Hi everyone. Wanting to see if someone could point me in the right direction. Still very new to Kamailio but I am beginning to understand it better. I'm making an outbound proxy and have everything working well besides stir/shaken. I'm looking at the module page and have gone back and forth with ChatGPT and can't seem to figure this part out. I keep getting errors on the modparam lines.
Obviously this is a self-signed cert because I'm just testing. I am able to reach and download the cert from the web server.
Thank you for any assistance.
    # SECSIPID for Stir/Shaken
    modparam("secsipid", "private_key", "/etc/kamailio/secsipid/private.key")
    modparam("secsipid", "certificate", "/etc/kamailio/secsipid/cert.crt")
    modparam("secsipid", "authority_cert", "/etc/kamailio/secsipid/ca.crt")
    modparam("secsipid", "expire", 600)
    modparam("secsipid", "timeout", 2)

    route[STIRSHAKEN] {
        if (is_method("INVITE")) {
            if (!secsipid_add_identity("$fU", "$rU", "A", "", "http://myIPaddress.com/stir_shaken_cert.crt", "/etc/kamailio/secsipid/private.key")) {
                xlog("L_ERR", "Failed to sign call with ID: $ci - From: $fU\n");
                send_reply("500", "Internal Server Error");
                exit;
            } else {
                xlog("L_INFO", "Successfully signed call with ID: $ci - From: $fU\n");
            }
        }
        # Relay the call after signing
        route(RELAY);
    }
What is the error you're getting?
Regards, Kaufman
> From: Blake Ivey via sr-users sr-users@lists.kamailio.org Sent: Thursday, June 20, 2024 3:14 PM To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Cc: Blake Ivey uga5324@gmail.com Subject: [SR-Users] SecSIPID Assistance
Sorry for the formatting:
    ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter <private_key> of type <1:string> not found in module <secsipid>
    kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't set module parameter
    kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't set module parameter
    kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter <key_path> of type <1:string> not found in module <secsipid>
> On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman bkaufman@bcmone.com wrote:
Except for `expire` and `timeout`, those parameters don't exist for secsipid - at least according to the module documentation: https://kamailio.org/docs/modules/stable/modules/secsipid
Regards, Kaufman
> From: Blake Ivey uga5324@gmail.com Sent: Thursday, June 20, 2024 3:39 PM To: Ben Kaufman bkaufman@bcmone.com Cc: sr-users@lists.kamailio.org Subject: Re: [SR-Users] SecSIPID Assistance
Hmm you are correct. I took it out and it started fine. So what exactly would I need for our outbound stirshaken?
Just secsipid_add_identity?
I guess I've been looking at this for too long today. Just lines and lines after a while.
> On Thu, Jun 20, 2024, 4:47 PM Ben Kaufman bkaufman@bcmone.com wrote:
This is what I do (I have a redirect server receive the INVITEs to be signed, I add the header and then do 302; the initiating server then adds it to the INVITE and sends the INVITE out):

    if ($rm=="INVITE") {
        # Sign with attestation "A"; the last two arguments are the x5u URL and the private key path
        $var(rc) = secsipid_add_identity("$(var(from){s.numeric})", "$(var(to){s.numeric})", "A", "", "https://pki.domain.com/stir-shaken-cert.pem", "/etc/kamailio/ec256-private.pem");
        if ( $var(rc) > 0 ) {
            # Apply the change so the new Identity header can be read back
            msg_apply_changes();
        } else {
            update_stat("stirshaken_create_identity_failed","+1");
            send_reply("503", "Service Unavailable - can not create Identity header");
            exit;
        }
        # Copy the Identity header into the redirect reply
        append_to_reply("Identity: $hdr(Identity)\r\n");
    }
    sl_send_reply("302", "Redirect");
    exit;
hope that helps
Regards,
David Villasmil email: david.villasmil.work@gmail.com
> On Thu, Jun 20, 2024 at 11:14 PM Blake Ivey via sr-users <sr-users@lists.kamailio.org> wrote:
Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Thanks for the replies. I think I am understanding it better now. My issue now is I am getting this error:
ERROR: {1 84911190 INVITE 9eea2bb8-aa08-123d-c0b5-5a8b7787aa29} secsipid [secsipid_mod.c:444]: ki_secsipid_add_identity_mode(): failed to get identity header body (-451)
-451 = SJWTRetErrFileRead which I assume is either the certificate or the private key. I am able to download the certificate using the URL so I guess the key? I have permissions on the key as 600 (-rw-------) and the user:group for it is kamailio.
It's still a self-signed cert but I generated it with the TNAuthList, etc. like a production certificate. I have stir/shaken working on a production machine but it uses libstirshaken and not secsipid.
Output of cert:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                35:a4:66:b0:ec:7b:3a:f2:e8:e4:fd:0d:f4:cc:56:f2:2c:0b:32:4d
            Signature Algorithm: ecdsa-with-SHA256
            Issuer: C = US, ST = ME, L = New York, O = Bobs Phone Company, CN = sip-test.mydomain.net
            Validity
                Not Before: Jun 21 00:03:27 2024 GMT
                Not After : Sep 24 00:03:27 2026 GMT
            Subject: C = US, ST = VA, L = Somewhere, O = "AcmeTelecom, Inc.", OU = VOIP, CN = SHAKEN
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:b8:3f:ac:45:14:65:05:1f:df:bd:f4:3c:e5:39:
                        33:66:c4:06:59:90:8a:05:be:76:c2:55:49:48:95:
                        62:3d:7f:25:20:77:d2:fa:4d:60:eb:d8:72:d9:a8:
                        a1:40:e0:51:ad:aa:d0:d3:4b:f1:03:4c:42:b6:d5:
                        01:0c:fb:48:b0
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:
                1.3.6.1.5.5.7.1.26:
                    0.....1001
                X509v3 Subject Key Identifier:
                    9C:54:1E:90:7E:5D:58:F3:52:81:2F:E0:13:D6:2D:C2:FE:AE:A9:FB
                X509v3 Authority Key Identifier:
                    84:95:50:31:A8:E6:FE:EC:76:C6:C5:1C:EB:79:E5:AC:A8:54:CD:1C
        Signature Algorithm: ecdsa-with-SHA256
        Signature Value:
            30:46:02:21:00:b0:24:88:8e:cf:27:88:d0:d2:9c:c5:6b:2b:
            d3:c0:88:b1:2f:a6:da:fe:5b:fe:c8:41:f6:02:34:e1:99:eb:
            69:02:21:00:9d:63:32:bc:0f:10:24:80:67:e3:c6:84:84:6d:
            c5:1a:d1:03:2b:19:34:34:34:51:a5:b6:64:9b:9f:db:eb:cb
> On Thu, Jun 20, 2024 at 5:33 PM David Villasmil <david.villasmil.work@gmail.com> wrote:
Disregard. It was my mistake. I had sp_key.pem in my kamailio config when it was actually sp-key.pem. Doh. Took me way too long to see my mistake but it is working now and adding the identity. Thanks for the help everyone!
> On Thu, Jun 20, 2024 at 8:43 PM Blake Ivey uga5324@gmail.com wrote:
Sorry to bring this back up, but I am struggling again and not sure what to do.
I am trying to use my actual private key and cert from Peering Hub and I keep getting:
SJWTRetErrPrvKeyInvalid = -151
I have done the following:
    openssl ec -in private.pem -check
    read EC key
    EC Key valid.
    writing EC key
openssl x509 -text -noout -in public.crt and it shows the cert information and it is valid.
I have kamailio:kamailio as the key/cert owners with chmod 640 permissions
Does it matter that my cert is using .crt and not .pem?
Any suggestions on what to do from here? This is working with libstirshaken but I am trying to migrate to secsipid.
Thanks for any assistance!
On Thu, Jun 20, 2024 at 9:33 PM Blake Ivey uga5324@gmail.com wrote:
Disregard. It was my mistake. I had sp_key.pem in my kamailio config when it was actually sp-key.pem. Doh. Took me way too long to see my mistake but it is working now and adding the identity. Thanks for the help everyone!
On Thu, Jun 20, 2024 at 8:43 PM Blake Ivey uga5324@gmail.com wrote:
Thanks for the replies. I think I am understanding it better now. My issue now is I am getting this error:
ERROR: {1 84911190 INVITE 9eea2bb8-aa08-123d-c0b5-5a8b7787aa29} secsipid [secsipid_mod.c:444]: ki_secsipid_add_identity_mode(): failed to get identity header body (-451)
-451 = SJWTRetErrFileRead which I assume is either the certificate or the private key. I am able to download the certificate using the URL so I guess the key? I have permissions on the key as 600 (-rw-------) and the user:group for it is kamailio.
It's still a self signed but I generated it with the TNAuthList, etc like a production certificate. I have stir/shaken working on s production machine but it uses libstirshaken and not secsipid.
Output of cert:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                35:a4:66:b0:ec:7b:3a:f2:e8:e4:fd:0d:f4:cc:56:f2:2c:0b:32:4d
            Signature Algorithm: ecdsa-with-SHA256
            Issuer: C = US, ST = ME, L = New York, O = Bobs Phone Company, CN = sip-test.mydomain.net
            Validity
                Not Before: Jun 21 00:03:27 2024 GMT
                Not After : Sep 24 00:03:27 2026 GMT
            Subject: C = US, ST = VA, L = Somewhere, O = "AcmeTelecom, Inc.", OU = VOIP, CN = SHAKEN
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:b8:3f:ac:45:14:65:05:1f:df:bd:f4:3c:e5:39:
                        33:66:c4:06:59:90:8a:05:be:76:c2:55:49:48:95:
                        62:3d:7f:25:20:77:d2:fa:4d:60:eb:d8:72:d9:a8:
                        a1:40:e0:51:ad:aa:d0:d3:4b:f1:03:4c:42:b6:d5:
                        01:0c:fb:48:b0
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:
                1.3.6.1.5.5.7.1.26:
                    0.....1001
                X509v3 Subject Key Identifier:
                    9C:54:1E:90:7E:5D:58:F3:52:81:2F:E0:13:D6:2D:C2:FE:AE:A9:FB
                X509v3 Authority Key Identifier:
                    84:95:50:31:A8:E6:FE:EC:76:C6:C5:1C:EB:79:E5:AC:A8:54:CD:1C
        Signature Algorithm: ecdsa-with-SHA256
        Signature Value:
            30:46:02:21:00:b0:24:88:8e:cf:27:88:d0:d2:9c:c5:6b:2b:
            d3:c0:88:b1:2f:a6:da:fe:5b:fe:c8:41:f6:02:34:e1:99:eb:
            69:02:21:00:9d:63:32:bc:0f:10:24:80:67:e3:c6:84:84:6d:
            c5:1a:d1:03:2b:19:34:34:34:51:a5:b6:64:9b:9f:db:eb:cb
On Thu, Jun 20, 2024 at 5:33 PM David Villasmil < david.villasmil.work@gmail.com> wrote:
This is what I do (I have a redirect server receive the INVITEs to be signed, I add the header and then do a 302; the initiating server then adds it to the INVITE and sends the INVITE out):

    if ($rm=="INVITE") {
        # args: origTN, destTN, attest, origID, x5u, keyPath
        $var(rc) = secsipid_add_identity("$(var(from){s.numeric})", "$(var(to){s.numeric})", "A", "", "https://pki.domain.com/stir-shaken-cert.pem", "/etc/kamailio/ec256-private.pem");

        if ( $var(rc) > 0 ) {
            msg_apply_changes();
        } else {
            update_stat("stirshaken_create_identity_failed","+1");
            send_reply("503", "Service Unavailable - can not create Identity header");
            exit;
        }

        append_to_reply("Identity: $hdr(Identity)\r\n");
    }
    sl_send_reply("302", "Redirect");
    exit;
hope that helps
Regards,
David Villasmil email: david.villasmil.work@gmail.com
On Thu, Jun 20, 2024 at 11:14 PM Blake Ivey via sr-users < sr-users@lists.kamailio.org> wrote:
Hmm you are correct. I took it out and it started fine. So what exactly would I need for our outbound stirshaken?
Just secsipid_add_identity?
I guess I've been looking at this for too long today. Just lines and lines after a while.
On Thu, Jun 20, 2024, 4:47 PM Ben Kaufman bkaufman@bcmone.com wrote:
Except for `expire` and `timeout`, those parameters don’t exist for secsipid - at least according to the module documentation: https://kamailio.org/docs/modules/stable/modules/secsipid
Regards,
Kaufman
*From:* Blake Ivey uga5324@gmail.com *Sent:* Thursday, June 20, 2024 3:39 PM *To:* Ben Kaufman bkaufman@bcmone.com *Cc:* sr-users@lists.kamailio.org *Subject:* Re: [SR-Users] SecSIPID Assistance
Sorry for the formatting:
    ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter <private_key> of type <1:string> not found in module <secsipid>
    kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't set module parameter
    kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't set module parameter
    kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter <key_path> of type <1:string> not found in module <secsipid>
On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman bkaufman@bcmone.com wrote:
What is the error you’re getting?
Regards,
Kaufman
*From:* Blake Ivey via sr-users sr-users@lists.kamailio.org *Sent:* Thursday, June 20, 2024 3:14 PM *To:* Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org> *Cc:* Blake Ivey uga5324@gmail.com *Subject:* [SR-Users] SecSIPID Assistance
Hi everyone. Wanting to see if someone could point me in the right direction. Still very new to Kamailio but I am beginning to understand it better. I'm making an outbound proxy and have everything working well besides stir/shaken. I'm looking at the module page and have gone back and forth with ChatGPT and can't seem to figure this part out. I keep getting errors on the modparam lines.
Obviously this is a self-signed cert because I'm just testing. I am able to reach and download the cert from the Web server.
Thank you for any assistance.
    # SECSIPID for Stir/Shaken
    modparam("secsipid", "private_key", "/etc/kamailio/secsipid/private.key")
    modparam("secsipid", "certificate", "/etc/kamailio/secsipid/cert.crt")
    modparam("secsipid", "authority_cert", "/etc/kamailio/secsipid/ca.crt")
    modparam("secsipid", "expire", 600)
    modparam("secsipid", "timeout", 2)

    route[STIRSHAKEN] {
        if (is_method("INVITE")) {
            if (!secsipid_add_identity("$fU", "$rU", "A", "", "http://myIPaddress.com/stir_shaken_cert.crt", "/etc/kamailio/secsipid/private.key")) {
                xlog("L_ERR", "Failed to sign call with ID: $ci - From: $fU\n");
                send_reply("500", "Internal Server Error");
                exit;
            } else {
                xlog("L_INFO", "Successfully signed call with ID: $ci - From: $fU\n");
            }
        }
        # Relay the call after signing
        route(RELAY);
    }
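The -451 (SJWTRetErrFileRead) failure in this thread came down to a key filename typo (sp_key.pem in the config, sp-key.pem on disk). As an added example, not code from the thread or from the Kamailio project, this shell pre-flight check pulls the keyPath argument out of each secsipid_add_identity() call in a config file and tests that the file exists, is readable and is owner-only. The function names, the sample paths and the pki.example.invalid URL are constructed, and it assumes each call sits on a single line.

```shell
# Added example: pre-flight check of secsipid_add_identity() key paths.
# Print the keyPath (last quoted argument) of every call in config file $1.
key_paths() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n 's/.*secsipid_add_identity(.*,[[:space:]]*"\([^"]*\)"[[:space:]]*).*/\1/p'
}

# Print a sibling of $1 whose name differs only in '_' versus '-', if any.
near_match() {
    want=$(basename "$1" | tr '_' '-')
    for f in "$(dirname "$1")"/*; do
        if [ -f "$f" ] && [ "$(basename "$f" | tr '_' '-')" = "$want" ]; then
            echo "$f"; return 0
        fi
    done
    return 1
}

# Report every key path in config $1; return 1 if any would fail to load.
# Run as the kamailio user so that -r reflects what the daemon can read.
preflight() {
    bad=0
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        if [ ! -e "$key" ]; then
            hint=$(near_match "$key") || hint=none
            echo "MISSING $key (did you mean: $hint)"; bad=1
        elif [ ! -r "$key" ]; then
            echo "UNREADABLE $key"; bad=1
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "LOOSE-PERMS $key"; bad=1
        else
            echo "OK $key"
        fi
    done <<EOF
$(key_paths "$1")
EOF
    return $bad
}
# Constructed sample: the config names sp_key.pem, the file is sp-key.pem.
demo() {
    d=$(mktemp -d)
    : > "$d/sp-key.pem"; chmod 600 "$d/sp-key.pem"
    cat > "$d/kamailio.cfg" <<EOF
if (!secsipid_add_identity("\$fU", "\$rU", "A", "", "https://pki.example.invalid/c.pem", "$d/sp_key.pem")) {
EOF
    preflight "$d/kamailio.cfg" && rc=0 || rc=$?
    rm -rf "$d"; return $rc
}
```

Call `preflight /etc/kamailio/kamailio.cfg` before restarting Kamailio; `demo` runs the same check against the constructed sample.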