<div dir="auto">IIRC, the issue you were having with the validation failures on CentOS 7 was related to a shared library. OpenSSL I think.<div dir="auto"><br></div><div dir="auto">-Jon Abrams</div><div dir="auto"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 6, 2023, 10:30 AM Marcin Groszek <<a href="mailto:marcin@voipplus.net" rel="noreferrer noreferrer" target="_blank">marcin@voipplus.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p>Thank you for all your help.</p>
<p>My test opensips installation was on CentOS 7 and cert
verification has been failing. <br>
</p>
<p>The certificates are verifying with the same opensips version 3.1.5
and the same configuration on Oracle Linux 8.6.</p>
<p>Thank you again for all your answers and help.</p>
<p><br>
</p>
<div>On 1/5/2023 5:24 PM, Marcin Groszek
wrote:<br>
</div>
<blockquote type="cite">
<p>Yes it is, I sent it to xlog and it does.</p>
<div>On 1/5/2023 4:45 PM, David Villasmil
wrote:<br>
</div>
<blockquote type="cite">
<div dir="auto">Is <span style="word-spacing:1px;color:rgb(49,49,49)">$var(cert)
actually set? Print it out</span></div>
<div><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 5 Jan 2023 at
23:19, Marcin Groszek <<a href="mailto:marcin@voipplus.net" rel="noreferrer noreferrer noreferrer" target="_blank">marcin@voipplus.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">
<div>
<p>Thank you very much. I have the same file, and
verification is still failing. Perhaps my config:</p>
<p><br>
</p>
<p>$var(found) = cache_fetch("local", $identity(x5u),
$var(cert));<br>
if (!$var(found) ||
!stir_shaken_check_cert("$var(cert)")) {<br>
rest_get( "$identity(x5u)", $var(cert),
$var(ctype), $var(http_rc));<br>
if ($rc<0 || $var(http_rc) != 200) {<br>
send_reply(436, "Bad Identity Info");<br>
exit;<br>
}<br>
cache_store("local", $identity(x5u), $var(cert),
60);<br>
}<br>
<br>
stir_shaken_verify( "$var(cert)", $var(err_sip_code),
$var(err_sip_reason));<br>
if ($rc < 0) {<br>
xlog("stir_shaken_verify() failed:
$var(err_sip_code), $var(err_sip_reason) \n");<br>
send_reply( $var(err_sip_code),
$var(err_sip_reason));<br>
exit;<br>
}<br>
</p>
<p><br>
</p>
<p>I figured this much: <br>
</p>
<p>$var(cert) is the public certificate downloaded from
$identity(x5u); if it does not exist in the local cache
it gets pulled and stored,</p>
<p>stir_shaken_check_cert("$var(cert)") is generating
these errors:<br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed to parse
certificate<br>
ERROR:stir_shaken:w_stir_check_cert: Failed to load
certificate (because the entry does not exist in
the local cachedb)</p>
<p>this forces the download of the public cert from
$identity(x5u) and stores it in the local cachedb<br>
</p>
<p>the second attempt does not generate these errors, however
calls with a different identity header and URL for the public
cert should generate the same errors again as the public
cert from the new URL is not in the local cachedb, but it is
NOT generating the same error.</p>
<p>Also, I have minimized cache_store down to 1 second
and after that a second call with the same $identity(x5u)
should generate the same errors, but it is not.</p>
<p>an example on the shaken-not-stirred page has: <br>
</p>
<pre style="font-family:monospace">rest_get( "$identity(x5u)", "$var(cert)",
$var(ctype), $var(http_rc));</pre>
<p>but this fails at start-up with the error
ERROR:core:fix_cmd: Param [2] expected to be a
variable, so I removed the double quotes from around
$var(cert).</p>
</div>
<div>
<p><br>
</p>
<p><br>
</p>
<div>On 1/5/2023 1:18 PM, Joseph Jackson wrote:<br>
</div>
<blockquote type="cite">
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Hi
Marcin,</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">I
suspect you are correct that it's how you are
decoding the CA cert file from iconectiv.</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
Attached is what we have currently and it works in
our production environment.</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">If
the maillist strips out that attachment let me
know. You can reach me directly at <a href="mailto:jjackson@aninetworks.net" style="font-family:Calibri,Arial,Helvetica,sans-serif" rel="noreferrer noreferrer noreferrer" target="_blank">jjackson@aninetworks.net</a></span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Joseph</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<hr style="display:inline-block;width:98%">
<div id="m_-6653987802911552254m_7673463380805764732m_-2651100793193987118m_7204651923108459797divRplyFwdMsg" dir="ltr"><font style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)" face="Calibri, sans-serif"><b style="font-family:Calibri,sans-serif">From:</b>
Users <a href="mailto:users-bounces@lists.opensips.org" style="font-family:Calibri,sans-serif" rel="noreferrer noreferrer noreferrer" target="_blank"><users-bounces@lists.opensips.org></a>
on behalf of Marcin Groszek <a href="mailto:marcin@voipplus.net" style="font-family:Calibri,sans-serif" rel="noreferrer noreferrer noreferrer" target="_blank"><marcin@voipplus.net></a><br>
<b style="font-family:Calibri,sans-serif">Sent:</b>
Thursday, January 5, 2023 10:16 AM<br>
<b style="font-family:Calibri,sans-serif">To:</b>
<a href="mailto:users@lists.opensips.org" style="font-family:Calibri,sans-serif" rel="noreferrer noreferrer noreferrer" target="_blank">users@lists.opensips.org</a>
<a href="mailto:users@lists.opensips.org" style="font-family:Calibri,sans-serif" rel="noreferrer noreferrer noreferrer" target="_blank"><users@lists.opensips.org></a><br>
<b style="font-family:Calibri,sans-serif">Subject:</b>
Re: [OpenSIPS-Users] stir shaken verification</font>
<div> </div>
</div>
<div>
<p>Joseph, thank you very much for your response.</p>
<p><br>
</p>
<p>I have downloaded and applied the new sti-ca file but
certificate validation fails.</p>
<p>INFO:stir_shaken:verify_callback: certificate
validation failed: certificate signature failure<br>
INFO:stir_shaken:w_stir_verify: Invalid
certificate<br>
DBG:core:comp_scriptvar: int 26 : -8 / 0<br>
[1637] stir_shaken_verify() failed: 437,
Unsupported Credential</p>
<p><br>
</p>
<p>Perhaps I am not processing the sti-ca file
properly.</p>
<p><br>
</p>
<p>I am testing this with a valid token; in fact the
test calls are coming from a major cellular carrier
in the US and the verification fails.</p>
<p>I can see curl download the public cert, store
it in the local cache and then attempt to verify, but
it fails.</p>
<p>Upon the next call with the same token, the public cert
is pulled from the local cache and still fails.</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div>On 1/4/2023 7:37 PM, Joseph Jackson wrote:<br>
</div>
<blockquote type="cite">
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Hi
Marcin,</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">We
have a process that downloads the CA list from
iconectiv nightly, decodes the jwt and stores
the certs in a single file in
/etc/ssl/sti-ca/sti-ca.pem</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Here
is the opensips modparam</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<pre style="font-family:monospace">#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
</pre>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">This
is on opensips v3.1.11</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<hr style="display:inline-block;width:98%">
<div id="m_-6653987802911552254m_7673463380805764732m_-2651100793193987118m_7204651923108459797x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)" face="Calibri, sans-serif"><b style="font-family:Calibri,sans-serif">From:</b>
Users <a href="mailto:users-bounces@lists.opensips.org" style="font-family:Calibri,sans-serif" rel="noreferrer noreferrer noreferrer" target="_blank">
<users-bounces@lists.opensips.org></a>
on behalf of Marcin Groszek <a href="mailto:marcin@voipplus.net" style="font-family:Calibri,sans-serif" rel="noreferrer noreferrer noreferrer" target="_blank">
<marcin@voipplus.net></a><br>
<b style="font-family:Calibri,sans-serif">Sent:</b>
Wednesday, January 4, 2023 6:12 PM<br>
<b style="font-family:Calibri,sans-serif">To:</b>
<a href="mailto:users@lists.opensips.org" style="font-family:Calibri,sans-serif" rel="noreferrer noreferrer noreferrer" target="_blank">
users@lists.opensips.org</a> <a href="mailto:users@lists.opensips.org" style="font-family:Calibri,sans-serif" rel="noreferrer noreferrer noreferrer" target="_blank">
<users@lists.opensips.org></a><br>
<b style="font-family:Calibri,sans-serif">Subject:</b>
[OpenSIPS-Users] stir shaken verification</font>
<div> </div>
</div>
<div>
<p>Opensips version 3.1.5<br>
</p>
<p>I am having some issues with the stir_shaken
setup. I am sure this is not an issue with the
module, but with me.<br>
</p>
<p>stir_shaken_auth
works just fine and I am able to sign the
calls, however I was unable to find any
document on how to use the CA file available for
download at iconectiv/download-list as well
as via API. They do come as a jwt file, but
after a little manipulation individual
certificates can be extracted, and the first
one is the root certificate, I think, and
the rest are trusted STI-CAs. I guess my
question is how do I use this file or any
other cert file as "ca_list" and/or
"ca_dir". <br>
</p>
<p>After weeks and hundreds of attempts I was
unsuccessful, and I was unable to locate any
document explaining the preparation/setup/steps to
set up verification.<br>
</p>
<p>All I get is : <br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed to parse
certificate<br>
ERROR:stir_shaken:w_stir_verify: Failed to
load certificate<br>
on INVITE with valid identity header.<br>
</p>
<p>When I remove or replace the "ca_list" file with
something bogus opensips does not even start, with
errors:</p>
<p>ERROR:stir_shaken:init_cert_validation:
Failed to load trustefd CAs<br>
ERROR:core:init_mod: failed to initialize
module stir_shaken</p>
<p>I would really appreciate some guidance on
this one.</p>
<p><br>
</p>
</div>
<br>
<pre style="font-family:monospace">_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" style="font-family:monospace" rel="noreferrer noreferrer noreferrer" target="_blank">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" style="font-family:monospace" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre cols="72" style="font-family:monospace">--
Best Regards:
Marcin Groszek
Business Phone Service
<a href="https://www.voipplus.net" style="font-family:monospace" rel="noreferrer noreferrer noreferrer" target="_blank">https://www.voipplus.net</a></pre>
</div>
<br>
</blockquote>
</div>
</blockquote>
</div>
</div>
-- <br>
<div dir="ltr" data-smartmail="gmail_signature">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a href="mailto:david.villasmil.work@gmail.com" rel="noreferrer noreferrer noreferrer" target="_blank">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
<br>
</blockquote>
<br>
</blockquote>
</div>
</blockquote></div>
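<p>The step the thread keeps circling back to is turning the JWT-wrapped STI-CA list into a plain PEM bundle that the stir_shaken "ca_list" parameter can load, which is what Joseph's nightly process does and what Marcin's "Failed to parse certificate" errors point at. The script below is an added example, written for this page; it is not Joseph's script, not code from the OpenSIPS project, and not the iconectiv tooling. It assumes the list is a compact JWS whose payload carries the certificates as PEM strings under a "TrustedSTICAList" claim (the ATIS-1000080 layout as I understand it; check the claim name in the file you actually download). It uses only the Python standard library, so it does not verify the JWS signature; in production, verify that signature against the STI-PA's certificate before trusting the output. The sample input is constructed inline with placeholder DER bodies so the script runs offline.</p>

```python
"""Added example: unwrap a JWT-wrapped STI-CA list into one PEM bundle for
the OpenSIPS stir_shaken "ca_list" parameter. Not project code; see the
lead-in for the assumptions (claim name, no JWS signature verification).
"""
import base64
import json
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.S
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWS segment, restoring the padding JWS strips."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    The signature is not checked here (stdlib only); alg=none is refused so an
    unsigned, attacker-supplied list cannot be fed through by mistake.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    if str(header.get("alg", "")).lower() == "none":
        raise ValueError("refusing an unsigned (alg=none) CA list")
    return json.loads(b64url_decode(parts[1]))


def normalize_pem(cert: str) -> str:
    """Rewrite one certificate into the strict PEM form OpenSSL's reader wants.

    Repairs the usual causes of "Failed to parse certificate": literal "\\n"
    escapes left over from JSON, CRLF line ends, over-long body lines and a
    missing trailing newline. Rejects a body that is not base64 of a DER
    SEQUENCE (every X.509 certificate starts with tag 0x30).
    """
    text = cert.replace("\\n", "\n").replace("\r\n", "\n")
    match = PEM_BLOCK.search(text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", match.group("body"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def ca_list_to_pem(token: str, claim: str = "TrustedSTICAList") -> str:
    """Concatenate every certificate in the list into one ca_list-style bundle."""
    certs = jwt_claims(token).get(claim)
    if not isinstance(certs, list) or not certs:
        raise ValueError(f"claim {claim!r} missing or empty")
    return "".join(normalize_pem(c) for c in certs)


def count_certs(bundle: str) -> int:
    return bundle.count("-----BEGIN CERTIFICATE-----")


def make_jwt(header: dict, payload: dict, signature: bytes = b"not-a-real-signature") -> str:
    """Build a compact JWS for testing only; the signature is a placeholder."""
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(signature),
    ])


# Constructed sample input (assumption, not a real STI-PA download). The
# "certificates" are a bare DER SEQUENCE (30 03 02 01 01), not real X.509, so
# the example runs offline; one carries CRLF line ends and the other literal
# "\n" escapes, the two breakages that make load_cert fail to parse.
PLACEHOLDER_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()  # "MAMCAQE="
SAMPLE_CERTS = [
    "-----BEGIN CERTIFICATE-----\r\n" + PLACEHOLDER_DER_B64 + "\r\n-----END CERTIFICATE-----\r\n",
    "-----BEGIN CERTIFICATE-----\\n" + PLACEHOLDER_DER_B64 + "\\n-----END CERTIFICATE-----",
]
SAMPLE_JWT = make_jwt(
    {"alg": "ES256", "typ": "JWT"},
    {"version": "1.0", "sequence": 1, "TrustedSTICAList": SAMPLE_CERTS},
)

if __name__ == "__main__":
    bundle = ca_list_to_pem(SAMPLE_JWT)
    sys.stdout.write(bundle)  # redirect to /etc/ssl/sti-ca/sti-ca.pem
    print(f"# {count_certs(bundle)} certificate(s) written", file=sys.stderr)
```

<p>With a real list, feed the downloaded token to ca_list_to_pem() instead of SAMPLE_JWT and write the result to the path given in "ca_list". Two checks are worth running before restarting opensips: <code style="font-family:monospace">openssl crl2pkcs7 -nocrl -certfile /etc/ssl/sti-ca/sti-ca.pem | openssl pkcs7 -print_certs -noout</code> prints the subject and issuer of every certificate the module will load (if OpenSSL rejects the bundle here, OpenSIPS will too), and <code style="font-family:monospace">ldd</code> on the stir_shaken.so module shows which libssl it is actually linked against, which is the first thing to compare when the same configuration verifies on one OS build and not on another.</p>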