20 Jun
2024
20 Jun
'24
4:14 p.m.
Hi everyone. Wanting to see if someone could point me in the right
direction. Still very knew to Kamailio but I am beginning to understand it
better. I'm making an outbound proxy and have everything working well
besides stir/shaken. I'm looking at the module page and have went back and
forth with chatGPT and can't seem to figure this part out. I keep getting
errors on the modparam lines.
Obviously this is a self signed cert because I'm just testing. I am able to
reach and download the cert from the Web server.
Thank you for any assistance.
# SECSIPID for Stir/Shaken
modparam("secsipid", "private_key",
"/etc/kamailio/secsipid/private.key")
modparam("secsipid", "certificate",
"/etc/kamailio/secsipid/cert.crt")
modparam("secsipid", "authority_cert",
"/etc/kamailio/secsipid/ca.crt")
modparam("secsipid", "expire", 600) modparam("secsipid",
"timeout", 2)
route[STIRSHAKEN] {
if (is_method("INVITE")) {
if (!secsipid_add_identity("$fU", "$rU", "A",
"", "
http://myIPaddress.com/stir_shaken_cert.crt
<http://myipaddress.com/stir_shaken_cert.crt>",
"/etc/kamailio/secsipid/private.key")) {
xlog("L_ERR", "Failed to sign call with ID: $ci - From:
$fU\n");
send_reply("500", "Internal Server Error");
exit;
} else {
xlog("L_INFO", "Successfully signed call with ID: $ci - From:
$fU\n");
}
}
# Relay the call after signing
route(RELAY);
}
20 Jun
20 Jun
4:31 p.m.
What is the error you're getting?
Regards,
Kaufman
From: Blake Ivey via sr-users <sr-users(a)lists.kamailio.org>
Sent: Thursday, June 20, 2024 3:14 PM
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Cc: Blake Ivey <uga5324(a)gmail.com>
Subject: [SR-Users] SecSIPID Assistance
CAUTION: This email originated from outside the organization. Do not click links or open
attachments unless you recognize the sender and know the content is safe.
Hi everyone. Wanting to see if someone could point me in the right direction. Still very
knew to Kamailio but I am beginning to understand it better. I'm making an outbound
proxy and have everything working well besides stir/shaken. I'm looking at the module
page and have went back and forth with chatGPT and can't seem to figure this part out.
I keep getting errors on the modparam lines.
Obviously this is a self signed cert because I'm just testing. I am able to reach and
download the cert from the Web server.
Thank you for any assistance.
# SECSIPID for Stir/Shaken
modparam("secsipid", "private_key",
"/etc/kamailio/secsipid/private.key")
modparam("secsipid", "certificate",
"/etc/kamailio/secsipid/cert.crt")
modparam("secsipid", "authority_cert",
"/etc/kamailio/secsipid/ca.crt")
modparam("secsipid", "expire", 600) modparam("secsipid",
"timeout", 2)
route[STIRSHAKEN] {
if (is_method("INVITE")) {
if (!secsipid_add_identity("$fU", "$rU", "A",
"",
"http://myIPaddress.com/stir_shaken_cert.crt<http://myipaddress.com/stir_shaken_cert.crt>",
"/etc/kamailio/secsipid/private.key")) {
xlog("L_ERR", "Failed to sign call with ID: $ci - From:
$fU\n");
send_reply("500", "Internal Server Error");
exit;
} else {
xlog("L_INFO", "Successfully signed call with ID: $ci - From:
$fU\n");
}
}
# Relay the call after signing
route(RELAY);
}
4:38 p.m.
Sorry for the formatting:
ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter
<private_key> of type <1:string> not found in module <secsipid>
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in
config file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't set
module parameter
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in
config file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't set
module parameter
kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex():
parameter <key_path> of type <1:string> not found in module <secsipid>
On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
What is the error you’re getting?
Regards,
Kaufman
*From:* Blake Ivey via sr-users <sr-users(a)lists.kamailio.org>
*Sent:* Thursday, June 20, 2024 3:14 PM
*To:* Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
*Cc:* Blake Ivey <uga5324(a)gmail.com>
*Subject:* [SR-Users] SecSIPID Assistance
*CAUTION:* This email originated from outside the organization. *Do not
click links or open attachments* unless you recognize the sender and know
the content is safe.
Hi everyone. Wanting to see if someone could point me in the right
direction. Still very knew to Kamailio but I am beginning to understand it
better. I'm making an outbound proxy and have everything working well
besides stir/shaken. I'm looking at the module page and have went back and
forth with chatGPT and can't seem to figure this part out. I keep getting
errors on the modparam lines.
Obviously this is a self signed cert because I'm just testing. I am able
to reach and download the cert from the Web server.
Thank you for any assistance.
