[OpenSIPS-Users] stir shaken verification
Marcin Groszek
marcin at voipplus.net
Fri Jan 6 16:47:08 UTC 2023
I was/am suspecting the openssl library, but I refuse to dedicate any more
time to troubleshooting it. It is quite easy to install a new OS and try it
again, especially for a test environment.
On 1/6/2023 10:36 AM, Jonathan Abrams wrote:
> IIRC, the issue you were having with the validation failures on CentOS
> 7 was related to a shared library. OpenSSL I think.
>
> -Jon Abrams
>
>
> On Fri, Jan 6, 2023, 10:30 AM Marcin Groszek <marcin at voipplus.net> wrote:
>
> Thank you for all your help.
>
> My test opensips installation was on CentOS 7 and cert
> verification has been failing.
>
> The certificates are verifying with the same opensips version 3.1.5
> and the same configuration on Oracle Linux 8.6.
>
> Thank you again for all your answers and help.
>
>
> On 1/5/2023 5:24 PM, Marcin Groszek wrote:
>>
>> Yes it is; I sent it to xlog and it does.
>>
>> On 1/5/2023 4:45 PM, David Villasmil wrote:
>>> Is $var(cert) actually set? Print it out
>>>
>>> On Thu, 5 Jan 2023 at 23:19, Marcin Groszek <marcin at voipplus.net> wrote:
>>>
>>> Thank you very much. I have the same file, and verification
>>> is still failing. Perhaps it is my config:
>>>
>>>
>>>     $var(found) = cache_fetch("local", $identity(x5u), $var(cert));
>>>     if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
>>>         rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
>>>         if ($rc < 0 || $var(http_rc) != 200) {
>>>             send_reply(436, "Bad Identity Info");
>>>             exit;
>>>         }
>>>         cache_store("local", $identity(x5u), $var(cert), 60);
>>>     }
>>>
>>>     stir_shaken_verify("$var(cert)", $var(err_sip_code), $var(err_sip_reason));
>>>     if ($rc < 0) {
>>>         xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason)\n");
>>>         send_reply($var(err_sip_code), $var(err_sip_reason));
>>>         exit;
>>>     }
>>>
>>>
>>> I figured this much:
>>>
>>> $var(cert) is the public certificate downloaded from
>>> $identity(x5u); if it does not exist in the local cache it gets
>>> pulled and stored.
>>>
>>> stir_shaken_check_cert("$var(cert)") is generating these errors:
>>>
>>> ERROR:stir_shaken:load_cert: Failed to parse certificate
>>> ERROR:stir_shaken:w_stir_check_cert: Failed to load
>>> certificate (because the entry does not exist in the local cachedb)
>>>
>>> This forces the download of the public cert from
>>> $identity(x5u) and stores it in the local cachedb.
>>>
>>> A second attempt does not generate these errors; however, calls
>>> with a different Identity header and URL for the public cert should
>>> generate the same errors again, as the public cert from the new URL
>>> is not in the local cachedb, but it is NOT generating the same error.
>>>
>>> Also, I have minimized the cache_store lifetime down to 1 second, and
>>> after that a second call with the same $identity(x5u) should
>>> generate the same errors, but it is not.
>>>
>>> An example on the shaken-not-stirred page has:
>>>
>>>     rest_get("$identity(x5u)", "$var(cert)", $var(ctype), $var(http_rc));
>>>
>>> but this fails at start-up with the error ERROR:core:fix_cmd:
>>> Param [2] expected to be a variable, so I removed the double
>>> quotes from around $var(cert).
>>>
>>>
>>>
>>> On 1/5/2023 1:18 PM, Joseph Jackson wrote:
>>>> Hi Marcin,
>>>>
>>>> I suspect you are correct that it's how you are decoding the
>>>> CA cert file from iconectiv.
>>>>
>>>> Attached is what we have currently and it works in our
>>>> production environment.
>>>>
>>>> If the maillist strips out that attachment let me know.
>>>> You can reach me directly at jjackson at aninetworks.net
>>>>
>>>> Joseph
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Users <users-bounces at lists.opensips.org> on behalf of
>>>> Marcin Groszek <marcin at voipplus.net>
>>>> *Sent:* Thursday, January 5, 2023 10:16 AM
>>>> *To:* users at lists.opensips.org
>>>> *Subject:* Re: [OpenSIPS-Users] stir shaken verification
>>>>
>>>> Joseph, thank you very much for your response.
>>>>
>>>>
>>>> I have downloaded and applied the new sti-ca file but certificate
>>>> validation fails.
>>>>
>>>> INFO:stir_shaken:verify_callback: certificate validation
>>>> failed: certificate signature failure
>>>> INFO:stir_shaken:w_stir_verify: Invalid certificate
>>>> DBG:core:comp_scriptvar: int 26 : -8 / 0
>>>> [1637] stir_shaken_verify() failed: 437, Unsupported Credential
>>>>
>>>>
>>>> Perhaps I am not processing the sti-ca file properly.
>>>>
>>>>
>>>> I am testing this with a valid token; in fact, test calls
>>>> are coming from a major cellular carrier in the US and the
>>>> verification fails.
>>>>
>>>> I can see curl download the public cert, store it in the
>>>> local cache and then attempt to verify, but it fails.
>>>>
>>>> Upon the next call with the same token, the public cert is pulled
>>>> from the local cache and still fails.
>>>>
>>>>
>>>>
>>>>
>>>> On 1/4/2023 7:37 PM, Joseph Jackson wrote:
>>>>> Hi Marcin,
>>>>>
>>>>> We have a process that downloads the CA list from
>>>>> iconectiv nightly, decodes the JWT and stores the certs
>>>>> in a single file at /etc/ssl/sti-ca/sti-ca.pem
>>>>>
>>>>> Here is the opensips modparam
>>>>>
>>>>>     #stir and shaken
>>>>>     loadmodule "stir_shaken.so"
>>>>>     modparam("stir_shaken", "verify_date_freshness", 300)
>>>>>     modparam("stir_shaken", "auth_date_freshness", 300)
>>>>>     modparam("stir_shaken", "e164_strict_mode", 0)
>>>>>     #list of root certs for stir / shaken verification
>>>>>     modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
>>>>>
>>>>> This is on opensips v3.1.11
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* Users <users-bounces at lists.opensips.org> on behalf of
>>>>> Marcin Groszek <marcin at voipplus.net>
>>>>> *Sent:* Wednesday, January 4, 2023 6:12 PM
>>>>> *To:* users at lists.opensips.org
>>>>> *Subject:* [OpenSIPS-Users] stir shaken verification
>>>>>
>>>>> Opensips version 3.1.5
>>>>>
>>>>> I am having some issues with the stir_shaken setup. I am sure
>>>>> this is not an issue with the module, but with me.
>>>>>
>>>>> stir_shaken_auth works just fine and I am able to sign
>>>>> the calls; however, I was unable to find any document on how
>>>>> to use the CA file available for download at
>>>>> iconectiv/download-list as well as via API. They come
>>>>> in as a JWT file, but after a little manipulation individual
>>>>> certificates can be extracted, and the first one is the
>>>>> root certificate, I think, and the rest are trusted
>>>>> STI-CAs. I guess my question is how do I use this file or
>>>>> any other cert file as "ca_list" and/or "ca_dir".
>>>>>
>>>>> After weeks and hundreds of attempts I was unsuccessful, and
>>>>> I was unable to locate any document explaining the
>>>>> preparation/setup steps for verification.
>>>>>
>>>>> All I get is:
>>>>>
>>>>> ERROR:stir_shaken:load_cert: Failed to parse certificate
>>>>> ERROR:stir_shaken:w_stir_verify: Failed to load certificate
>>>>> on INVITE with a valid Identity header.
>>>>>
>>>>> When I remove or replace the "ca_list" file with something
>>>>> bogus, opensips does not even start, with errors:
>>>>>
>>>>> ERROR:stir_shaken:init_cert_validation: Failed to load
>>>>> trustefd CAs
>>>>> ERROR:core:init_mod: failed to initialize module stir_shaken
>>>>>
>>>>> I would really appreciate some guidance on this one.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>> --
>>>> Best Regards:
>>>> Marcin Groszek
>>>> Business Phone Service
>>>> https://www.voipplus.net
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>> David Villasmil
>>> email: david.villasmil.work at gmail.com
>>> phone: +34669448337
>>>
>>
>
>
>
>
--
Best Regards:
Marcin Groszek
Business Phone Service
https://www.voipplus.net
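The route that worked in the thread is Joseph's nightly job: decode the iconectiv STI-CA list JWT and write the certificates into one PEM bundle for "ca_list". The following is an added, self-contained Python example of that step, not code from the thread or from the OpenSIPS project; the payload key "TrustedCAs" and the sample certificates are constructed assumptions, and the JWT's own signature is not verified here. It also rejects any block OpenSSL would fail to parse, which is the "Failed to parse certificate" error the thread chased.

```python
import base64
import json
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def jwt_payload(token: str) -> dict:
    """Decode the JSON payload of a compact JWT (header.payload.signature); signature not checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def extract_certs(node) -> list:
    """Recursively collect every PEM certificate block found in any string value,
    so the exact payload key the list uses does not matter."""
    if isinstance(node, str):
        return PEM_RE.findall(node)
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return [c for v in node for c in extract_certs(v)]
    return []

def to_pem_bundle(certs) -> tuple:
    """Return (bundle_text, rejected_count) for use as the stir_shaken "ca_list" file.
    A block is kept only if its body is valid base64 and begins with the DER SEQUENCE tag
    (0x30) every X.509 certificate starts with; OpenSSL rejects anything else as unparseable."""
    good, rejected = [], 0
    for pem in (c.strip() for c in certs):
        try:
            der = ssl.PEM_cert_to_DER_cert(pem)  # strict PEM framing + base64 decode
        except ValueError:  # binascii.Error is a ValueError subclass
            der = b""
        if der[:1] == b"\x30":
            good.append(pem)
        else:
            rejected += 1
    return "\n".join(good) + "\n", rejected

def make_sample_jwt() -> str:
    """Constructed test list, not real iconectiv data; the key "TrustedCAs" is an assumption."""
    good_der = bytes([0x30, 0x03, 0x02, 0x01, 0x01])  # minimal DER SEQUENCE stand-in
    good_pem = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----" % base64.encodebytes(good_der).decode()
    bad_pem = "-----BEGIN CERTIFICATE-----\nAQID\n-----END CERTIFICATE-----"  # bytes 01 02 03, not a SEQUENCE
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return "%s.%s.sig" % (enc({"alg": "ES256", "typ": "JWT"}), enc({"TrustedCAs": [good_pem, bad_pem]}))
```

Write the returned bundle text to the path configured in "ca_list" and check that rejected_count is zero before restarting opensips, since a single malformed block makes the whole list fail to load.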