<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>The lib and module are rather fresh, they improve base on
feedback.</p>
<p>The latest version of the lib should return different codes in
case of failures, being propagated by the functions in the
kamailio config. The codes can be found at:</p>
<p> *
<a class="moz-txt-link-freetext" href="https://github.com/asipto/secsipidx/blob/main/secsipid/secsipid.go#L32">https://github.com/asipto/secsipidx/blob/main/secsipid/secsipid.go#L32</a></p>
<p>If you have time, try it and report if works as expected.</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div class="moz-cite-prefix">On 31.05.21 17:35, David Villasmil
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFGRPVq871yfndHaQn6Ejq7P0T0VkYokg+nHvwjoji9LJPvcaQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Yep, It's working with 1.16.4
<div>So the problem was with the pem ownership.</div>
<div>It's a pity secsipid.so doesn't return an access denied
error.</div>
<div><br>
</div>
<div>CLI doesn return an error:</div>
<div><br>
</div>
<div>error: Unable to read private key file: open
/etc/kamailio/ec256-private.pem: permission denied</div>
<div><br clear="all">
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a
href="mailto:david.villasmil.work@gmail.com"
target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, May 31, 2021 at 4:26
PM David Villasmil <<a
href="mailto:david.villasmil.work@gmail.com"
moz-do-not-send="true">david.villasmil.work@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Daniel,
<div><br>
</div>
<div>Ok, i downloaded and installed 1.11.6 just like yours
and recompiled, etc.</div>
<div>I also changed the owner of the pem file, which was
owned by root, and not by the user kamailio.</div>
<div><br>
</div>
<div>Now it's working.</div>
<div><br>
</div>
<div>d9655} <script>:
[STIR/SHAKEN][157428d2-3cc7-123a-eaad-122eaa5d9655]
secsipid_add_identity('493044448888', '493055559999', 'A',
'', '<a href="http://asipto.lab/stir/cert.pem"
target="_blank" moz-do-not-send="true">http://asipto.lab/stir/cert.pem</a>',
'/etc/kamailio/ec256-private.pem')<br>
May 31 15:24:08 ip-10-231-32-237
/usr/local/kamailio5/sbin/kamailio[1920]: DEBUG: {1
36683532 INVITE 157428d2-3cc7-123a-eaad-122eaa5d9655}
secsipid [secsipid_mod.c:333]: ki_secsipid_add_identity():
appending identity:
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ3NDY0OCwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiI0YWU3NGE3My01N2Q3LTQzZWMtYjMyOS00NDdiMDg4OWVkYmMifQ.AyxAeNFuthcpJld8osJBj9QVxBnwK91zeo0tEusXrMNNrG2aW8N9Az255qf3UlOIDtm1MmQI_y3-Gz6u57OCQA;info=<<a
href="http://asipto.lab/stir/cert.pem" target="_blank"
moz-do-not-send="true">http://asipto.lab/stir/cert.pem</a>>;alg=ES256;ppt=shaken<br>
</div>
<div><br>
</div>
<div>But now i¡m left wondering whether it was the ownership
of the file or the version.</div>
<div><br>
</div>
<div>So i will install again the latest and see what
happens.</div>
<div><br>
</div>
<div><br clear="all">
<div>
<div dir="ltr">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a
href="mailto:david.villasmil.work@gmail.com"
target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, May 31, 2021 at
2:19 PM David Villasmil <<a
href="mailto:david.villasmil.work@gmail.com"
target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hello Daniel,
<div><br>
</div>
<div>Thanks for looking into this:</div>
<div><br>
</div>
<div># go version<br>
go version go1.16.4 linux/amd64</div>
<div><br>
# openssl version<br>
OpenSSL 1.1.1d 10 Sep 2019<br>
root@sip-stir1:/home/admin#<br>
</div>
<div>i can try getting the same go version and see what
happens.</div>
<div><br clear="all">
<div>
<div dir="ltr">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a
href="mailto:david.villasmil.work@gmail.com"
target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, May 31, 2021
