
<div dir="auto">Every day??? Does it CHANGE everyday? Maybe just check if it’s changed the reload only if it has. Seems very excessive to make that mandatory.</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 28 Jul 2023 at 15:46, Alain Bieuzent <<a href="mailto:alain.bieuzent@free.fr">alain.bieuzent@free.fr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">sorry I wrote nonsense (again...)<br>

In the French implementation of STIR/SHAKEN we must download certificate updates every day (only for crl_list).<br>

In stir_shaken module documentation , there is no explanation how to put crl_list in db.<br>

<br>

Regards<br>

<br>

<br>

Le 28/07/2023 15:39, « Users au nom de Alain Bieuzent » <<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a> <mailto:<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>> au nom de <a href="mailto:alain.bieuzent@free.fr" target="_blank">alain.bieuzent@free.fr</a> <mailto:<a href="mailto:alain.bieuzent@free.fr" target="_blank">alain.bieuzent@free.fr</a>>> a écrit :<br>

<br>

<br>

Hi Razvan,<br>

<br>

<br>

I work on the same project as Mickael and we don't understand how the tls_mgm can help us in this case.<br>

In the French implementation of STIR/SHAKEN we must download certificate updates every day (ca_list and crl_list).<br>

How can these updates be considered in real time?<br>

<br>

<br>

Regards<br>

<br>

<br>

Le 27/07/2023 12:38, « Users au nom de Răzvan Crainea » <<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a> <mailto:<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>> <mailto:<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a> <mailto:<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>>> au nom de <a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a> <mailto:<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>> <mailto:<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a> <mailto:<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>>>> a écrit :<br>

<br>

<br>

<br>

<br>

Hi, Mickael!<br>

<br>

<br>

<br>

<br>

The only way is to store certificates in database and reload the tls_mgm <br>

module (using tls_reload).<br>

<br>

<br>

<br>

<br>

Best regards,<br>

<br>

<br>

<br>

<br>

Răzvan Crainea<br>

OpenSIPS Core Developer / SIPhub CTO<br>

<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a> <<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a>> <<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a>> <<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a>&gt;> / <a href="https://www.siphub.com" rel="noreferrer" target="_blank">https://www.siphub.com</a> <<a href="https://www.siphub.com" rel="noreferrer" target="_blank">https://www.siphub.com</a>> <<a href="https://www.siphub.com" rel="noreferrer" target="_blank">https://www.siphub.com</a>> <<a href="https://www.siphub.com" rel="noreferrer" target="_blank">https://www.siphub.com</a>&gt;><br>

<br>

<br>

<br>

<br>

On 7/26/23 16:38, Mickael Hubert wrote:<br>

> Hi Razvan,<br>

> another question about crl_list, when crl list changed, what is the best <br>

> way to reload this list in OpenSIPS memory ? restart it ? or another way ?<br>

> I know the crl_list can change each day, so if I have to restart <br>

> opensips each day, it's not very practical.<br>

> <br>

> thanks in advance<br>

> <br>

> Le mar. 25 juil. 2023 à 14:47, Mickael Hubert <<a href="mailto:mickael@winlux.fr" target="_blank">mickael@winlux.fr</a> <mailto:<a href="mailto:mickael@winlux.fr" target="_blank">mickael@winlux.fr</a>> <mailto:<a href="mailto:mickael@winlux.fr" target="_blank">mickael@winlux.fr</a> <mailto:<a href="mailto:mickael@winlux.fr" target="_blank">mickael@winlux.fr</a>>> <br>

> <mailto:<a href="mailto:mickael@winlux.fr" target="_blank">mickael@winlux.fr</a> <mailto:<a href="mailto:mickael@winlux.fr" target="_blank">mickael@winlux.fr</a>> <mailto:<a href="mailto:mickael@winlux.fr" target="_blank">mickael@winlux.fr</a> <mailto:<a href="mailto:mickael@winlux.fr" target="_blank">mickael@winlux.fr</a>>>>> a écrit :<br>

> <br>

> Hi Razvan,<br>

> Thanks a lot.<br>

> I loaded the CRL for CA and certs and opensips start correctly ;)<br>

> <br>

> Have a good day !<br>

> <br>

> Le lun. 24 juil. 2023 à 16:07, Răzvan Crainea <<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a> <mailto:<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>> <mailto:<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a> <mailto:<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>>><br>

