[OpenSIPS-Users] stir shaken verification
jjackson at aninetworks.net
Thu Jan 5 01:37:55 UTC 2023
We have a process that downloads the CA list from iconectiv nightly, decodes the jwt and stores the certs in a single file in /etc/ssl/sti-ca/sti-ca.pem
Here is the opensips modparam
#stir and shaken
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
This is on opensips v3.1.11
From: Users <users-bounces at lists.opensips.org> on behalf of Marcin Groszek <marcin at voipplus.net>
Sent: Wednesday, January 4, 2023 6:12 PM
To: users at lists.opensips.org <users at lists.opensips.org>
Subject: [OpenSIPS-Users] stir shaken verification
Opensips version 3.1.5
I am having some issues with stir_shaken setup. I am sure this not an issue with the module, but me.
stir_shaken_auth works just fine and I am able to sign the calls, however I was unable to find any document how to use a ca file available for download at iconectiv/download-list as well as via API. They do come in as jwt file, but after little manipulation individual certificates can be extracted, and the first one is the root certificate; I think, and the rest are trusted STI-CA. I guess my question is how do I use this file or any other cert file as "ca_list" and/or "ca_dir" .
After weeks and hundreds attempts I was unsuccessful, and I was unable to locate any document explaining preparation/setup/steps to setup verification.
All I get is :
ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_verify: Failed to load certificate
on INVITE with valid identity header.
When I remove or replace "ca_list" file with something bogus opensips does not even start with errors:
ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
ERROR:core:init_mod: failed to initialize module stir_shaken
I would really appreciate some guidance on this one.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users