Hi, Alain!

You are actually right, it looks like the crl_list and ca_dir cannot be dynamic :(. Could you please open a feature request for this, so we can keep them right, perhaps change them to a tls_mgm domain?

Best regards,

Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com

On 7/28/23 16:45, Alain Bieuzent wrote:
Sorry, I wrote nonsense (again...).
In the French implementation of STIR/SHAKEN we must download certificate
updates every day (only for crl_list).
In the stir_shaken module documentation, there is no explanation of how to put
crl_list in the db.

Regards


On 28/07/2023 15:39, "Users on behalf of Alain Bieuzent" <[email protected] on behalf of [email protected]> wrote:


Hi Razvan,

I work on the same project as Mickael and we don't understand how the tls_mgm
can help us in this case.
In the French implementation of STIR/SHAKEN we must download certificate
updates every day (ca_list and crl_list).
How can these updates be considered in real time?

Regards


On 27/07/2023 12:38, "Users on behalf of Răzvan Crainea" <[email protected] on behalf of [email protected]> wrote:

Hi, Mickael!

The only way is to store certificates in the database and reload the tls_mgm
module (using tls_reload).

Best regards,

Răzvan Crainea
OpenSIPS Core Developer / SIPhub CTO
http://www.opensips-solutions.com / https://www.siphub.com

On 7/26/23 16:38, Mickael Hubert wrote:
Hi Razvan,
Another question about crl_list: when the CRL list changes, what is the best
way to reload this list in OpenSIPS memory? Restart it? Or another way?
I know the crl_list can change each day, so if I have to restart
opensips each day, it's not very practical.

thanks in advance

On Tue, 25 Jul 2023 at 14:47, Mickael Hubert <[email protected]> wrote:

Hi Razvan,
Thanks a lot.
I loaded the CRL for the CA and certs and opensips starts correctly ;)

Have a good day!

On Mon, 24 Jul 2023 at 16:07, Răzvan Crainea <[email protected]> wrote:

Hi, Mickael!

I don't have much experience with this, but a first search would point
to this [1] answer, which seems reasonable to me: you need to provide
the CRL of the entire path, not only of your intermediate cert. Did you
try that?

[1] https://stackoverflow.com/a/47398918

Best regards,

Răzvan Crainea
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 7/19/23 15:47, Mickael Hubert wrote:
Hi all,
I'm working on STIR and SHAKEN, and I want to include all revoked
certificates.
I have my list in DER format; I use this command to transform it
to PEM format:
openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem

There is no error, I can read the PEM format (crl.pem):
-----BEGIN X509 CRL-----
....
-----END X509 CRL-----

I configured opensips with this:
modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")

but I have an error:
Jul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate validation failed: unable to get certificate CRL
Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate

Can you tell me what exactly the correct format is, please?

Thanks in advance!
++

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
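Răzvan's advice above (supply the CRL of the entire path, not only the intermediate's) can be reproduced with plain OpenSSL. The script below is an added example, not code from the thread or from OpenSIPS: it builds a throwaway root/intermediate/leaf chain, issues one CRL per CA, and shows that chain-wide CRL checking rejects the leaf with "unable to get certificate CRL" when only the intermediate's CRL is supplied. That the stir_shaken module checks CRLs for every certificate on the path is an assumption taken from the thread, not verified here against the module source.

```sh
#!/bin/sh
# Added demo (not code from the thread or from OpenSIPS): build a constructed
# root -> intermediate -> leaf chain with one CRL per CA, then run OpenSSL's
# chain-wide CRL check on the leaf with (a) only the intermediate's CRL and
# (b) CRLs for the whole path. Needs only the openssl CLI (1.1.1 or newer).
set -eu

# verify_leaf <crl-pem>: exit 0 when leaf.pem verifies with CRL checking on
# every element of the chain; non-zero otherwise (openssl then reports
# "unable to get certificate CRL", the same error the thread shows)
verify_leaf() {
  openssl verify -crl_check_all -CAfile ca_list.pem -CRLfile "$1" leaf.pem >/dev/null 2>&1
}

setup_demo_pki() {
  WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
  # minimal req config so 'openssl req' does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root inter leaf; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$n.key" 2>/dev/null
  done
  openssl req -x509 -new -config req.cnf -key root.key -subj /CN=demo-root -days 2 \
    -addext basicConstraints=critical,CA:TRUE -out root.pem 2>/dev/null
  openssl req -new -config req.cnf -key inter.key -subj /CN=demo-inter -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
    -extfile ca.ext -out inter.pem 2>/dev/null
  openssl req -new -config req.cnf -key leaf.key -subj /CN=demo-leaf -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 2 \
    -out leaf.pem 2>/dev/null
  # one CRL per CA; 'openssl ca -gencrl' wants a tiny config and an (empty) cert database
  for ca in root inter; do
    printf '[ca]\ndefault_ca=d\n[d]\ndatabase=%s.idx\ncrlnumber=%s.num\ndefault_md=sha256\n' \
      "$ca" "$ca" > "$ca.cnf"
    : > "$ca.idx"; echo 01 > "$ca.num"
    openssl ca -config "$ca.cnf" -gencrl -crldays 1 -keyfile "$ca.key" -cert "$ca.pem" \
      -out "$ca.crl.pem" 2>/dev/null
  done
  cat root.pem inter.pem > ca_list.pem            # the trusted path (root + intermediate)
  cp inter.crl.pem crl_partial.pem                # CRL of the leaf's issuer only
  cat root.crl.pem inter.crl.pem > crl_full.pem   # CRLs for every CA on the path
}

setup_demo_pki
verify_leaf crl_partial.pem && echo "intermediate CRL only: accepted" || echo "intermediate CRL only: rejected"
verify_leaf crl_full.pem && echo "CRLs for the whole path: accepted" || echo "CRLs for the whole path: rejected"
```

Concatenating the PEM CRLs of every CA on the path into one file, as crl_full.pem does here, is the shape of list the thread's advice implies for crl_list; the intermediate-only file is the shape that produced the error in the original question.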