at 2:15 PM Daniel-Constantin Mierla <<a
href="mailto:miconda@gmail.com" target="_blank"
moz-do-not-send="true">miconda@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello,</p>
<p>what are your operating system, golang and
openssl versions?</p>
<p>I tried on Debian stable and I get the Identity
header, see next:<br>
</p>
<p>OPTIONS <a moz-do-not-send="true">sip:alice@127.0.0.1</a>
SIP/2.0<br>
Via: SIP/2.0/UDP
127.0.0.1;branch=z9hG4bK8eba.da1d50fc272715b1f6dfcd665d319b32.0<br>
Via: SIP/2.0/UDP
127.0.1.1:52897;received=127.0.0.1;branch=z9hG4bK.2d35a346;rport=56013;alias<br>
From: <a moz-do-not-send="true">sip:sipsak@127.0.1.1:52897;tag=219ec22d</a><br>
To: <a moz-do-not-send="true">sip:alice@127.0.0.1</a><br>
Call-ID: <a href="mailto:564052525@127.0.1.1"
target="_blank" moz-do-not-send="true">564052525@127.0.1.1</a><br>
CSeq: 1 OPTIONS<br>
Contact: <a moz-do-not-send="true">sip:sipsak@127.0.1.1:52897</a><br>
Content-Length: 0<br>
Max-Forwards: 69<br>
User-Agent: sipsak 0.9.7pre<br>
Accept: text/plain<br>
Identity:
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9hc2lwdG8ubGFiL3N0aXIvY2VydC5wZW0ifQ.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ2NjUyNSwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiJlOWI3Nzc1OC03ZmI3LTQ1ZWQtYWMwOS02MDlmOTM3NjFiOWQifQ.fnLenxEUk5qyKvY2xChbAPS-kvjiRmu8jKqEzlywFt0RnpDAK-ErUBjbR78aRjt66fJIFEdQ_dXvV-qRoxkWzA;info=<a
href="https://asipto.lab/stir/cert.pem"
target="_blank" moz-do-not-send="true"><https://asipto.lab/stir/cert.pem></a>;alg=ES256;ppt=shaken<br>
</p>
<p>The OPTIONS was generated with: sipsak -s <a
moz-do-not-send="true">sip:alice@127.0.0.1</a><br>
</p>
<p>In kamaili.cfg I have:</p>
<p> if(is_method("OPTIONS|INVITE")) {<br>
secsipid_add_identity("493044448888",
"493055559999", "A", "",<br>
<a
href="https://asipto.lab/stir/cert.pem"
target="_blank" moz-do-not-send="true">"https://asipto.lab/stir/cert.pem"</a>,<br>
"/tmp/ec256-private.pem");<br>
</p>
<p>Versions:<br>
</p>
<p>$ go version<br>
go version go1.11.6 linux/amd64</p>
<p>$ openssl version<br>
OpenSSL 1.1.1d 10 Sep 2019</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div>On 28.05.21 13:05, Daniel-Constantin Mierla
wrote:<br>
</div>
<blockquote type="cite">
<p>I will try to reproduce when I get the first
chance these days, maybe I broke something while
I worked to propagate different return codes for
error cases.</p>
<p>One more question for now: are you using the
latest libsecsipid, build from the master/main
branch of the secsipidx project?</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div>On 28.05.21 10:27, David Villasmil wrote:<br>
</div>
<blockquote type="cite">
<div>Correct.</div>
<div dir="auto">That’s a log with debug 3,
absolutely nothing is coming out. :(</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 27
May 2021 at 20:54, Daniel-Constantin
Mierla <<a
href="mailto:miconda@gmail.com"
target="_blank" moz-do-not-send="true">miconda@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p>Same logs like with before with
previous certificate? Can you attach
log messages with debug=3?<br>
</p>
<p>Cheers,<br>
Daniel<br>
</p>
</div>
<div>
<div>On 27.05.21 20:13, David Villasmil
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Yep i just tried that
:)
<div><br>
</div>
<div>I don't get an error on the
CLI:</div>
<div><br>
</div>
<div><font face="monospace">#
secsipidx -sign-full -orig-tn
493044448888 -dest-tn
493055559999 -attest A -x5u <a
href="http://asipto.lab/stir/cert.pem" target="_blank"
moz-do-not-send="true">http://asipto.lab/stir/cert.pem</a>
-k ec256-private.pem<br>
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjEzOTE1Nywib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiIxOWE5OWY2ZS1mZWE5LTQyYmEtYmU2ZC1lNDZkNjZkMGIzNjcifQ.64Z_uNPA5frA20nqurHxOD8qLtuvcGeMxmx0ZhBmSWFoeEU53nHSmEWOsAJC5eiJLuIWfVI9HFhJIKyK6PMrcA;info=<<a
