Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-08-01 Thread Alain Bieuzent
Thanks Razvan, it's done

On 01/08/2023 15:35, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:


Hi, Alain!


You are actually right, it looks like the crl_list and ca_dir cannot be 
dynamic :(. Could you please open a feature request for this, so we can 
keep them right, perhaps change them to a tls_mgm domain?


Best regards,


Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com


On 7/28/23 16:45, Alain Bieuzent wrote:
> sorry I wrote nonsense (again...)
> In the French implementation of STIR/SHAKEN we must download certificate 
> updates every day (only for crl_list).
> In stir_shaken module documentation, there is no explanation how to put 
> crl_list in db.
> 
> Regards
> 
> 
> On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <users-boun...@lists.opensips.org on behalf of alain.bieuz...@free.fr> wrote:
> 
> 
> Hi Razvan,
> 
> 
> I work on the same project as Mickael and we don't understand how the tls_mgm 
> can help us in this case.
> In the French implementation of STIR/SHAKEN we must download certificate 
> updates every day (ca_list and crl_list).
> How can these updates be considered in real time?
> 
> 
> Regards
> 
> 
> On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:
> 
> 
> 
> Hi, Mickael!
> 
> 
> 
> 
> The only way is to store certificates in database and reload the tls_mgm
> module (using tls_reload).
> 
> 
> 
> 
> Best regards,
> 
> 
> 
> 
> Răzvan Crainea
> OpenSIPS Core Developer / SIPhub CTO
> http://www.opensips-solutions.com / https://www.siphub.com
> 
> 
> 
> 
> On 7/26/23 16:38, Mickael Hubert wrote:
>> Hi Razvan,
>> another question about crl_list, when crl list changed, what is the best
>> way to reload this list in OpenSIPS memory ? restart it ? or another way ?
>> I know the crl_list can change each day, so if I have to restart
>> opensips each day, it's not very practical.
>>
>> thanks in advance
>>
>> On Tue, 25 Jul 2023 at 14:47, Mickael Hubert wrote:
>>
>> Hi Razvan,
>> Thanks a lot.
>> I loaded the CRL for CA and certs and opensips start correctly ;)
>>
>> Have a good day !
>>
>> On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea wrote:
>>
>> Hi, Mickael!
>>
>> I don't have much experience with this, but a first search would point
>> to this [1] answer, which seems reasonable to me: you need to provide
>> the CRL of the entire path, not only of your intermediate cert. Did you
>> try that?
>>
>> [1] https://stackoverflow.com/a/47398918

Re: [OpenSIPS-Users] Issue with stir and shaken crl_list

2023-08-01 Thread Răzvan Crainea

Hi, Alain!

You are actually right, it looks like the crl_list and ca_dir cannot be 
dynamic :(. Could you please open a feature request for this, so we can 
keep them right, perhaps change them to a tls_mgm domain?


Best regards,

Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com

On 7/28/23 16:45, Alain Bieuzent wrote:

sorry I wrote nonsense (again...)
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (only for crl_list).
In stir_shaken module documentation, there is no explanation how to put 
crl_list in db.

Regards


On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <users-boun...@lists.opensips.org on behalf of alain.bieuz...@free.fr> wrote:


Hi Razvan,


I work on the same project as Mickael and we don't understand how the tls_mgm 
can help us in this case.
In the French implementation of STIR/SHAKEN we must download certificate 
updates every day (ca_list and crl_list).
How can these updates be considered in real time?


Regards


On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <users-boun...@lists.opensips.org on behalf of raz...@opensips.org> wrote:




Hi, Mickael!




The only way is to store certificates in database and reload the tls_mgm
module (using tls_reload).




Best regards,




Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com




On 7/26/23 16:38, Mickael Hubert wrote:

Hi Razvan,
another question about crl_list, when crl list changed, what is the best
way to reload this list in OpenSIPS memory ? restart it ? or another way ?
I know the crl_list can change each day, so if I have to restart
opensips each day, it's not very practical.

thanks in advance

On Tue, 25 Jul 2023 at 14:47, Mickael Hubert <mick...@winlux.fr>

Best regards,

Răzvan Crainea
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 7/19/23 15:47, Mickael Hubert wrote:

Hi all,
I'm working on stir and shaken, and I want to include all revoked
certificates.
I have my list in DER format, I use this command to transform it to PEM format:

openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem

there is no error, I can read pem format (crl.pem):
-----BEGIN X509 CRL-----

-----END X509 CRL-----

I configured opensips with this:
modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")

but I have an error:
Jul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate

Can you tell me, what is exactly the correct format please ?

Thanks in advance !
++

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users 
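
The point made in the first reply of this thread (provide the CRL of the entire path, not only of the intermediate cert), as an added example that is not part of the original messages. It builds a constructed throwaway PKI and uses the openssl CLI with -crl_check_all as a stand-in; that the stir_shaken module applies the same chain-wide CRL check is an assumption, and all file names and subjects are made up.

```sh
#!/bin/sh
# Constructed throwaway PKI (root -> intermediate -> leaf); nothing here comes
# from the thread. Shows that CRL checking over the whole chain needs one CRL
# per issuing CA in the bundle, not only the intermediate's.
crl_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
default_md = sha256
default_crl_days = 1
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  : > index.txt
  new_key() {  # $1 = file prefix, $2 = CN; writes $1.key and $1.csr
    openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$2" \
      -keyout "$1.key" -out "$1.csr"
  }
  # Issue the chain, then one (empty) CRL per issuing CA.
  {
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
      -subj "/CN=Demo Root" -days 2 -keyout root.key -out root.pem &&
    new_key int "Demo Intermediate" && new_key leaf "Demo Leaf" &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_ca -days 2 -out int.pem &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out leaf.pem &&
    openssl ca -config ca.cnf -gencrl -cert root.pem -keyfile root.key -out root.crl.pem &&
    openssl ca -config ca.cnf -gencrl -cert int.pem -keyfile int.key -out int.crl.pem
  } >/dev/null 2>&1 || exit 1
  cat root.crl.pem int.crl.pem > chain.crl.pem   # bundle covering the full path
  check() {  # $1 = CRL file; verify the leaf with CRL checks on every chain cert
    openssl verify -CAfile root.pem -untrusted int.pem -crl_check_all \
      -CRLfile "$1" leaf.pem >/dev/null 2>&1 && echo OK || echo FAIL
  }
  out="intermediate-only=$(check int.crl.pem) full-chain=$(check chain.crl.pem)"
  cd / && rm -rf "$d"
  echo "$out"
)
crl_demo
```

The intermediate-only case fails with OpenSSL's "unable to get certificate CRL" because no CRL issued by the root is available for the intermediate certificate; the concatenated bundle is the single-file form a crl_list path would point at.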
 


[OpenSIPS-Users] Dialog contact not updating until answer

2023-08-01 Thread Callum Guy
Hi All,

I've observed a behaviour (OpenSIPS 3.2.4) where the contact stored
against an active dialog is not populated until the call is answered.

Using opensips-cli dlg_list I see the following:

Ringing - https://gist.github.com/spacetourist/2502f6b76a95bb2f500fda5291e1c93b
Answered - https://gist.github.com/spacetourist/81b9e19de14a04aeff7f1f7b8965e2e5

During ringing we have:
- "state": 2
- CALLEES > "callee_contact": "",

Once answered we have:
- "state": 4
- CALLEES > "callee_contact": "sip:b2o80qss@77.95.114.132:45656;transport=ws",

This is problematic for me as I'm working on a system to prevent
duplicate registrations from an AoR (sip:6190...@sk-1.rtc.sip.net)
whilst preventing other instances from overruling and taking ownership
of the session by blocking registrations from separate contacts when a
call is ongoing.

The exact scenario where I'm currently seeing errors is when an active
contact (i.e. sip:b2o80qss@77.95.114.132:45656;transport=ws) issues a
re-REGISTER during call setup. I use get_dialogs_by_profile() in
OpenSIPS to track sessions against the AoR and loop through any active
dialogs associated whenever a call or registration comes in. Using
this approach has allowed me to block other devices from creating a
second registration however the lookup is currently failing during the
ringing part of the session as the contact cannot be checked.

Is there a reason why callee_contact cannot be updated immediately
when the session begins? Is this to accommodate branching or similar?
I'll review alternative approaches whilst awaiting a reply however it
would be great if there was a path for me to solve this issue with my
current approach!

Thanks,

Callum

P.S. if this makes more sense as a GitHub issue then please let me
know, I'm not sure where is best to ask!
