<div dir="ltr">Yep, It's working with 1.16.4<div>So the problem was with the pem ownership.</div><div>It's a pity secsipid.so doesn't return an access denied error.</div><div><br></div><div>CLI does return an error:</div><div><br></div><div>error: Unable to read private key file: open /etc/kamailio/ec256-private.pem: permission denied</div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Regards,</div><div><br></div>David Villasmil<div>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a></div><div>phone: +34669448337</div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 31, 2021 at 4:26 PM David Villasmil <<a href="mailto:david.villasmil.work@gmail.com">david.villasmil.work@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Daniel,<div><br></div><div>Ok, i downloaded and installed 1.11.6 just like yours and recompiled, etc.</div><div>I also changed the owner of the pem file, which was owned by root, and not by the user kamailio.</div><div><br></div><div>Now it's working.</div><div><br></div><div>d9655} &lt;script&gt;: [STIR/SHAKEN][157428d2-3cc7-123a-eaad-122eaa5d9655] secsipid_add_identity('493044448888', '493055559999', 'A', '', '<a href="http://asipto.lab/stir/cert.pem" target="_blank">http://asipto.lab/stir/cert.pem</a>', '/etc/kamailio/ec256-private.pem')<br>May 31 15:24:08 ip-10-231-32-237 /usr/local/kamailio5/sbin/kamailio[1920]: DEBUG: {1 36683532 INVITE 157428d2-3cc7-123a-eaad-122eaa5d9655} secsipid [secsipid_mod.c:333]: ki_secsipid_add_identity(): appending identity: 
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ3NDY0OCwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiI0YWU3NGE3My01N2Q3LTQzZWMtYjMyOS00NDdiMDg4OWVkYmMifQ.AyxAeNFuthcpJld8osJBj9QVxBnwK91zeo0tEusXrMNNrG2aW8N9Az255qf3UlOIDtm1MmQI_y3-Gz6u57OCQA;info=<<a href="http://asipto.lab/stir/cert.pem" target="_blank">http://asipto.lab/stir/cert.pem</a>>;alg=ES256;ppt=shaken<br></div><div><br></div><div>But now i'm left wondering whether it was the ownership of the file or the version.</div><div><br></div><div>So i will install again the latest and see what happens.</div><div><br></div><div><br clear="all"><div><div dir="ltr"><div dir="ltr"><div>Regards,</div><div><br></div>David Villasmil<div>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a></div><div>phone: +34669448337</div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 31, 2021 at 2:19 PM David Villasmil <<a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello Daniel,<div><br></div><div>Thanks for looking into this:</div><div><br></div><div># go version<br>go version go1.16.4 linux/amd64</div><div><br># openssl version<br>OpenSSL 1.1.1d 10 Sep 2019<br>root@sip-stir1:/home/admin#<br></div><div>i can try getting the same go version and see what happens.</div><div><br clear="all"><div><div dir="ltr"><div dir="ltr"><div>Regards,</div><div><br></div>David Villasmil<div>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a></div><div>phone: +34669448337</div></div></div></div><br></div></div><br><div 
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 31, 2021 at 2:15 PM Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello,</p>
<p>what are your operating system, golang and openssl versions?</p>
<p>I tried on Debian stable and I get the Identity header, see next:<br>
</p>
<p>OPTIONS <a>sip:alice@127.0.0.1</a> SIP/2.0<br>
Via: SIP/2.0/UDP
127.0.0.1;branch=z9hG4bK8eba.da1d50fc272715b1f6dfcd665d319b32.0<br>
Via: SIP/2.0/UDP
127.0.1.1:52897;received=127.0.0.1;branch=z9hG4bK.2d35a346;rport=56013;alias<br>
From: <a>sip:sipsak@127.0.1.1:52897;tag=219ec22d</a><br>
To: <a>sip:alice@127.0.0.1</a><br>
Call-ID: <a href="mailto:564052525@127.0.1.1" target="_blank">564052525@127.0.1.1</a><br>
CSeq: 1 OPTIONS<br>
Contact: <a>sip:sipsak@127.0.1.1:52897</a><br>
Content-Length: 0<br>
Max-Forwards: 69<br>
User-Agent: sipsak 0.9.7pre<br>
Accept: text/plain<br>
Identity:
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9hc2lwdG8ubGFiL3N0aXIvY2VydC5wZW0ifQ.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ2NjUyNSwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiJlOWI3Nzc1OC03ZmI3LTQ1ZWQtYWMwOS02MDlmOTM3NjFiOWQifQ.fnLenxEUk5qyKvY2xChbAPS-kvjiRmu8jKqEzlywFt0RnpDAK-ErUBjbR78aRjt66fJIFEdQ_dXvV-qRoxkWzA;info=<a href="https://asipto.lab/stir/cert.pem" target="_blank">&lt;https://asipto.lab/stir/cert.pem&gt;</a>;alg=ES256;ppt=shaken<br>
</p>
<p>The OPTIONS was generated with: sipsak -s <a>sip:alice@127.0.0.1</a><br>
</p>
    <p>In kamailio.cfg I have:</p>
    <p>    if(is_method("OPTIONS|INVITE")) {<br>
              secsipid_add_identity("493044448888", "493055559999", "A", "",<br>
                      <a href="https://asipto.lab/stir/cert.pem" target="_blank">"https://asipto.lab/stir/cert.pem"</a>,<br>
                      "/tmp/ec256-private.pem");<br>
          }<br>
    </p>
<p>Versions:<br>
</p>
<p>$ go version<br>
go version go1.11.6 linux/amd64</p>
<p>$ openssl version<br>
OpenSSL 1.1.1d 10 Sep 2019</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div>On 28.05.21 13:05, Daniel-Constantin
Mierla wrote:<br>
</div>
<blockquote type="cite">
<p>I will try to reproduce when I get the first chance these days,
maybe I broke something while I worked to propagate different
return codes for error cases.</p>
      <p>One more question for now: are you using the latest
        libsecsipid, built from the master/main branch of the secsipidx
        project?</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div>On 28.05.21 10:27, David Villasmil
wrote:<br>
</div>
<blockquote type="cite">
<div>Correct.</div>
<div dir="auto">That’s a log with debug 3, absolutely nothing is
coming out. :(</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 27 May 2021 at
20:54, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
                      <p>Same logs as before with the previous certificate?