href="http://asipto.lab/stir/cert.pem" target="_blank"
moz-do-not-send="true">http://asipto.lab/stir/cert.pem</a>>;alg=ES256;ppt=shaken</font><br>
</div>
<div><br>
</div>
<div>But still failing in
kamailio...</div>
<div><br clear="all">
<div>
<div dir="ltr">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a
href="mailto:david.villasmil.work@gmail.com"
target="_blank"
moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On
Thu, May 27, 2021 at 7:09 PM
Daniel-Constantin Mierla <<a
href="mailto:miconda@gmail.com"
target="_blank"
moz-do-not-send="true">miconda@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello,</p>
<div>On 27.05.21 19:58, David
Villasmil wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello guys,<br>
</div>
<div><br>
</div>
<div>I want to test
secsipid, but i don't yet
have the certificate. So i
thought i'd create a cert
like:</div>
<div><br>
</div>
<div>openssl req -new
-newkey rsa:4096 -nodes
-keyout snakeoil.key -out
snakeoil.csr<br>
openssl x509 -req -sha256
-days 365 -in snakeoil.csr
-signkey snakeoil.key -out
snakeoil.pem<br>
</div>
<div><br>
</div>
<div>Then i'm simply doing:</div>
<div><br>
</div>
<div><font face="monospace">$var(rc)
=
secsipid_add_identity("$fU",
"$rU", "A", "", "<a
href="https://kamailio.org/stir/$rd/cert.pem"
target="_blank"
moz-do-not-send="true">https://somedomain.com/stir/$rd/cert.pem</a>",
"/etc/kamailio/snakeoil.pem");<br>
if ( $var(rc) ) {<br>
xlog("L_ERR",
"[STIR/SHAKEN][$ci]
Shaken authentication
added (SIP Identity
Header created)\n");<br>
} else {<br>
xlog("L_ERR",
"[STIR/SHAKEN][$ci]
Failed\n");<br>
}</font><br>
</div>
<div><br>
</div>
<div>But no matter what i do
it silently fails:</div>
<div><br>
</div>
<div><font face="monospace">INVITE
d54c2919-39b6-123a-95a7-0e29a5289b8d} <script>:
[STIR/SHAKEN][d54c2919-39b6-123a-95a7-0e29a5289b8d]
Failed</font><br>
</div>
<div><br>
</div>
<div>I have debug on 6, but
i don't get more info
regarding the error.</div>
<div><br>
</div>
<div>Any ideas?</div>
</div>
</blockquote>
<p>based on the specs, it should
not be the usual ssl/tls
certificate, try to generate
them using the guidelines at:</p>
<p> * <a
href="https://github.com/asipto/secsipidx#keys-generation"
target="_blank"
moz-do-not-send="true">https://github.com/asipto/secsipidx#keys-generation</a></p>
<p>Cheers,<br>
Daniel<br>
</p>
<pre cols="72">--
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
* <a href="https://www.asipto.com/sw/kamailio-advanced-training-online/" target="_blank" moz-do-not-send="true">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
</div>
</blockquote>
</div>
</blockquote>
<pre cols="72">--
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
* <a href="https://www.asipto.com/sw/kamailio-advanced-training-online/" target="_blank" moz-do-not-send="true">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
</div>
</blockquote>
</div>
</div>
-- <br>
<div dir="ltr">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a
href="mailto:david.villasmil.work@gmail.com"
target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
</blockquote>
<pre cols="72">--
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
* <a href="https://www.asipto.com/sw/kamailio-advanced-training-online/" target="_blank" moz-do-not-send="true">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
</blockquote>
<pre cols="72">--
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
* <a href="https://www.asipto.com/sw/kamailio-advanced-training-online/" target="_blank" moz-do-not-send="true">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
* <a class="moz-txt-link-freetext" href="https://www.asipto.com/sw/kamailio-advanced-training-online/">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
</body>
</html>