<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Thank you for all your help.</p>
<p>My test opensips installation was on CentOS 7, and there cert
verification has been failing. <br>
</p>
<p>The certificates are verifying with same opensips version 3.1.5
and same configuration on Oracle linux 8.6.</p>
<p>Thank you again for all your answers and help.</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 1/5/2023 5:24 PM, Marcin Groszek
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:41d8146f-dca8-fca1-f6de-4cefbac2b58a@voipplus.net">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Yes it is, I sent it to xlog and it does.</p>
<div class="moz-cite-prefix">On 1/5/2023 4:45 PM, David Villasmil
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFGRPVoW55LDTdY+UxEwR0moDCY-sS=JaW9usB897Ei4cF-j+g@mail.gmail.com">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<div dir="auto">Is <span
style="word-spacing:1px;color:rgb(49,49,49)">$var(cert)
actually set? Print it out</span></div>
<div><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 5 Jan 2023 at
23:19, Marcin Groszek <<a
href="mailto:marcin@voipplus.net" moz-do-not-send="true">marcin@voipplus.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">
<div>
<p>Thank you very much. I have the same file, and
verification is still failing. Perhaps my config:</p>
<p><br>
</p>
<pre style="font-family:monospace">$var(found) = cache_fetch("local", $identity(x5u), $var(cert));
if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
    rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
    if ($rc &lt; 0 || $var(http_rc) != 200) {
        send_reply(436, "Bad Identity Info");
        exit;
    }
    cache_store("local", $identity(x5u), $var(cert), 60);
}

stir_shaken_verify("$var(cert)", $var(err_sip_code), $var(err_sip_reason));
if ($rc &lt; 0) {
    xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason) \n");
    send_reply($var(err_sip_code), $var(err_sip_reason));
    exit;
}
</pre>
<p><br>
</p>
<p>I figured this much: <br>
</p>
<p>$var(cert) is a public certificate downloaded from
$identity(x5u); if it does not exist in the local cache
it gets pulled and stored.</p>
<p>stir_shaken_check_cert("$var(cert)") is generating
these errors:<br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed to parse certificate<br>
ERROR:stir_shaken:w_stir_check_cert: Failed to load
certificate (because the entry does not exist in the
local cachedb)</p>
<p>This forces the download of the public cert from
$identity(x5u) and stores it in the local cachedb.<br>
</p>
<p>The second attempt does not generate these errors; however,
calls with a different Identity header and URL for the public
cert should generate the same errors again, as the public
cert from the new URL is not in the local cachedb, but it is
NOT generating the same error.</p>
<p>Also, I have minimized the cache_store lifetime down to 1 second,
and after that a second call with the same $identity(x5u)
should generate the same errors, but it does not.</p>
<p>An example on the shaken-not-stirred page has: <br>
</p>
<pre style="font-family:monospace">rest_get( "$identity(x5u)", "$var(cert)",
$var(ctype), $var(http_rc));</pre>
<p>but this fails at start-up with the error
ERROR:core:fix_cmd: Param [2] expected to be a
variable, so I removed the double quotes from around
$var(cert).</p>
</div>
<div>
<p><br>
</p>
<p><br>
</p>
<div>On 1/5/2023 1:18 PM, Joseph Jackson wrote:<br>
</div>
<blockquote type="cite">
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Hi
Marcin,</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">I
suspect you are correct that it's how you are
decoding the CA cert file from iconectiv.</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
Attached is what we have currently and it works in
our production environment.</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">If
the mailing list strips out that attachment, let me
know. You can reach me directly at <a
href="mailto:jjackson@aninetworks.net"
target="_blank"
style="font-family:Calibri,Arial,Helvetica,sans-serif"
moz-do-not-send="true">jjackson@aninetworks.net</a></span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Joseph</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<hr style="display:inline-block;width:98%">
<div id="m_7204651923108459797divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)"
face="Calibri, sans-serif"><b
style="font-family:Calibri,sans-serif">From:</b>
Users <a
href="mailto:users-bounces@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true"><users-bounces@lists.opensips.org></a>
on behalf of Marcin Groszek <a
href="mailto:marcin@voipplus.net"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true"><marcin@voipplus.net></a><br>
<b style="font-family:Calibri,sans-serif">Sent:</b>
Thursday, January 5, 2023 10:16 AM<br>
<b style="font-family:Calibri,sans-serif">To:</b>
<a href="mailto:users@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true">users@lists.opensips.org</a>
<a href="mailto:users@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true"><users@lists.opensips.org></a><br>
<b style="font-family:Calibri,sans-serif">Subject:</b>
Re: [OpenSIPS-Users] stir shaken verification</font>
<div> </div>
</div>
<div>
<p>Joseph, thank you very much for your response.</p>
<p><br>
</p>
<p>I have downloaded and applied the new sti-ca file, but
certificate validation fails.</p>
<p>INFO:stir_shaken:verify_callback: certificate
validation failed: certificate signature failure<br>
INFO:stir_shaken:w_stir_verify: Invalid
certificate<br>
DBG:core:comp_scriptvar: int 26 : -8 / 0<br>
[1637] stir_shaken_verify() failed: 437,
Unsupported Credential</p>
<p><br>
</p>
<p>Perhaps I am not processing the sti-ca file
properly.</p>
<p><br>
</p>
<p>I am testing this with a valid token; in fact,
the test calls are coming from a major cellular carrier
in the US, and the verification fails.</p>
<p>I can see curl download the public cert, store
it in the local cache and then attempt to verify, but
it fails.</p>
<p>Upon the next call with the same token, the public cert
is pulled from the local cache and still fails.</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div>On 1/4/2023 7:37 PM, Joseph Jackson wrote:<br>
</div>
<blockquote type="cite">
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Hi
Marcin,</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">We
have a process that downloads the CA list from
iconectiv nightly, decodes the jwt and stores
the certs in a single file in
/etc/ssl/sti-ca/sti-ca.pem</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Here
is the opensips modparam</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"></span></div>
<pre style="font-family:monospace">#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
</pre>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">This
is on opensips v3.1.11</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<hr style="display:inline-block;width:98%">
<div id="m_7204651923108459797x_divRplyFwdMsg"
dir="ltr"><font
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)"
face="Calibri, sans-serif"><b
style="font-family:Calibri,sans-serif">From:</b>
Users <a
href="mailto:users-bounces@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true">
<users-bounces@lists.opensips.org></a>
on behalf of Marcin Groszek <a
href="mailto:marcin@voipplus.net"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true">
<marcin@voipplus.net></a><br>
<b style="font-family:Calibri,sans-serif">Sent:</b>
Wednesday, January 4, 2023 6:12 PM<br>
<b style="font-family:Calibri,sans-serif">To:</b>
<a href="mailto:users@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true">
users@lists.opensips.org</a> <a
href="mailto:users@lists.opensips.org"
target="_blank"
style="font-family:Calibri,sans-serif"
moz-do-not-send="true">
<users@lists.opensips.org></a><br>
<b style="font-family:Calibri,sans-serif">Subject:</b>
[OpenSIPS-Users] stir shaken verification</font>
<div> </div>
</div>
<div>
<p>Opensips version 3.1.5<br>
</p>
<p>I am having some issues with the stir_shaken
setup. I am sure this is not an issue with the
module, but with me.<br>
</p>
<p>stir_shaken_auth works just fine and I am able to sign the
calls; however, I was unable to find any document on how to
use the CA file available for download at
iconectiv/download-list as well as via API. They come as a
JWT file, but after a little manipulation individual
certificates can be extracted, and the first one is the root
certificate, I think, and the rest are trusted STI-CAs. I
guess my question is how do I use this file or any other
cert file as "ca_list" and/or "ca_dir".<br>
</p>
<p>After weeks and hundreds of attempts I was
unsuccessful, and I was unable to locate any
document explaining the preparation/setup steps
for verification.<br>
</p>
<p>All I get is : <br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed to parse
certificate<br>
ERROR:stir_shaken:w_stir_verify: Failed to
load certificate<br>
on INVITE with valid identity header.<br>
</p>
<p>When I remove the "ca_list" file or replace it with
something bogus, opensips does not even start,
with errors:</p>
<p>ERROR:stir_shaken:init_cert_validation:
Failed to load trustefd CAs<br>
ERROR:core:init_mod: failed to initialize
module stir_shaken</p>
<p>I would really appreciate some guidance on
this one.</p>
<p><br>
</p>
</div>
<br>
<fieldset></fieldset>
<pre style="font-family:monospace">_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank" style="font-family:monospace" moz-do-not-send="true">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank" style="font-family:monospace" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre cols="72" style="font-family:monospace">--
Best Regards:
Marcin Groszek
Business Phone Service
<a href="https://www.voipplus.net" target="_blank" style="font-family:monospace" moz-do-not-send="true">https://www.voipplus.net</a></pre>
</div>
<br>
</blockquote>
</div>
</blockquote>
</div>
</div>
-- <br>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a href="mailto:david.villasmil.work@gmail.com"
target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
<br>
</blockquote>
<br>
</blockquote>
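<p>Joseph's nightly process (download the iconectiv CA list, decode the JWT, store the certificates in one PEM file referenced by ca_list) is described in the thread but never shown, and the startup error Marcin hit with a bad file (Failed to load trusted CAs) is exactly what OpenSSL's CA-store loader produces for a malformed bundle. The script below is an added example, not OpenSIPS, iconectiv or either poster's code: it decodes the payload of a compact JWS, normalises each certificate entry to RFC 7468 PEM with 64-character lines, writes the bundle, and pre-flights it through the same OpenSSL loader so a broken file is caught before OpenSIPS is restarted. The payload key names in CANDIDATE_KEYS, the per-entry encodings it accepts (PEM text or a bare base64 DER string), and the demo token with its fake certificates are constructed assumptions, because the real list format is not shown on this page; if the key lookup fails on a real download, the exception prints the actual payload keys.</p>

```python
"""Turn an STI-PA certificate-list JWT into a PEM bundle for the OpenSIPS
stir_shaken "ca_list" parameter, and pre-flight it with OpenSSL.

Added example, not OpenSIPS or iconectiv code. ASSUMPTIONS: the payload key
carrying the certificate array and the per-entry form (PEM text or bare
base64 DER) are not documented on the page; CANDIDATE_KEYS and the demo
token are constructed stand-ins.
"""
import base64
import json
import re
import ssl
import tempfile

CANDIDATE_KEYS = ("trustList", "certificates", "certs")  # ASSUMPTION
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment; JWS strips the '=' padding."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWS (header.payload.signature).
    The list's own signature is not checked here: fetch it over TLS from
    the STI-PA and keep the resulting file root-owned."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(b64url_decode(parts[1]))


def to_pem(entry: str) -> str:
    """Normalise one entry (PEM text or bare base64 DER) to RFC 7468 PEM
    with 64-character lines. Broken armour is what OpenSSL rejects and what
    OpenSIPS then reports as 'Failed to load trusted CAs' at init."""
    m = PEM_BLOCK.search(entry.replace("\\n", "\n"))
    body = m.group(1) if m else entry
    der = base64.b64decode("".join(body.split()), validate=True)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Inverse of to_pem, used to check that entries round-trip."""
    return base64.b64decode("".join(PEM_BLOCK.search(pem).group(1).split()))


def extract_certs(payload: dict) -> list:
    """Return every certificate in the payload as canonical PEM text."""
    for key in CANDIDATE_KEYS:
        entries = payload.get(key)
        if isinstance(entries, list) and entries:
            return [to_pem(e) for e in entries]
    raise KeyError("no certificate array under %s; payload keys: %s"
                   % (CANDIDATE_KEYS, sorted(payload)))


def write_bundle(token: str, path: str) -> int:
    """Write all certificates to one file (the ca_list path); return count."""
    pems = extract_certs(jwt_payload(token))
    with open(path, "w") as fh:
        fh.write("".join(pems))
    return len(pems)


def bundle_loads(path: str):
    """Pre-flight the bundle through OpenSSL's X509 store loader, the same
    step that fails inside OpenSIPS at module init. Returns (ok, error)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)
    return True, ""


def make_demo_token() -> str:
    """CONSTRUCTED demo JWT: two fake 'certificates' (not real X.509), one
    PEM-armoured and one as bare base64 DER; the signature part is a stub."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    pem_entry = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"fake-der-entry-one").decode()
                 + "\n-----END CERTIFICATE-----")
    bare_entry = base64.b64encode(b"fake-der-entry-two").decode()
    payload = {"version": "1.0", "sequence": 1,
               "trustList": [pem_entry, bare_entry]}  # key is an ASSUMPTION
    return ".".join([seg({"alg": "ES256", "typ": "JWT"}), seg(payload), "sig"])


def demo():
    """Write the demo bundle and pre-flight it; the fakes must be rejected."""
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as tmp:
        path = tmp.name
    count = write_bundle(make_demo_token(), path)
    ok, err = bundle_loads(path)
    return count, ok, err


if __name__ == "__main__":
    print(demo())
```

<p>Run as a script it exercises the constructed demo, where the pre-flight correctly rejects the fake certificates; in production call write_bundle() on the downloaded JWT text into a staging path and only move the file over /etc/ssl/sti-ca/sti-ca.pem when bundle_loads() reports ok, so a bad download never reaches the running OpenSIPS.</p>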
</body>
</html>