<div dir="auto">Every day??? Does it CHANGE every day? Maybe just check if it’s changed, then reload only if it has. Seems very excessive to make that mandatory.</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 28 Jul 2023 at 15:46, Alain Bieuzent &lt;<a href="mailto:alain.bieuzent@free.fr">alain.bieuzent@free.fr</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Sorry, I wrote nonsense (again...)<br>
In the French implementation of STIR/SHAKEN we must download certificate updates every day (only for crl_list).<br>
In the stir_shaken module documentation, there is no explanation of how to put crl_list in the db.<br>
<br>
Regards<br>
<br>
<br>
On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" &lt;<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a> on behalf of <a href="mailto:alain.bieuzent@free.fr" target="_blank">alain.bieuzent@free.fr</a>&gt; wrote:<br>
<br>
<br>
Hi Razvan,<br>
<br>
<br>
I work on the same project as Mickael and we don't understand how the tls_mgm can help us in this case.<br>
In the French implementation of STIR/SHAKEN we must download certificate updates every day (ca_list and crl_list).<br>
How can these updates be considered in real time?<br>
<br>
<br>
Regards<br>
<br>
<br>
On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" &lt;<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a> on behalf of <a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>&gt; wrote:<br>
<br>
<br>
<br>
<br>
Hi, Mickael!<br>
<br>
<br>
<br>
<br>
The only way is to store certificates in database and reload the tls_mgm module (using tls_reload).<br>
<br>
<br>
<br>
<br>
Best regards,<br>
<br>
<br>
<br>
<br>
Răzvan Crainea<br>
OpenSIPS Core Developer / SIPhub CTO<br>
<a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a> / <a href="https://www.siphub.com" rel="noreferrer" target="_blank">https://www.siphub.com</a><br>
<br>
<br>
<br>
<br>
On 7/26/23 16:38, Mickael Hubert wrote:<br>
> Hi Razvan,<br>
> another question about crl_list, when crl list changed, what is the best <br>
> way to reload this list in OpenSIPS memory ? restart it ? or another way ?<br>
> I know the crl_list can change each day, so if I have to restart <br>
> opensips each day, it's not very practical.<br>
> <br>
> thanks in advance<br>
> <br>
> On Tue, 25 Jul 2023 at 14:47, Mickael Hubert &lt;<a href="mailto:mickael@winlux.fr" target="_blank">mickael@winlux.fr</a>&gt; wrote:<br>
> <br>
> Hi Razvan,<br>
> Thanks a lot.<br>
> I loaded the CRL for CA and certs and opensips starts correctly ;)<br>
> <br>
> Have a good day !<br>
> <br>
> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea &lt;<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>&gt; wrote:<br>
> <br>
> Hi, Mickael!<br>
> <br>
> I don't have much experience with this, but a first search would point<br>
> to this [1] answer, which seems reasonable to me: you need to provide<br>
> the CRL of the entire path, not only of your intermediate cert. Did you<br>
> try that?<br>
> <br>
> [1] <a href="https://stackoverflow.com/a/47398918" rel="noreferrer" target="_blank">https://stackoverflow.com/a/47398918</a><br>
> <br>
> Best regards,<br>
> <br>
> Răzvan Crainea<br>
> OpenSIPS Core Developer<br>
> <a href="http://www.opensips-solutions.com" rel="noreferrer" target="_blank">http://www.opensips-solutions.com</a><br>
> <br>
> On 7/19/23 15:47, Mickael Hubert wrote:<br>
> > Hi all,<br>
> > I'm working on stir and shaken, and I want to include all revoked<br>
> > certificates.<br>
> > I have my list in DER format, and I use this command to transform it to PEM format:<br>
> > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem<br>
> ><br>
> > There is no error, and I can read the PEM format (crl.pem):<br>
> > -----BEGIN X509 CRL-----<br>
> > ....<br>
> > -----END X509 CRL-----<br>
> ><br>
> > I configured opensips with this:<br>
> > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")<br>
> ><br>
> > but I have an error:<br>
> > Jul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL<br>
> > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate<br>
> ><br>
> > Can you tell me what exactly the correct format is, please?<br>
> ><br>
> > Thanks in advance !<br>
> > ++<br>
> ><br>
> > _______________________________________________<br>
> > Users mailing list<br>
> > <a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
> > <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</blockquote></div></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Regards,</div><div><br></div>David Villasmil<div>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a></div><div>phone: +34669448337</div></div></div>
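<div>The approach discussed in this thread (convert each DER CRL to PEM, provide the CRLs of the entire path, and reload only when the list actually changed), as an added example that is not part of the original messages or of OpenSIPS. The function names, the input file names and the reload command are assumptions: the reload command is passed in by the operator as a string, and the script does not assume how the stir_shaken module picks up the new file.</div>

```shell
#!/bin/sh
# Added example: rebuild the crl_list bundle and reload only on change.
# Function names and the reload command are illustrative assumptions.

# build_crl_bundle OUT DER...
# Convert every DER CRL of the chain to PEM and concatenate them into OUT.
# Any conversion failure aborts, so a truncated download never reaches OUT.
build_crl_bundle() {
    out=$1; shift
    : > "$out" || return 1
    for der in "$@"; do
        openssl crl -inform DER -in "$der" -outform PEM >> "$out" || return 1
    done
    [ -s "$out" ]    # an empty bundle (no input CRLs) is an error
}

# refresh_crl DEST RELOAD_CMD DER...
# Returns 0 = bundle replaced and reload run, 1 = unchanged, 2 = error.
refresh_crl() {
    dest=$1; reload_cmd=$2; shift 2
    tmp=$(mktemp "${dest}.XXXXXX") || return 2
    if ! build_crl_bundle "$tmp" "$@"; then
        rm -f "$tmp"; return 2          # keep the previous bundle in place
    fi
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"; return 1          # same CRLs as last run: no reload
    fi
    chmod 644 "$tmp"                    # mktemp creates the file as 0600
    mv "$tmp" "$dest" || { rm -f "$tmp"; return 2; }   # rename within one directory
    sh -c "$reload_cmd" || return 2
    return 0
}

# Daily cron usage (input names and reload command are placeholders):
# refresh_crl /etc/opensips/stir-shaken-ca/crl.pem "<reload command>" \
#     root_crl.der man_crl.der
```

<div>Because CRLs are normally re-issued with new validity dates, a byte comparison treats a re-issued list as changed even when no new certificate was revoked.</div>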