<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.gmailsignatureprefix
{mso-style-name:gmail_signature_prefix;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=FR link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>Of course we will reload only if there is a change ….<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Users <users-bounces@lists.opensips.org> on behalf of David Villasmil <david.villasmil.work@gmail.com><br><b>Reply-To: </b>OpenSIPS users mailling list <users@lists.opensips.org><br><b>Date: </b>Friday, 28 July 2023 at 16:21<br><b>To: </b>OpenSIPS users mailling list <users@lists.opensips.org><br><b>Subject: </b>Re: [OpenSIPS-Users] Issue with stir and shaken crl_list<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Every day??? Does it CHANGE every day? Maybe just check if it’s changed, then reload only if it has. 
Seems very excessive to make that mandatory.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Fri, 28 Jul 2023 at 15:46, Alain Bieuzent <<a href="mailto:alain.bieuzent@free.fr">alain.bieuzent@free.fr</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><p class=MsoNormal>Sorry, I wrote nonsense (again...)<br>
In the French implementation of STIR/SHAKEN we must download certificate updates every day (only for crl_list).<br>
In the stir_shaken module documentation, there is no explanation of how to put crl_list in the db.<br><br>
Regards<br><br>
On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a> on behalf of <a href="mailto:alain.bieuzent@free.fr" target="_blank">alain.bieuzent@free.fr</a>> wrote:<br><br>
Hi Razvan,<br><br>
I work on the same project as Mickael and we don't understand how the tls_mgm can help us in this case.<br>
In the French implementation of STIR/SHAKEN we must download certificate updates every day (ca_list and crl_list).<br>
How can these updates be considered in real time?<br><br>
Regards<br><br>
On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a> on behalf of <a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>> wrote:<br><br>
Hi, Mickael!<br><br>
The only way is to store certificates in the database and reload the tls_mgm module (using tls_reload).<br><br>
Best regards,<br><br>
Răzvan Crainea<br>
OpenSIPS Core Developer / SIPhub CTO<br>
<a href="http://www.opensips-solutions.com" target="_blank">http://www.opensips-solutions.com</a> / <a href="https://www.siphub.com" target="_blank">https://www.siphub.com</a><br><br>
On 7/26/23 16:38, Mickael Hubert wrote:<br>
> Hi Razvan,<br>
> Another question about crl_list: when the CRL list changes, what is the best way to reload this list in OpenSIPS memory? Restart it? Or another way?<br>
> I know the crl_list can change each day, so if I have to restart opensips each day, it's not very practical.<br>
> <br>
> Thanks in advance<br>
> <br>
> On Tue, 25 Jul 2023 at 14:47, Mickael Hubert <<a href="mailto:mickael@winlux.fr" target="_blank">mickael@winlux.fr</a>> wrote:<br>
> <br>
> Hi Razvan,<br>
> Thanks a lot.<br>
> I loaded the CRL for CA and certs and opensips starts correctly ;)<br>
> <br>
> Have a good day!<br>
> <br>
> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea <<a href="mailto:razvan@opensips.org" target="_blank">razvan@opensips.org</a>> wrote:<br>
> <br>
> Hi, Mickael!<br>
> <br>
> I don't have much experience with this, but a first search would point to this [1] answer, which seems reasonable to me: you need to provide the CRL of the entire path, not only of your intermediate cert. Did you try that?<br>
> <br>
> [1] <a href="https://stackoverflow.com/a/47398918" target="_blank">https://stackoverflow.com/a/47398918</a><br>
> <br>
> Best regards,<br>
> <br>
> Răzvan Crainea<br>
> OpenSIPS Core Developer<br>
> <a href="http://www.opensips-solutions.com" target="_blank">http://www.opensips-solutions.com</a><br>
> <br>
> On 7/19/23 15:47, Mickael Hubert wrote:<br>
> > Hi all,<br>
> > I'm working on stir and shaken, and I want to include all revoked certificates.<br>
> > I have my list in DER format; I use this command to transform it to PEM format:<br>
> > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem<br>
> ><br>
> > There is no error, I can read the PEM format (crl.pem):<br>
> > -----BEGIN X509 CRL-----<br>
> > ....<br>
> > -----END X509 CRL-----<br>
> ><br>
> > I configured opensips with this:<br>
> > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")<br>
> ><br>
> > but I have an error:<br>
> > Jul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL<br>
> > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate<br>
> ><br>
> > Can you tell me what exactly the correct format is, please?<br>
> ><br>
> > Thanks in advance!<br>
> > ++<br>
> ><br>
> > _______________________________________________<br>
> > Users mailing list<br>
> > <a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
> > <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><o:p></o:p></p></blockquote></div></div><p class=MsoNormal><span class=gmailsignatureprefix>-- 
</span><o:p></o:p></p><div><div><div><p class=MsoNormal>Regards,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>David Villasmil<o:p></o:p></p><div><p class=MsoNormal>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a><o:p></o:p></p></div><div><p class=MsoNormal>phone: +34669448337<o:p></o:p></p></div></div></div><p class=MsoNormal>_______________________________________________ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users <o:p></o:p></p></div></body></html>
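The two pieces of advice in this thread, providing the CRL for the entire certificate path and reloading only when the list has changed, can be combined in a daily job. The following is an added example, not code from any poster or from OpenSIPS; the function names, the idea of pointing crl_list at one concatenated PEM file, and the reload hook are assumptions.

```bash
# Added example, not from the thread. Paths and the reload hook are assumptions.
# der_to_pem IN.der OUT.pem: the conversion command quoted in the thread.
# openssl exits non-zero when the input is not a parseable CRL.
der_to_pem() {
    openssl crl -in "$1" -inform DER -outform PEM -out "$2"
}

# build_crl_bundle OUT CRL.pem...: concatenate one PEM CRL per CA in the path.
# Returns 2 if an input is missing or does not hold exactly one X509 CRL block.
build_crl_bundle() {
    local out="$1" f b e
    shift
    [ "$#" -gt 0 ] || return 2
    : > "$out" || return 2
    for f in "$@"; do
        b=$(grep -c -e '-----BEGIN X509 CRL-----' "$f" 2>/dev/null) || true
        e=$(grep -c -e '-----END X509 CRL-----' "$f" 2>/dev/null) || true
        [ "${b:-0}" -eq 1 ] && [ "${e:-0}" -eq 1 ] || return 2
        cat "$f" >> "$out" || return 2
    done
}

# install_crl_if_changed NEW TARGET
# Returns 0 if TARGET was replaced, 1 if it was already identical, 2 on error.
install_crl_if_changed() {
    local new="$1" target="$2" tmp
    [ -s "$new" ] || return 2
    if [ -f "$target" ] && cmp -s "$new" "$target"; then
        return 1
    fi
    # Write beside the target, then rename: readers never see a partial file.
    tmp=$(mktemp "${target}.XXXXXX") || return 2
    if cat "$new" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$target"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# refresh_crl TARGET RELOAD_CMD CRL.pem...
# RELOAD_CMD is a caller-supplied hook (hypothetical); it runs only on change.
refresh_crl() {
    local target="$1" reload_cmd="$2" bundle rc=0
    shift 2
    bundle=$(mktemp) || return 2
    if build_crl_bundle "$bundle" "$@"; then
        install_crl_if_changed "$bundle" "$target" || rc=$?
    else
        rc=2
    fi
    rm -f "$bundle"
    if [ "$rc" -eq 0 ]; then "$reload_cmd" || rc=2; fi
    return "$rc"
}
```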