The lib and module are rather fresh, they improve based on feedback.
The latest version of the lib should return different codes in case of
failures, being propagated by the functions in the kamailio config. The
codes can be found at:
*
If you have time, try it and report if it works as expected.
Cheers,
Daniel
On 31.05.21 17:35, David Villasmil wrote:
Yep, It's working with 1.16.4
So the problem was with the pem ownership.
It's a pity secsipid.so doesn't return an access denied error.
CLI does return an error:
error: Unable to read private key file: open /etc/kamailio/ec256-private.pem: permission denied
Regards,
David Villasmil
email: david.villasmil.work(a)gmail.com
phone: +34669448337
On Mon, May 31, 2021 at 4:26 PM David Villasmil <david.villasmil.work(a)gmail.com> wrote:
Daniel,
Ok, I downloaded and installed 1.11.6 just like yours and
recompiled, etc.
I also changed the owner of the pem file, which was owned by root,
and not by the user kamailio.
Now it's working.
d9655} <script>: [STIR/SHAKEN][157428d2-3cc7-123a-eaad-122eaa5d9655] secsipid_add_identity('493044448888', '493055559999', 'A', '', 'http://asipto.lab/stir/cert.pem', '/etc/kamailio/ec256-private.pem')
May 31 15:24:08 ip-10-231-32-237 /usr/local/kamailio5/sbin/kamailio[1920]: DEBUG: {1 36683532 INVITE 157428d2-3cc7-123a-eaad-122eaa5d9655} secsipid [secsipid_mod.c:333]: ki_secsipid_add_identity(): appending identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ3NDY0OCwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiI0YWU3NGE3My01N2Q3LTQzZWMtYjMyOS00NDdiMDg4OWVkYmMifQ.AyxAeNFuthcpJld8osJBj9QVxBnwK91zeo0tEusXrMNNrG2aW8N9Az255qf3UlOIDtm1MmQI_y3-Gz6u57OCQA;info=<http://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
But now I'm left wondering whether it was the ownership of the
file or the version.
So I will install again the latest and see what happens.
Regards,
David Villasmil
On Mon, May 31, 2021 at 2:19 PM David Villasmil <david.villasmil.work(a)gmail.com> wrote:
Hello Daniel,
Thanks for looking into this:
# go version
go version go1.16.4 linux/amd64
# openssl version
OpenSSL 1.1.1d 10 Sep 2019
root@sip-stir1:/home/admin#
I can try getting the same go version and see what happens.
Regards,
David Villasmil
On Mon, May 31, 2021 at 2:15 PM Daniel-Constantin Mierla <miconda(a)gmail.com> wrote:
Hello,
What are your operating system, golang and openssl versions?
I tried on Debian stable and I get the Identity header,
see next:
OPTIONS sip:alice@127.0.0.1 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1;branch=z9hG4bK8eba.da1d50fc272715b1f6dfcd665d319b32.0
Via: SIP/2.0/UDP 127.0.1.1:52897;received=127.0.0.1;branch=z9hG4bK.2d35a346;rport=56013;alias
From: sip:sipsak@127.0.1.1:52897;tag=219ec22d
To: sip:alice@127.0.0.1
Call-ID: 564052525@127.0.1.1
CSeq: 1 OPTIONS
Contact: sip:sipsak@127.0.1.1:52897
Content-Length: 0
Max-Forwards: 69
User-Agent: sipsak 0.9.7pre
Accept: text/plain
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9hc2lwdG8ubGFiL3N0aXIvY2VydC5wZW0ifQ.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ2NjUyNSwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiJlOWI3Nzc1OC03ZmI3LTQ1ZWQtYWMwOS02MDlmOTM3NjFiOWQifQ.fnLenxEUk5qyKvY2xChbAPS-kvjiRmu8jKqEzlywFt0RnpDAK-ErUBjbR78aRjt66fJIFEdQ_dXvV-qRoxkWzA;info=<https://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
The OPTIONS was generated with: sipsak -s sip:alice@127.0.0.1
In kamailio.cfg I have:
if(is_method("OPTIONS|INVITE")) {
    secsipid_add_identity("493044448888", "493055559999", "A", "",
        "https://asipto.lab/stir/cert.pem", "/tmp/ec256-private.pem");
}
Versions:
$ go version
go version go1.11.6 linux/amd64
$ openssl version
OpenSSL 1.1.1d 10 Sep 2019
Cheers,
Daniel
On 28.05.21 13:05, Daniel-Constantin Mierla wrote:
I will try to reproduce when I get the first chance these
days, maybe I broke something while I worked to propagate
different return codes for error cases.
One more question for now: are you using the latest
libsecsipid, built from the master/main branch of the
secsipidx project?
Cheers,
Daniel
On 28.05.21 10:27, David Villasmil wrote:
Correct.
That’s a log with debug 3, absolutely nothing is coming
out. :(
On Thu, 27 May 2021 at 20:54, Daniel-Constantin Mierla <miconda(a)gmail.com> wrote:
Same logs as before with the previous
certificate? Can you attach log messages with debug=3?
Cheers,
Daniel
On 27.05.21 20:13, David Villasmil wrote:
Yep, I just tried that :)
I don't get an error on the CLI:
# secsipidx -sign-full -orig-tn 493044448888 -dest-tn 493055559999 -attest A -x5u http://asipto.lab/stir/cert.pem -k ec256-private.pem
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjEzOTE1Nywib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiIxOWE5OWY2ZS1mZWE5LTQyYmEtYmU2ZC1lNDZkNjZkMGIzNjcifQ.64Z_uNPA5frA20nqurHxOD8qLtuvcGeMxmx0ZhBmSWFoeEU53nHSmEWOsAJC5eiJLuIWfVI9HFhJIKyK6PMrcA;info=<http://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
But still failing in kamailio...
Regards,
David Villasmil
On Thu, May 27, 2021 at 7:09 PM Daniel-Constantin Mierla <miconda(a)gmail.com> wrote:
Hello,
On 27.05.21 19:58, David Villasmil wrote:
> Hello guys,
>
> I want to test secsipid, but i don't yet have
> the certificate. So i thought i'd create a
> cert like:
>
> openssl req -new -newkey rsa:4096 -nodes -keyout snakeoil.key -out snakeoil.csr
> openssl x509 -req -sha256 -days 365 -in snakeoil.csr -signkey snakeoil.key -out snakeoil.pem
>
> Then i'm simply doing:
>
> $var(rc) = secsipid_add_identity("$fU", "$rU", "A", "",
>     "https://somedomain.com/stir/$rd/cert.pem",
>     "/etc/kamailio/snakeoil.pem");
> if ( $var(rc) ) {
>     xlog("L_ERR", "[STIR/SHAKEN][$ci] Shaken authentication added (SIP Identity Header created)\n");
> } else {
>     xlog("L_ERR", "[STIR/SHAKEN][$ci] Failed\n");
> }
>
> But no matter what i do it silently fails:
>
> INVITE d54c2919-39b6-123a-95a7-0e29a5289b8d} <script>: [STIR/SHAKEN][d54c2919-39b6-123a-95a7-0e29a5289b8d] Failed
>
> I have debug on 6, but i don't get more info
> regarding the error.
>
> Any ideas?
Based on the specs, it should not be the usual
ssl/tls certificate, try to generate them using
the guidelines at:
* https://github.com/asipto/secsipidx#keys-generation
Cheers,
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
* https://www.asipto.com/sw/kamailio-advanced-training-online/
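A preflight check for the two causes of silent signing failure that came up in this thread (a PEM that is not an EC P-256 private key, and a key file the kamailio user cannot read), as an added example that is not part of the original messages or of secsipidx. The function names are hypothetical, the P-256 test is an OID-search heuristic rather than a full ASN.1 parse, and the sample files are constructed placeholders, not real keys.

```python
import base64, os, re, stat, tempfile

# DER encoding of the prime256v1 (P-256) curve OID 1.2.840.10045.3.1.7
P256_OID = bytes.fromhex("06082a8648ce3d030107")
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def readable_by(st, uid, gids=()):
    """Evaluate owner/group/other read bits as the kernel does for a non-root uid."""
    bit = (stat.S_IRUSR if st.st_uid == uid else
           stat.S_IRGRP if st.st_gid in gids else stat.S_IROTH)
    return bool(st.st_mode & bit)

def has_p256(b64_body):
    """True if the decoded block carries the P-256 OID (heuristic, not a full parse)."""
    try:
        return P256_OID in base64.b64decode("".join(b64_body.split()))
    except ValueError:
        return False

def key_problems(path, uid, gids=()):
    """List reasons the service user `uid` cannot ES256-sign with the file at `path`."""
    st, problems = os.stat(path), []
    if not readable_by(st, uid, gids):
        problems.append("not readable by service user")
    if st.st_mode & stat.S_IROTH:
        problems.append("private key is world-readable")
    with open(path, errors="replace") as fh:  # the checker itself must be able to read it
        blocks = PEM_RE.findall(fh.read())
    keys = [body for label, body in blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block, found: %s" % [l for l, _ in blocks])
    elif not has_p256(keys[0]):
        problems.append("not an unencrypted P-256 private key")
    return problems

def demo():
    """Constructed samples (placeholder bytes, not real keys), each written mode 0600."""
    samples = {"ec": ("EC PRIVATE KEY", b"\x30\x10" + P256_OID),
               "cert": ("CERTIFICATE", b"\x30\x03\x02\x01\x00")}
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (label, der) in samples.items():
            path = os.path.join(d, name + ".pem")
            with open(path, "w") as fh:
                fh.write("-----BEGIN %s-----\n%s\n-----END %s-----\n"
                         % (label, base64.b64encode(der).decode(), label))
            os.chmod(path, 0o600)
            owner = os.stat(path).st_uid
            out[name] = (key_problems(path, owner), key_problems(path, owner + 1))
    return out
```

On a real host, pass the uid and group ids of the account Kamailio runs as (for instance from `pwd.getpwnam` and `os.getgrouplist`) together with the key path given to `secsipid_add_identity`. An empty list means the file is an owner-readable, non-world-readable P-256 key.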