards:
Marcin Groszek
Business Phone Service
<a href="https://www.voipplus.net" rel="noreferrer noreferrer noreferrer" target="_blank" moz-do-not-send="true">https://www.voipplus.net</a></pre>
</div>
</blockquote>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Best Regards:
Marcin Groszek
Business Phone Service
<a class="moz-txt-link-freetext" href="https://www.voipplus.net">https://www.voipplus.net</a></pre>
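<p>Joseph Jackson's nightly process, quoted above, decodes the iconectiv CA-list JWT and writes the certificates to /etc/ssl/sti-ca/sti-ca.pem for ca_list; the following is an added example of that step, not code from the OpenSIPS project or from anyone in this thread. It assumes the JWT payload carries the certificates as a JSON array under a key named trustList (an assumption; check the actual list), accepts entries as PEM text or bare base64 DER, and does not verify the JWT signature, which should be checked against the STI-PA's certificate before the output is installed.</p>

```python
import base64
import json
import re
import textwrap

# Assumed payload key for the trusted STI-CA array; not taken from the thread.
TRUST_LIST_KEY = "trustList"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(token: str) -> dict:
    """Split header.payload.signature and return the decoded JSON payload.
    The signature is NOT checked here: verify it against the STI-PA certificate
    before trusting the list."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    return json.loads(b64url_decode(parts[1]))

def to_pem(entry: str) -> str:
    """Normalise one entry (PEM text or bare base64 DER) to a 64-column PEM block."""
    m = PEM_RE.search(entry)
    body = m.group(1) if m else entry
    der = base64.b64decode("".join(body.split()), validate=True)  # reject non-base64 early
    wrapped = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"

def ca_list_to_pem(token: str) -> str:
    """Return the bundle text for modparam("stir_shaken", "ca_list", "/path/sti-ca.pem")."""
    entries = jwt_payload(token).get(TRUST_LIST_KEY)
    if not isinstance(entries, list) or not entries:
        raise ValueError(f"payload has no non-empty {TRUST_LIST_KEY!r} array")
    return "".join(to_pem(e) for e in entries)

def count_certs(pem: str) -> int:
    """How many certificate blocks a PEM bundle contains (what load_cert would see)."""
    return len(PEM_RE.findall(pem))

def make_demo_token() -> str:
    """Constructed, unsigned sample token with two placeholder DER blobs (not real certs)."""
    fake_der = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
    payload = {
        "version": "1.0",
        TRUST_LIST_KEY: [
            base64.b64encode(fake_der[0]).decode(),                       # bare base64
            "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----"   # PEM text
            % base64.b64encode(fake_der[1]).decode(),
        ],
    }
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "ES256", "typ": "JWT"}), seg(payload), seg({"sig": "none"})])

if __name__ == "__main__":
    print(ca_list_to_pem(make_demo_token()), end="")
```

Write the returned text to the file named in ca_list and restart OpenSIPS; a bundle in which one block fails to parse is exactly what produces the load_cert errors quoted in the thread.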
</body>
</html>