Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-28 Thread Alain Bieuzent
Of course we will reload only if there is a change…

From: Users on behalf of David Villasmil
Reply-To: OpenSIPS users mailing list
Date: Friday 28 July 2023 at 16:21
To: OpenSIPS users mailing list
Subject: Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

Every day??? Does it CHANGE every day? Maybe just check if it’s changed, then
reload only if it has. Seems very excessive to make that mandatory.

On Fri, 28 Jul 2023 at 15:46, Alain Bieuzent wrote:

sorry I wrote nonsense (again...)
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (only for crl_list).
In stir_shaken module documentation, there is no explanation how to put 
crl_list in db.

Regards

On 28/07/2023 15:39, « Users on behalf of Alain Bieuzent » <users-boun...@lists.opensips.org on behalf of alain.bieuz...@free.fr> wrote:

Hi Razvan,

I work on the same project as Mickael and we don't understand how the tls_mgm 
can help us in this case.
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (ca_list and crl_list).
How can these updates be considered in real time?

Regards

On 27/07/2023 12:38, « Users on behalf of Răzvan Crainea » <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:

Hi, Mickael!

The only way is to store certificates in database and reload the tls_mgm 
module (using tls_reload).

Best regards,

Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com

On 7/26/23 16:38, Mickael Hubert wrote:
> Hi Razvan,
> another question about crl_list, when crl list changed, what is the best 
> way to reload this list in OpenSIPS memory ? restart it ? or another way ?
> I know the crl_list can change each day, so if I have to restart 
> opensips each day, it's not very practical.
> 
> thanks in advance
> 
> On Tue, 25 Jul 2023 at 14:47, Mickael Hubert wrote:
> 
> Hi Razvan,
> Thanks a lot.
> I loaded the CRL for CA and certs and opensips start correctly ;)
> 
> Have a good day !
> 
> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea wrote:
> 
> Hi, Mickael!
> 
> I don't have much experience with this, but a first search would point
> to this [1] answer, which seems reasonable to me: you need to provide
> the CRL of the entire path, not only of your intermediate cert. Did you
> try that?
> 
> [1] https://stackoverflow.com/a/47398918
> 
> Best regards,
> 
> Răzvan Crainea
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
> 
> On 7/19/23 15:47, Mickael Hubert wrote:
> > Hi all,
> > I'm working on stir and shaken, and I want to include all revoked
> > certificates.
> > I have my list in DER format, I use this command to transform it to PEM format:
> > openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
> >
> > there is no error, I can read pem format (crl.pem):
> > -----BEGIN X509 CRL-----
> > 
> > -----END X509 CRL-----
> >
> > I configured opensips with this:
> > modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
> >
> > but I have an error:
> > Jul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
> > Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
> >
> > Can you tell me, what is exactly the correct format please ?
> >
> > Thanks in advance !
> > ++
> >
> > ___
> > Users mailing list
> > Users@lists.opensips.org  
> > 
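
The refresh this thread converges on (CRLs for the entire path in one crl_list file, reload only when something changed), as an added shell example that is not part of the original messages or of OpenSIPS. It assumes crl_list accepts several PEM CRLs concatenated in one file; the function names, `root_crl.der` and the reload hook are hypothetical, and the hook is left to the operator because the thread does not settle how crl_list is reloaded.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the stir_shaken crl_list bundle
# from the DER CRLs of every CA in the path and reload only when it changed.

# build_crl_bundle OUT DER... : convert each DER CRL to PEM, append to OUT.
build_crl_bundle() {
    out=$1; shift
    : > "$out" || return 2
    for der in "$@"; do
        # openssl rejects a truncated or non-CRL download, so a bad fetch
        # aborts here and never reaches the live file.
        openssl crl -inform DER -in "$der" -outform PEM >> "$out" || return 2
    done
}

# install_if_changed NEW LIVE : returns 0 if LIVE was replaced, 1 if the
# contents were identical (NEW is discarded), 2 if NEW is empty.
install_if_changed() {
    new=$1; live=$2
    [ -s "$new" ] || return 2
    if [ -f "$live" ] && cmp -s "$new" "$live"; then
        rm -f "$new"
        return 1
    fi
    mv -f "$new" "$live"   # rename is atomic on the same filesystem
}

# refresh_crl LIVE HOOK DER... : HOOK is an operator-supplied reload command
# (assumption: the thread does not settle how crl_list is reloaded).
refresh_crl() {
    live=$1; hook=$2; shift 2
    tmp="$live.new.$$"
    build_crl_bundle "$tmp" "$@" || { rm -f "$tmp"; return 2; }
    install_if_changed "$tmp" "$live" || { rc=$?; rm -f "$tmp"; return "$rc"; }
    sh -c "$hook"
}

# Constructed usage; root_crl.der is a hypothetical name for the root CA's CRL:
# refresh_crl /etc/opensips/stir-shaken-ca/crl.pem "$RELOAD_CMD" \
#     root_crl.der man_crl.der
```

The comparison is byte-wise, so a CRL re-issued with new thisUpdate/nextUpdate fields counts as a change even when no additional certificate was revoked.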

Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-28 Thread David Villasmil
Every day??? Does it CHANGE every day? Maybe just check if it’s changed, then
reload only if it has. Seems very excessive to make that mandatory.


Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-28 Thread Alain Bieuzent
sorry I wrote nonsense (again...)
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (only for crl_list).
In stir_shaken module documentation, there is no explanation how to put 
crl_list in db.

Regards



Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-07-28 Thread Alain Bieuzent
Hi Razvan,

I work on the same project as Mickael and we don't understand how the tls_mgm 
can help us in this case.
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (ca_list and crl_list).
How can these updates be considered in real time?

Regards
