[OpenSIPS-Users] stir shaken verification

Joseph Jackson jjackson at aninetworks.net
Thu Jan 5 01:37:55 UTC 2023 

Hi Marcin,

We have a process that downloads the CA list from iconectiv nightly,  decodes the jwt and stores the certs in a single file in /etc/ssl/sti-ca/sti-ca.pem

Here is the opensips modparam

#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")

This is on opensips v3.1.11


________________________________
From: Users <users-bounces at lists.opensips.org> on behalf of Marcin Groszek <marcin at voipplus.net>
Sent: Wednesday, January 4, 2023 6:12 PM
To: users at lists.opensips.org <users at lists.opensips.org>
Subject: [OpenSIPS-Users] stir shaken verification


Opensips version 3.1.5

I am having some issues with stir_shaken setup. I am sure this not an issue with the module, but me.

stir_shaken_auth works just fine and I am able to sign the calls, however I was unable to find any document how to use a ca file available for download at iconectiv/download-list as well as via API. They do come in as jwt file, but after little manipulation individual certificates can be extracted, and the first one is the root certificate; I think, and the rest are trusted STI-CA. I guess my question is how do I use this file or any other cert file as "ca_list" and/or "ca_dir" .

After weeks and hundreds attempts I was unsuccessful, and I was unable to locate any document explaining preparation/setup/steps to setup verification.

All I get is :

ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_verify: Failed to load certificate
on INVITE with valid identity header.

When I remove or replace  "ca_list" file with something bogus opensips does not even start  with errors:

ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
ERROR:core:init_mod: failed to initialize module stir_shaken

I would really appreciate some guidance on this one.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20230105/035fffb3/attachment-0001.html>

More information about the Users mailing list