Re: [OpenSIPS-Users] stir shaken verification

2023-01-30 Thread Marcin Groszek
I was/am suspecting openssl library, but I refuse to dedicate any more 
time to troubleshoot. It is quite easy to install new OS and try it 
again, especially for test environment.




Re: [OpenSIPS-Users] stir shaken verification

2023-01-06 Thread Jonathan Abrams
IIRC, the issue you were having with the validation failures on CentOS 7
was related to a shared library. OpenSSL I think.

-Jon Abrams



Re: [OpenSIPS-Users] stir shaken verification

2023-01-06 Thread Marcin Groszek

Thank you for all your help.

My test opensips installation was on CentOS 7 and cert verification has 
been failing.


The certificates are verifying with same opensips version 3.1.5 and same 
configuration on Oracle Linux 8.6.


Thank you again for all your answers and help.



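The messages above suspect the OpenSSL library on the CentOS 7 host rather than the script. The shell functions below are an added example, not code from the thread or from OpenSIPS: they check a CA bundle like the `ca_list` file and a fetched certificate with the host's own `openssl`. The function names are hypothetical and every key and certificate is constructed on the fly.

```shell
#!/bin/sh
# Added example; all keys and certificates are constructed test material.

# Number of PEM certificate blocks in a CA bundle such as the ca_list file.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Split the bundle into single certificates and parse each one.
# Prints how many blocks fail to parse (0 means every block is a certificate).
count_bad_certs() {
    tmp=$(mktemp -d) || return 2
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$1"
    bad=0
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || bad=$((bad + 1))
    done
    rm -rf "$tmp"
    echo "$bad"
}

# Verify one certificate against the bundle with the host's openssl.
# Prints openssl's verdict; succeeds only if exit status and text both say OK.
verify_against_bundle() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1)
    status=$?
    printf '%s\n' "$out"
    [ "$status" -eq 0 ] && printf '%s\n' "$out" | grep -q ': OK$'
}

new_key()  { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }
new_root() { openssl req -x509 -new -key "$1" -subj "$2" -days 2 -out "$3" 2>/dev/null; }

# Build constructed P-256 material: a root standing in for an STI-CA root,
# a leaf standing in for a signing certificate, and an unrelated root.
make_test_material() {
    dir=$1
    new_key "$dir/ca.key"
    new_root "$dir/ca.key" "/CN=Constructed STI Root" "$dir/ca.pem"
    new_key "$dir/leaf.key"
    openssl req -new -key "$dir/leaf.key" -subj "/CN=Constructed SHAKEN Signer" \
        -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
    new_key "$dir/other.key"
    new_root "$dir/other.key" "/CN=Constructed Other Root" "$dir/other.pem"
    # Bundle with the issuing root, bundle without it, bundle with a broken block.
    cat "$dir/other.pem" "$dir/ca.pem" > "$dir/good-bundle.pem"
    cp "$dir/other.pem" "$dir/wrong-bundle.pem"
    { cat "$dir/ca.pem"
      printf '%s\n' '-----BEGIN CERTIFICATE-----' 'bm90IGEgY2VydGlmaWNhdGU=' \
                    '-----END CERTIFICATE-----'
    } > "$dir/damaged-bundle.pem"
}

# Demo run on the constructed material.
work=$(mktemp -d)
make_test_material "$work"
echo "openssl in use: $(openssl version)"
echo "good bundle: $(count_pem_certs "$work/good-bundle.pem") certs," \
     "$(count_bad_certs "$work/good-bundle.pem") unparsable"
echo "damaged bundle: $(count_bad_certs "$work/damaged-bundle.pem") unparsable"
verify_against_bundle "$work/good-bundle.pem" "$work/leaf.pem" \
    || echo "unexpected: trusted chain rejected"
verify_against_bundle "$work/wrong-bundle.pem" "$work/leaf.pem" \
    || echo "rejected, as expected without the issuing root"
rm -rf "$work"
```

On a real host, point the checks at the `ca_list` file and at a certificate saved from the `x5u` URL; running `ldd` on the `stir_shaken.so` module shows which libcrypto it loads.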
Re: [OpenSIPS-Users] stir shaken verification

2023-01-05 Thread Marcin Groszek

Yes it is, I sent it to xlog and it does.


Re: [OpenSIPS-Users] stir shaken verification

2023-01-05 Thread Marcin Groszek
in 3.1.5 when I try to use stir_shaken_check_cert($var(cert)) without 
double quotes it throws an error on first INVITE after restart:


ERROR:core:get_cmd_fixups: Variable in param [1] is not a string
ERROR:core:do_action: Failed to get fixups for command 



So I am using stir_shaken_check_cert("$var(cert)"), but it does not 
seem to make any difference.



I attempted your config for cert management, got certificate in xlog, 
but verification still fails.


I guess, I'll try to upgrade to 3.1.11



Re: [OpenSIPS-Users] stir shaken verification

2023-01-05 Thread David Villasmil
Is $var(cert) actually set? Print it out

On Thu, 5 Jan 2023 at 23:19, Marcin Groszek  wrote:

> Thank you very much. I have the same file, and verification is still
> failing. Perhaps  my config:
>
>
> $var(found) = cache_fetch("local", $identity(x5u), $var(cert));
> if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
>     rest_get( "$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
>     if ($rc<0 || $var(http_rc) != 200) {
>         send_reply(436, "Bad Identity Info");
>         exit;
>     }
>     cache_store("local", $identity(x5u), $var(cert), 60);
> }
>
> stir_shaken_verify( "$var(cert)", $var(err_sip_code), $var(err_sip_reason));
> if ($rc < 0) {
>     xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason) \n");
>     send_reply( $var(err_sip_code), $var(err_sip_reason));
>     exit;
> }
>
>
> I figured this much:
>
> $var(cert) is a public certificate downloaded from $identity(x5u), if it
> does not exist in local cache it gets pulled and stored,
>
> stir_shaken_check_cert("$var(cert)") is generating these errors:
>
> ERROR:stir_shaken:load_cert: Failed to parse certificate
> ERROR:stir_shaken:w_stir_check_cert: Failed to load certificate ( because
> the entry does not exist in local cachedb)
>
> this forces the download of the public cert from $identity(x5u) and store
> in local cachedb
>
> second attempt does not generate these errors, however calls with different
> identity header and url for public cert should generate same errors again
> as the public cert from new url is not in local cachedb, but it is NOT
> generating same error.
>
> Also, I have minimized cache_store down to 1 second and after that second
> call with same $identity(x5u) should generate same errors, but it is not.
>
> an example at shaken-not-stirred page has:
>
> rest_get( "$identity(x5u)", "$var(cert)", $var(ctype), $var(http_rc));
>
> but this fails at start-up with error ERROR:core:fix_cmd: Param [2]
> expected to be a variable so I removed the double quotes from around
> $var(cert).
>
>
>
> On 1/5/2023 1:18 PM, Joseph Jackson wrote:
>
> Hi Marcin,
>
> I suspect you are correct that it's how you are decoding the ca cert file
> from iconectiv.
>
> attached is what we have currently and it works in our production
> environment.
>
> If the mailing list strips out that attachment let me know.  You can reach me
> directly at jjack...@aninetworks.net
>
> Joseph
>
> --
> *From:* Users on behalf of Marcin Groszek
> *Sent:* Thursday, January 5, 2023 10:16 AM
> *To:* users@lists.opensips.org
> *Subject:* Re: [OpenSIPS-Users] stir shaken verification
>
>
> Joseph, Thank you very much for your response.
>
>
> I have downloaded and applied new sti-ca file but certificate validation
> fails.
>
> INFO:stir_shaken:verify_callback: certificate validation failed: certificate signature failure
> INFO:stir_shaken:w_stir_verify: Invalid certificate
> DBG:core:comp_scriptvar: int 26 : -8 / 0
> [1637] stir_shaken_verify() failed: 437, Unsupported Credential
>
>
> Perhaps I am not processing the sti-ca file properly.
>
>
> I am testing this with a valid token , in fact test calls are coming from
> major cellular carrier in US and the verification fails.
>
> I can see curl download the public cert, storing it in local cache and
> then attempt to verify, but it fails.
>
> Upon next call with same token, the public cert is pulled from local cache
> and still fails.
>
>
>
>
> On 1/4/2023 7:37 PM, Joseph Jackson wrote:
>
> Hi Marcin,
>
> We have a process that downloads the CA list from iconectiv nightly,
> decodes the jwt and stores the certs in a single file in
> /etc/ssl/sti-ca/sti-ca.pem
>
> Here is the opensips modparam
>
> #stir and shaken
> loadmodule "stir_shaken.so"
> modparam("stir_shaken", "verify_date_freshness", 300)
> modparam("stir_shaken", "auth_date_freshness", 300)
> modparam("stir_shaken", "e164_strict_mode", 0)
> #list of root certs for stir / shaken verification
> modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
>
> This is on opensips v3.1.11
>
>
> --
> *From:* Users on behalf of Marcin Groszek
> *Sent:* Wednesday, January 4, 2023 6:12 PM
> *To:* users@lists.opensips.org
> *Subject:* [OpenSIPS-Users] stir shaken verification
>
>
> Opensips version 3.1.5
>

Re: [OpenSIPS-Users] stir shaken verification

2023-01-05 Thread Joseph Jackson
We have it slightly different but otherwise close to yours

cache_fetch("local", $identity(x5u), $var(cert));
if (!stir_shaken_check_cert($var(cert))) {
    xlog("--[$ci] STI Getting a fresh certificate, existing one doesn't exist or is invalid\n");

    $var(rc) = rest_get($identity(x5u), $var(cert));

    if ($var(rc) < 0) {
        xlog("--[$ci] STI Failed to get the certificate\n");
        send_reply(436, "Bad Identity Info");
        exit;
    }

    xlog("--[$ci] STI got certificate[$var(cert)]\n");

    cache_store("local", $identity(x5u), $var(cert));
} else {
    xlog("--[$ci] Using cached certificate\n");
}




Re: [OpenSIPS-Users] stir shaken verification

2023-01-05 Thread Marcin Groszek
Thank you very much. I have the same file, and verification is still 
failing. Perhaps  my config:



$var(found) = cache_fetch("local", $identity(x5u), $var(cert));
if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
    rest_get( "$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
    if ($rc<0 || $var(http_rc) != 200) {
        send_reply(436, "Bad Identity Info");
        exit;
    }
    cache_store("local", $identity(x5u), $var(cert), 60);
}

stir_shaken_verify( "$var(cert)", $var(err_sip_code), $var(err_sip_reason));
if ($rc < 0) {
    xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason) \n");
    send_reply( $var(err_sip_code), $var(err_sip_reason));
    exit;
}


I figured this much:

$var(cert) is a public certificate downloaded from $identity(x5u), if it 
does not exist in local cache it gets pulled and stored,

stir_shaken_check_cert("$var(cert)") is generating these errors:

ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_check_cert: Failed to load certificate ( 
because the entry does not exist in local cachedb)

this forces the download of the public cert from $identity(x5u) and 
store in local cachedb

second attempt does not generate these errors, however calls with 
different identity header and url for public cert should generate same 
errors again as the public cert from new url is not in local cachedb, but 
it is NOT generating same error.

Also, I have minimized cache_store down to 1 second and after that 
second call with same $identity(x5u) should generate same errors, but 
it is not.

an example at shaken-not-stirred page has:

rest_get( "$identity(x5u)", "$var(cert)", $var(ctype), $var(http_rc));

but this fails at start-up with error ERROR:core:fix_cmd: Param [2] 
expected to be a variable so I removed the double quotes from around 
$var(cert).




On 1/5/2023 1:18 PM, Joseph Jackson wrote:

Hi Marcin,

I suspect you are correct that it's how you are decoding the ca cert 
file from iconectiv.


Attached is what we have currently and it works in our production 
environment.


If the mailing list strips out that attachment let me know.  You can reach 
me directly at jjack...@aninetworks.net


Joseph


*From:* Users  on behalf of Marcin 
Groszek 

*Sent:* Thursday, January 5, 2023 10:16 AM
*To:* users@lists.opensips.org 
*Subject:* Re: [OpenSIPS-Users] stir shaken verification

Joseph, Thank you very much for your response.


I have downloaded and applied the new sti-ca file but certificate validation 
fails.


INFO:stir_shaken:verify_callback: certificate validation failed: certificate signature failure
INFO:stir_shaken:w_stir_verify: Invalid certificate
DBG:core:comp_scriptvar: int 26 : -8 / 0
[1637] stir_shaken_verify() failed: 437, Unsupported Credential


Perhaps I am not processing the sti-ca file properly.


I am testing this with a valid token , in fact test calls are coming 
from major cellular carrier in US and the verification fails.


I can see curl download the public cert, storing it in local cache and 
then attempt to verify, but it fails.


Upon next call with same token, the public cert is pulled from local 
cache and still fails.





On 1/4/2023 7:37 PM, Joseph Jackson wrote:

Hi Marcin,

We have a process that downloads the CA list from iconectiv nightly,  
decodes the jwt and stores the certs in a single file in 
/etc/ssl/sti-ca/sti-ca.pem


Here is the opensips modparam

#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")

This is on opensips v3.1.11



*From:* Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek <mar...@voipplus.net>

*Sent:* Wednesday, January 4, 2023 6:12 PM
*To:* users@lists.opensips.org

*Subject:* [OpenSIPS-Users] stir shaken verification

Opensips version 3.1.5

I am having some issues with stir_shaken setup. I am sure this is not an 
issue with the module, but me.


stir_shaken_auth works just fine and I am able to sign the calls, 
however I was unable to find any document how to use a ca file 
available for download at iconectiv/download-list as well as via API. 
They do come in as jwt file, but after little manipulation individual 
certificates can be extracted, and the first one is the root 
certificate; I think, and the rest ar

Re: [OpenSIPS-Users] stir shaken verification

2023-01-05 Thread Joseph Jackson
Hi Marcin,

I suspect you are correct that it's how you are decoding the ca cert file from 
iconectiv.

Attached is what we have currently and it works in our production environment.

If the mailing list strips out that attachment let me know.  You can reach me 
directly at jjack...@aninetworks.net

Joseph


From: Users  on behalf of Marcin Groszek 

Sent: Thursday, January 5, 2023 10:16 AM
To: users@lists.opensips.org 
Subject: Re: [OpenSIPS-Users] stir shaken verification


Joseph, Thank you very much for your response.


I have downloaded and applied the new sti-ca file but certificate validation fails.

INFO:stir_shaken:verify_callback: certificate validation failed: certificate signature failure
INFO:stir_shaken:w_stir_verify: Invalid certificate
DBG:core:comp_scriptvar: int 26 : -8 / 0
[1637] stir_shaken_verify() failed: 437, Unsupported Credential


Perhaps I am not processing the sti-ca file properly.


I am testing this with a valid token , in fact test calls are coming from major 
cellular carrier in US and the verification fails.

I can see curl download the public cert, storing it in local cache and then 
attempt to verify, but it fails.

Upon next call with same token, the public cert is pulled from local cache and 
still fails.




On 1/4/2023 7:37 PM, Joseph Jackson wrote:
Hi Marcin,

We have a process that downloads the CA list from iconectiv nightly,  decodes 
the jwt and stores the certs in a single file in /etc/ssl/sti-ca/sti-ca.pem

Here is the opensips modparam

#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")

This is on opensips v3.1.11



From: Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek <mar...@voipplus.net>
Sent: Wednesday, January 4, 2023 6:12 PM
To: users@lists.opensips.org
Subject: [OpenSIPS-Users] stir shaken verification


Opensips version 3.1.5

I am having some issues with stir_shaken setup. I am sure this is not an issue 
with the module, but me.

stir_shaken_auth works just fine and I am able to sign the calls, however I was 
unable to find any document how to use a ca file available for download at 
iconectiv/download-list as well as via API. They do come in as jwt file, but 
after little manipulation individual certificates can be extracted, and the 
first one is the root certificate; I think, and the rest are trusted STI-CA. I 
guess my question is how do I use this file or any other cert file as "ca_list" 
and/or "ca_dir" .

After weeks and hundreds of attempts I was unsuccessful, and I was unable to 
locate any document explaining preparation/setup/steps to setup verification.

All I get is :

ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_verify: Failed to load certificate
on INVITE with valid identity header.

When I remove or replace  "ca_list" file with something bogus opensips does not 
even start  with errors:

ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
ERROR:core:init_mod: failed to initialize module stir_shaken

I would really appreciate some guidance on this one.




___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


--
Best Regards:
Marcin Groszek
Business Phone Service
https://www.voipplus.net


sti-ca.pem
Description: sti-ca.pem


Re: [OpenSIPS-Users] stir shaken verification

2023-01-05 Thread Marcin Groszek

Joseph, Thank you very much for your response.


I have downloaded and applied the new sti-ca file but certificate validation 
fails.


INFO:stir_shaken:verify_callback: certificate validation failed: certificate signature failure
INFO:stir_shaken:w_stir_verify: Invalid certificate
DBG:core:comp_scriptvar: int 26 : -8 / 0
[1637] stir_shaken_verify() failed: 437, Unsupported Credential


Perhaps I am not processing the sti-ca file properly.


I am testing this with a valid token , in fact test calls are coming 
from major cellular carrier in US and the verification fails.


I can see curl download the public cert, storing it in local cache and 
then attempt to verify, but it fails.


Upon next call with same token, the public cert is pulled from local 
cache and still fails.





On 1/4/2023 7:37 PM, Joseph Jackson wrote:

Hi Marcin,

We have a process that downloads the CA list from iconectiv nightly, 
decodes the jwt and stores the certs in a single file in 
/etc/ssl/sti-ca/sti-ca.pem


Here is the opensips modparam

#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")

This is on opensips v3.1.11



*From:* Users  on behalf of Marcin 
Groszek 

*Sent:* Wednesday, January 4, 2023 6:12 PM
*To:* users@lists.opensips.org 
*Subject:* [OpenSIPS-Users] stir shaken verification

Opensips version 3.1.5

I am having some issues with stir_shaken setup. I am sure this is not an 
issue with the module, but me.


stir_shaken_auth works just fine and I am able to sign the calls, 
however I was unable to find any document how to use a ca file 
available for download at iconectiv/download-list as well as via API. 
They do come in as jwt file, but after little manipulation individual 
certificates can be extracted, and the first one is the root 
certificate; I think, and the rest are trusted STI-CA. I guess my 
question is how do I use this file or any other cert file as 
"ca_list" and/or "ca_dir" .


After weeks and hundreds of attempts I was unsuccessful, and I was unable 
to locate any document explaining preparation/setup/steps to setup 
verification.


All I get is :

ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_verify: Failed to load certificate
on INVITE with valid identity header.

When I remove or replace  "ca_list" file with something bogus opensips 
does not even start  with errors:


ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
ERROR:core:init_mod: failed to initialize module stir_shaken

I would really appreciate some guidance on this one.




--
Best Regards:
Marcin Groszek
Business Phone Service
https://www.voipplus.net



Re: [OpenSIPS-Users] stir shaken verification

2023-01-04 Thread Joseph Jackson
Hi Marcin,

We have a process that downloads the CA list from iconectiv nightly,  decodes 
the jwt and stores the certs in a single file in /etc/ssl/sti-ca/sti-ca.pem

Here is the opensips modparam

#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")

This is on opensips v3.1.11



From: Users  on behalf of Marcin Groszek 

Sent: Wednesday, January 4, 2023 6:12 PM
To: users@lists.opensips.org 
Subject: [OpenSIPS-Users] stir shaken verification


Opensips version 3.1.5

I am having some issues with stir_shaken setup. I am sure this is not an issue 
with the module, but me.

stir_shaken_auth works just fine and I am able to sign the calls, however I was 
unable to find any document how to use a ca file available for download at 
iconectiv/download-list as well as via API. They do come in as jwt file, but 
after little manipulation individual certificates can be extracted, and the 
first one is the root certificate; I think, and the rest are trusted STI-CA. I 
guess my question is how do I use this file or any other cert file as "ca_list" 
and/or "ca_dir" .

After weeks and hundreds of attempts I was unsuccessful, and I was unable to 
locate any document explaining preparation/setup/steps to setup verification.

All I get is :

ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_verify: Failed to load certificate
on INVITE with valid identity header.

When I remove or replace  "ca_list" file with something bogus opensips does not 
even start  with errors:

ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
ERROR:core:init_mod: failed to initialize module stir_shaken

I would really appreciate some guidance on this one.

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
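
The nightly job described in the message above (decode the downloaded JWT, write every certificate into the single file that "ca_list" points at) could look like the following. This is an added example, not code from the thread or from OpenSIPS: the "trustList" claim name, the entry encodings it accepts and all function names are assumptions, and the sample input is constructed.

```python
import base64
import json
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def jwt_payload(token):
    """Decode the claims of a compact JWS. The signature is NOT verified here;
    a production job must verify it before trusting the list."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def der_is_complete(der):
    """Structural check only: one DER SEQUENCE whose length field matches."""
    if len(der) < 4 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        hdr, length = 2, der[1]
    else:                                  # long-form length, n following bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)

def to_pem_blocks(entry):
    """Normalise one list entry (PEM, PEM with literal \\n, or bare base64 DER)."""
    text = entry.replace("\\n", "\n")
    bodies = PEM_RE.findall(text) or [text]
    blocks = []
    for body in bodies:
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der_is_complete(der):
            raise ValueError("truncated or non-DER certificate")
        blocks.append(ssl.DER_cert_to_PEM_cert(der))   # re-wrap at 64 columns
    return blocks

def build_ca_bundle(token, claim="trustList"):  # claim name is an assumption
    """Return (PEM bundle text, [(index, reason)] for rejected entries)."""
    bundle, rejected = [], []
    for i, entry in enumerate(jwt_payload(token)[claim]):
        try:
            bundle.extend(to_pem_blocks(entry))
        except ValueError as exc:          # binascii.Error is a ValueError subclass
            rejected.append((i, str(exc)))
    return "".join(bundle), rejected

def sample_token():
    """Constructed input: two placeholder DER blobs (not real CAs), one truncated."""
    der_a = b"\x30\x82\x01\x00" + b"\x01" * 256
    der_b = b"\x30\x82\x01\x00" + b"\x02" * 256
    entries = [ssl.DER_cert_to_PEM_cert(der_a),
               base64.b64encode(der_b).decode(),
               base64.b64encode(der_a[:-10]).decode()]
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "ES256"}), enc({"trustList": entries}), "c2ln"])

if __name__ == "__main__":
    pem, bad = build_ca_bundle(sample_token())
    print(pem.count("BEGIN CERTIFICATE"), "certificates kept; rejected:", bad)
```

The framing check catches the truncated or mis-encoded entries that would otherwise surface as a parse failure at load time; it does not replace a full X.509 parse of the resulting file.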


[OpenSIPS-Users] stir shaken verification

2023-01-04 Thread Marcin Groszek

Opensips version 3.1.5

I am having some issues with stir_shaken setup. I am sure this is not an 
issue with the module, but me.


stir_shaken_auth works just fine and I am able to sign the calls, 
however I was unable to find any document how to use a ca file available 
for download at iconectiv/download-list as well as via API. They do come 
in as jwt file, but after little manipulation individual certificates 
can be extracted, and the first one is the root certificate; I think, 
and the rest are trusted STI-CA. I guess my question is how do I use 
this file or any other cert file as "ca_list" and/or "ca_dir" .


After weeks and hundreds of attempts I was unsuccessful, and I was unable 
to locate any document explaining preparation/setup/steps to setup 
verification.


All I get is :

ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_verify: Failed to load certificate
on INVITE with valid identity header.

When I remove or replace  "ca_list" file with something bogus opensips 
does not even start  with errors:


ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
ERROR:core:init_mod: failed to initialize module stir_shaken

I would really appreciate some guidance on this one.




Re: [OpenSIPS-Users] Stir Shaken Verification issue

2022-05-02 Thread Vlad Patrascu

Hi Devang,

The URL in the info param has nothing to do with the verification itself.

I suspect you are somehow not using the proper certificate and/or CA, as 
the certificate generated by the script you mentioned should not be self 
signed, as the error indicates.


Regards,

--
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 25.04.2022 15:47, Devang Dhandhalya via Users wrote:

Hello All
I am testing STIR/SHAKEN calls using two servers.
Calls originating to the first server adding identity header and when 
sending calls to the second server for verification service at the 
time of verification service I am getting the below error.

error :437 , Unsupported Credential , Verification Fails with Return code :-8
INFO:stir_shaken:verify_callback: certificate validation failed: self signed certificate
INFO:stir_shaken:w_stir_verify: Invalid certificate

OpenSIPS Version : 3.2.2
I generate certificate using domain which mapped with those 2 server : 
https://github.com/OpenSIPIt/OpenSIPIt_00/blob/master/STIR_SHAKEN/Certgen/gencert.sh 

When the same server generates an identity header and verifies it at 
that time not getting an issue call is working fine but when the 
identity header generated by server 1 and going to verify it by server 
2 we get this above error.
Is it related to the URL which is in the info param ? When I open that 
URL in the browser I am able to see the certificate.

Please suggest a solution for this issue.
Regards
Devang Dhandhalya

*Disclaimer*
In addition to generic Disclaimer which you have agreed on our 
website, any views or opinions presented in this email are solely 
those of the originator and do not necessarily represent those of the 
Company or its sister concerns. Any liability (in negligence, contract 
or otherwise) arising from any third party taking any action, or 
refraining from taking any action on the basis of any of the 
information contained in this email is hereby excluded.


*Confidentiality*
This communication (including any attachment/s) is intended only for 
the use of the addressee(s) and contains information that is 
PRIVILEGED AND CONFIDENTIAL. Unauthorized reading, dissemination, 
distribution, or copying of this communication is prohibited. Please 
inform originator if you have received it in error.


*Caution for viruses, malware etc.*
This communication, including any attachments, may not be free of 
viruses, trojans, similar or new contaminants/malware, interceptions 
or interference, and may not be compatible with your systems. You 
shall carry out virus/malware scanning on your own before opening any 
attachment to this e-mail. The sender of this e-mail and Company 
including its sister concerns shall not be liable for any damage that 
may incur to you as a result of viruses, incompleteness of this 
message, a delay in receipt of this message or any other computer 
problems.




[OpenSIPS-Users] Stir Shaken Verification issue

2022-04-25 Thread Devang Dhandhalya via Users
Hello All

I am testing STIR/SHAKEN calls using two servers.
Calls originating to the first server adding identity header and when
sending calls to the second server for verification service at the time of
verification service I am getting the below error.

error :437 , Unsupported Credential , Verification Fails with Return code :-8
INFO:stir_shaken:verify_callback: certificate validation failed: self signed certificate
INFO:stir_shaken:w_stir_verify: Invalid certificate

OpenSIPS Version : 3.2.2
I generate certificate using domain which mapped with those 2 server :
https://github.com/OpenSIPIt/OpenSIPIt_00/blob/master/STIR_SHAKEN/Certgen/gencert.sh

When the same server generates an identity header and verifies it at that
time not getting an issue call is working fine but when the identity header
generated by server 1 and going to verify it by server 2 we get this above
error.
Is it related to the URL which is in the info param ? When I open that URL
in the browser I am able to see the certificate.

Please suggest a solution for this issue.

Regards
Devang Dhandhalya