                        Can you attach log messages with debug=3?<br>
</p>
<p>Cheers,<br>
Daniel<br>
</p>
</div>
<div>
<div>On 27.05.21 20:13, David Villasmil wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Yep i just tried that :)
<div><br>
</div>
<div>I don't get an error on the CLI:</div>
<div><br>
</div>
<div><font face="monospace"># secsipidx -sign-full
-orig-tn 493044448888 -dest-tn 493055559999
-attest A -x5u <a href="http://asipto.lab/stir/cert.pem" target="_blank">http://asipto.lab/stir/cert.pem</a>
-k ec256-private.pem<br>
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjEzOTE1Nywib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiIxOWE5OWY2ZS1mZWE5LTQyYmEtYmU2ZC1lNDZkNjZkMGIzNjcifQ.64Z_uNPA5frA20nqurHxOD8qLtuvcGeMxmx0ZhBmSWFoeEU53nHSmEWOsAJC5eiJLuIWfVI9HFhJIKyK6PMrcA;info=<<a href="http://asipto.lab/stir/cert.pem" target="_blank">http://asipto.lab/stir/cert.pem</a>>;alg=ES256;ppt=shaken</font><br>
</div>
<div><br>
</div>
<div>But still failing in kamailio...</div>
<div><br clear="all">
<div>
<div dir="ltr">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, May 27,
2021 at 7:09 PM Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello,</p>
<div>On 27.05.21 19:58, David Villasmil wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello guys,<br>
</div>
<div><br>
</div>
<div>I want to test secsipid, but i don't
yet have the certificate. So i thought i'd
create a cert like:</div>
<div><br>
</div>
<div>openssl req -new -newkey rsa:4096
-nodes -keyout snakeoil.key -out
snakeoil.csr<br>
openssl x509 -req -sha256 -days 365 -in
snakeoil.csr -signkey snakeoil.key -out
snakeoil.pem<br>
</div>
<div><br>
</div>
<div>Then i'm simply doing:</div>
<div><br>
</div>
<div><font face="monospace">$var(rc) =
secsipid_add_identity("$fU", "$rU", "A",
"", "<a href="https://kamailio.org/stir/$rd/cert.pem" target="_blank">https://somedomain.com/stir/$rd/cert.pem</a>",
"/etc/kamailio/snakeoil.pem");<br>
if ( $var(rc) ) {<br>
xlog("L_ERR", "[STIR/SHAKEN][$ci]
Shaken authentication added (SIP
Identity Header created)\n");<br>
} else {<br>
xlog("L_ERR", "[STIR/SHAKEN][$ci]
Failed\n");<br>
}</font><br>
</div>
<div><br>
</div>
<div>But no matter what i do it silently
fails:</div>
<div><br>
</div>
<div><font face="monospace">INVITE
d54c2919-39b6-123a-95a7-0e29a5289b8d}
                                  &lt;script&gt;:
[STIR/SHAKEN][d54c2919-39b6-123a-95a7-0e29a5289b8d]
Failed</font><br>
</div>
<div><br>
</div>
<div>I have debug on 6, but i don't get more
info regarding the error.</div>
<div><br>
</div>
<div>Any ideas?</div>
</div>
</blockquote>
<p>based on the specs, it should not be the
usual ssl/tls certificate, try to generate
them using the guidelines at:</p>
<p> * <a href="https://github.com/asipto/secsipidx#keys-generation" target="_blank">https://github.com/asipto/secsipidx#keys-generation</a></p>
<p>Cheers,<br>
Daniel<br>
</p>
<pre cols="72">--
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
* <a href="https://www.asipto.com/sw/kamailio-advanced-training-online/" target="_blank">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
-- <br>
<div dir="ltr">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
</blockquote></div>
</blockquote></div>
</blockquote></div>