[OpenSIPS-Users] stir shaken verification

Jonathan Abrams ffshoh at gmail.com
Fri Jan 6 16:36:37 UTC 2023


IIRC, the issue you were having with the validation failures on CentOS 7
was related to a shared library. OpenSSL I think.

-Jon Abrams


On Fri, Jan 6, 2023, 10:30 AM Marcin Groszek <marcin at voipplus.net> wrote:

> Thank you for all your help.
>
> My test opensips installation was on CentOS 7 and cert verification has
> been failing.
>
> The certificates are verifying with the same opensips version 3.1.5 and the
> same configuration on Oracle Linux 8.6.
>
> Thank you again for all your answers and help.
>
>
> On 1/5/2023 5:24 PM, Marcin Groszek wrote:
>
> Yes it is, I sent it to xlog and it does.
> On 1/5/2023 4:45 PM, David Villasmil wrote:
>
> Is $var(cert) actually set? Print it out
>
> On Thu, 5 Jan 2023 at 23:19, Marcin Groszek <marcin at voipplus.net> wrote:
>
>> Thank you very much. I have the same file, and verification is still
>> failing. Perhaps my config:
>>
>>
>> # Look the signer's certificate up in the local cache, keyed by the
>> # Identity header's x5u URL; re-fetch it if it is missing or fails to parse.
>> $var(found) = cache_fetch("local", $identity(x5u), $var(cert));
>> if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
>>     # rest_get() requires a plain variable as its output parameter (param 2)
>>     rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
>>     if ($rc < 0 || $var(http_rc) != 200) {
>>         send_reply(436, "Bad Identity Info");
>>         exit;
>>     }
>>     cache_store("local", $identity(x5u), $var(cert), 60);
>> }
>>
>> # Verify the PASSporT signature and the certificate chain against ca_list
>> stir_shaken_verify("$var(cert)", $var(err_sip_code), $var(err_sip_reason));
>> if ($rc < 0) {
>>     xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason)\n");
>>     send_reply($var(err_sip_code), $var(err_sip_reason));
>>     exit;
>> }
>>
>>
>> I figured this much:
>>
>> $var(cert) is the public certificate downloaded from $identity(x5u); if it
>> does not exist in the local cache it gets pulled and stored.
>>
>> stir_shaken_check_cert("$var(cert)") is generating these errors:
>>
>> ERROR:stir_shaken:load_cert: Failed to parse certificate
>> ERROR:stir_shaken:w_stir_check_cert: Failed to load certificate (because
>> the entry does not exist in the local cachedb)
>>
>> This forces the download of the public cert from $identity(x5u) and stores
>> it in the local cachedb.
>>
>> A second attempt does not generate these errors; however, calls with a
>> different Identity header and URL for the public cert should generate the
>> same errors again, as the public cert from the new URL is not in the local
>> cachedb, but it is NOT generating the same error.
>>
>> Also, I have minimized cache_store down to 1 second, and after that a second
>> call with the same $identity(x5u) should generate the same errors, but it does not.
>>
>> An example on the shaken-not-stirred page has:
>>
>> rest_get( "$identity(x5u)", "$var(cert)",
>>         $var(ctype), $var(http_rc));
>>
>> but this fails at start-up with the error ERROR:core:fix_cmd: Param [2]
>> expected to be a variable, so I removed the double quotes from around
>> $var(cert).
>>
>>
>>
>> On 1/5/2023 1:18 PM, Joseph Jackson wrote:
>>
>> Hi Marcin,
>>
>> I suspect you are correct that it's how you are decoding the CA cert file
>> from iconectiv.
>>
>> Attached is what we have currently, and it works in our production
>> environment.
>>
>> If the maillist strips out that attachment let me know.  You can reach me
>> directly at jjackson at aninetworks.net
>>
>> Joseph
>>
>> ------------------------------
>> *From:* Users <users-bounces at lists.opensips.org> on behalf of Marcin Groszek <marcin at voipplus.net>
>> *Sent:* Thursday, January 5, 2023 10:16 AM
>> *To:* users at lists.opensips.org
>> *Subject:* Re: [OpenSIPS-Users] stir shaken verification
>>
>>
>> Joseph, thank you very much for your response.
>>
>>
>> I have downloaded and applied the new sti-ca file, but certificate validation
>> fails.
>>
>> INFO:stir_shaken:verify_callback: certificate validation failed:
>> certificate signature failure
>> INFO:stir_shaken:w_stir_verify: Invalid certificate
>> DBG:core:comp_scriptvar: int 26 : -8 / 0
>> [1637] stir_shaken_verify() failed: 437, Unsupported Credential
>>
>>
>> Perhaps I am not processing the sti-ca file properly.
>>
>>
>> I am testing this with a valid token; in fact, test calls are coming from a
>> major cellular carrier in the US, and the verification fails.
>>
>> I can see curl download the public cert, store it in the local cache and
>> then attempt to verify, but it fails.
>>
>> On the next call with the same token, the public cert is pulled from the local
>> cache and still fails.
>>
>>
>>
>>
>> On 1/4/2023 7:37 PM, Joseph Jackson wrote:
>>
>> Hi Marcin,
>>
>> We have a process that downloads the CA list from iconectiv nightly,
>> decodes the jwt and stores the certs in a single file in
>> /etc/ssl/sti-ca/sti-ca.pem
>>
>> Here is the opensips modparam
>>
>> #stir and shaken
>> loadmodule "stir_shaken.so"
>> modparam("stir_shaken", "verify_date_freshness", 300)
>> modparam("stir_shaken", "auth_date_freshness", 300)
>> modparam("stir_shaken", "e164_strict_mode", 0)
>> #list of root certs for stir / shaken verification
>> modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
>>
>> This is on opensips v3.1.11
>>
>>
>> ------------------------------
>> *From:* Users <users-bounces at lists.opensips.org> on behalf of Marcin Groszek <marcin at voipplus.net>
>> *Sent:* Wednesday, January 4, 2023 6:12 PM
>> *To:* users at lists.opensips.org
>> *Subject:* [OpenSIPS-Users] stir shaken verification
>>
>>
>> Opensips version 3.1.5
>>
>> I am having some issues with the stir_shaken setup. I am sure this is not an
>> issue with the module, but with me.
>>
>> stir_shaken_auth works just fine and I am able to sign the calls; however,
>> I was unable to find any document on how to use the CA file available for
>> download at iconectiv/download-list as well as via API. They do come in as a
>> JWT file, but after a little manipulation individual certificates can be
>> extracted, and the first one is the root certificate, I think, and the rest
>> are trusted STI-CAs. I guess my question is how do I use this file or any
>> other cert file as "ca_list" and/or "ca_dir".
>>
>> After weeks and hundreds of attempts I was unsuccessful, and I was unable to
>> locate any document explaining the preparation/setup steps to set up
>> verification.
>>
>> All I get is:
>>
>> ERROR:stir_shaken:load_cert: Failed to parse certificate
>> ERROR:stir_shaken:w_stir_verify: Failed to load certificate
>> on an INVITE with a valid Identity header.
>>
>> When I remove or replace the "ca_list" file with something bogus, opensips
>> does not even start, with errors:
>>
>> ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
>> ERROR:core:init_mod: failed to initialize module stir_shaken
>>
>> I would really appreciate some guidance on this one.
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>> --
>> Best Regards:
>> Marcin Groszek
>> Business Phone Service https://www.voipplus.net
>>
> --
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
>
>
>
>
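The JWT-to-PEM step Joseph describes (decode the nightly iconectiv list and write every certificate into one ca_list bundle), as an added example that is not code from any poster in this thread or from OpenSIPS. It assumes the certificate array sits in a payload claim named trustedSTICAs (an assumption, not confirmed by the thread) and builds a constructed, unsigned sample token for testing; it rejects the two decoding slips that leave OpenSSL's PEM reader with an unparseable file, mis-padded base64url segments and literal "\n" sequences left inside a certificate body.

```python
import base64
import json
import re

# Assumed claim name for the certificate array in the STI-PA list JWT.
CA_CLAIM = "trustedSTICAs"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def b64url_decode(segment):
    """Base64url-decode one JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(token):
    """Return the decoded payload claims of a compact-serialised JWT."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def extract_ca_pems(token, claim=CA_CLAIM):
    """Pull every certificate out of the list and re-emit it as canonical PEM."""
    certs = jwt_payload(token).get(claim)
    if not isinstance(certs, list) or not certs:
        raise ValueError("claim %r missing or empty" % claim)
    pems = []
    for i, entry in enumerate(certs):
        m = PEM_RE.search(entry)
        if not m:
            raise ValueError("entry %d: no PEM certificate markers" % i)
        body = "".join(m.group(1).split())  # drop newlines/whitespace inside the body
        try:
            base64.b64decode(body, validate=True)  # a literal "\n" left in by sed/grep fails here
        except ValueError as e:
            raise ValueError("entry %d: body is not valid base64" % i) from e
        wrapped = "\n".join(body[j:j + 64] for j in range(0, len(body), 64))
        pems.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped)
    return pems

def write_ca_list(token, path):
    """Write all certificates into one bundle file (the ca_list file); return the count."""
    pems = extract_ca_pems(token)
    with open(path, "w") as f:
        f.write("".join(pems))
    return len(pems)

def build_sample_token(certs):
    """Constructed, unsigned token in the assumed list shape (test data only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (enc({"alg": "ES256", "typ": "JWT"}), enc({"version": "1.0", CA_CLAIM: certs}))
```

The example only checks PEM framing and base64 validity; it does not verify the list's own signature or the X.509 contents, so point OpenSIPS at the written file and let its start-up check ("Failed to load trusted CAs") confirm the bundle loads.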