> <mailto:<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a> <mailto:<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>> <mailto:<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a> <mailto:<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>>>>> a écrit :<br>

> <br>

> Hi, Mickael!<br>

> <br>

> I don't have much experience with this, but a first search would<br>

> point<br>

> to this [1] answer, which seems reasonable to me: you need to<br>

> provide<br>

> the CRL of the entire path, not only of your intermediate cert.<br>

> Did you<br>

> try that?<br>

> <br>

> [1] <a href="https://stackoverflow.com/a/47398918" rel="noreferrer" target="_blank">https://stackoverflow.com/a/47398918</a> <<a href="https://stackoverflow.com/a/47398918" rel="noreferrer" target="_blank">https://stackoverflow.com/a/47398918</a>> <<a href="https://stackoverflow.com/a/47398918" rel="noreferrer" target="_blank">https://stackoverflow.com/a/47398918</a>> <<a href="https://stackoverflow.com/a/47398918&gt" rel="noreferrer" target="_blank">https://stackoverflow.com/a/47398918&gt</a>;><br>

> <<a href="https://stackoverflow.com/a/47398918" rel="noreferrer" target="_blank">https://stackoverflow.com/a/47398918</a>> <<a href="https://stackoverflow.com/a/47398918&gt" rel="noreferrer" target="_blank">https://stackoverflow.com/a/47398918&gt</a>;> <<a href="https://stackoverflow.com/a/47398918&gt" rel="noreferrer" target="_blank">https://stackoverflow.com/a/47398918&gt</a>;> <<a href="https://stackoverflow.com/a/47398918&amp;gt;&gt" rel="noreferrer" target="_blank">https://stackoverflow.com/a/47398918&amp;gt;&gt</a>;><br>

> <br>

> Best regards,<br>

> <br>

> Răzvan Crainea<br>

> OpenSIPS Core Developer<br>

> <a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a> <<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a>> <<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a>> <<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a>&gt;><br>

> <<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a>> <<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a>&gt;> <<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a>&gt;> <<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a>&amp;gt;&gt;><br>

> <br>

> On 7/19/23 15:47, Mickael Hubert wrote:<br>

> > Hi all,<br>

> > I'm working on stir and shaken, and I want to include all<br>

> revoked<br>

> > certificates.<br>

> > I my list in DER format, I use this command to transform it<br>

> to PEM format:<br>

> > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem<br>

> ><br>

> > there is no erreur, I can read pem format (crl.pem):<br>

> > -----BEGIN X509 CRL-----<br>

> > ....<br>

> > -----END X509 CRL-----<br>

> ><br>

> > I configured opensips with this:<br>

> > modparam("stir_shaken", "crl_list",<br>

> "/etc/opensips/stir-shaken-ca/crl.pem")<br>

> ><br>

> > but I have an error:<br>

> > ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback:<br>

> certificate<br>

> > validation failed: unable to get certificate CRL<br>

> > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid<br>

> certificate<br>

> ><br>

> > Can you tell me, what is exactly the correct format please ?<br>

> ><br>

> > Thanks in advance !<br>

> > ++<br>

> ><br>

> > _______________________________________________<br>

> > Users mailing list<br>

> > <a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>>> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>>>><br>

> > <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt</a>;><br>

> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt</a>;> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt</a>;> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users&amp;gt;&gt" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users&amp;gt;&gt</a>;><br>

> <br>

> _______________________________________________<br>

> Users mailing list<br>

> <a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>>> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>>>><br>

> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt</a>;><br>

> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt</a>;> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt</a>;> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users&amp;gt;&gt" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users&amp;gt;&gt</a>;><br>

> <br>

> <br>

> _______________________________________________<br>

> Users mailing list<br>

> <a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>>><br>

> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt</a>;><br>

<br>

<br>

<br>

<br>

_______________________________________________<br>

Users mailing list<br>

<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>>><br>

<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users&gt</a>;><br>

<br>

<br>

<br>

<br>

<br>

<br>

<br>

<br>

<br>

<br>

_______________________________________________<br>

Users mailing list<br>

<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>><br>

<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a> <<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>><br>

<br>

<br>

<br>

<br>

<br>

_______________________________________________<br>

Users mailing list<br>

<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>

<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>

</blockquote></div></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Regards,</div><div><br></div>David Villasmil<div>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a></div><div>phone: +34669448337</div></div></div>