# SECSIPID for Stir/Shaken
modparam("secsipid", "private_key",
"/etc/kamailio/secsipid/private.key")
modparam("secsipid", "certificate",
"/etc/kamailio/secsipid/cert.crt")
modparam("secsipid", "authority_cert",
"/etc/kamailio/secsipid/ca.crt")
modparam("secsipid", "expire", 600) modparam("secsipid",
"timeout", 2)
route[STIRSHAKEN] {
if (is_method("INVITE")) {
if (!secsipid_add_identity("$fU", "$rU", "A",
"", "
http://myIPaddress.com/stir_shaken_cert.crt
<http://myipaddress.com/stir_shaken_cert.crt>",
"/etc/kamailio/secsipid/private.key")) {
xlog("L_ERR", "Failed to sign call with ID: $ci - From:
$fU\n");
send_reply("500", "Internal Server Error");
exit;
} else {
xlog("L_INFO", "Successfully signed call with ID: $ci - From:
$fU\n");
}
}
# Relay the call after signing
route(RELAY);
}
4:47 p.m.
Except for `expire` and `timeout`, those parameters don't exist for secsip id- at
least according to the module documentation:
https://kamailio.org/docs/modules/stable/modules/secsipid
Regards,
Kaufman
From: Blake Ivey <uga5324(a)gmail.com>
Sent: Thursday, June 20, 2024 3:39 PM
To: Ben Kaufman <bkaufman(a)bcmone.com>
Cc: sr-users(a)lists.kamailio.org
Subject: Re: [SR-Users] SecSIPID Assistance
CAUTION: This email originated from outside the organization. Do not click links or open
attachments unless you recognize the sender and know the content is safe.
Sorry for the formatting:
ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter
<private_key> of type <1:string> not found in module <secsipid>
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in config
file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't set module parameter
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in config
file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't set module parameter
kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter
<key_path> of type <1:string> not found in module <secsipid>
On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman
<bkaufman@bcmone.com<mailto:bkaufman@bcmone.com>> wrote:
What is the error you're getting?
Regards,
Kaufman
From: Blake Ivey via sr-users
<sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org>>
Sent: Thursday, June 20, 2024 3:14 PM
To: Kamailio (SER) - Users Mailing List
<sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org>>
Cc: Blake Ivey <uga5324@gmail.com<mailto:uga5324@gmail.com>>
Subject: [SR-Users] SecSIPID Assistance
CAUTION: This email originated from outside the organization. Do not click links or open
attachments unless you recognize the sender and know the content is safe.
Hi everyone. Wanting to see if someone could point me in the right direction. Still very
knew to Kamailio but I am beginning to understand it better. I'm making an outbound
proxy and have everything working well besides stir/shaken. I'm looking at the module
page and have went back and forth with chatGPT and can't seem to figure this part out.
I keep getting errors on the modparam lines.
Obviously this is a self signed cert because I'm just testing. I am able to reach and
download the cert from the Web server.
Thank you for any assistance.
# SECSIPID for Stir/Shaken
modparam("secsipid", "private_key",
"/etc/kamailio/secsipid/private.key")
modparam("secsipid", "certificate",
"/etc/kamailio/secsipid/cert.crt")
modparam("secsipid", "authority_cert",
"/etc/kamailio/secsipid/ca.crt")
modparam("secsipid", "expire", 600) modparam("secsipid",
"timeout", 2)
route[STIRSHAKEN] {
if (is_method("INVITE")) {
if (!secsipid_add_identity("$fU", "$rU", "A",
"",
"http://myIPaddress.com/stir_shaken_cert.crt<http://myipaddress.com/stir_shaken_cert.crt>",
"/etc/kamailio/secsipid/private.key")) {
xlog("L_ERR", "Failed to sign call with ID: $ci - From:
$fU\n");
send_reply("500", "Internal Server Error");
exit;
} else {
xlog("L_INFO", "Successfully signed call with ID: $ci - From:
$fU\n");
}
}
# Relay the call after signing
route(RELAY);
}
4:58 p.m.
Hmm you are correct. I took it out and it started fine. So what exactly
would I need for our outbound stirshaken?
Just secsipid_add_identity?
I guess I've been looking at this for too long today. Just lines and lines
after a while.
On Thu, Jun 20, 2024, 4:47 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
Except for `expire` and `timeout`, those parameters
don’t exist for secsip
id- at least according to the module documentation:
https://kamailio.org/docs/modules/stable/modules/secsipid
Regards,
Kaufman
*From:* Blake Ivey <uga5324(a)gmail.com>
*Sent:* Thursday, June 20, 2024 3:39 PM
*To:* Ben Kaufman <bkaufman(a)bcmone.com>
*Cc:* sr-users(a)lists.kamailio.org
*Subject:* Re: [SR-Users] SecSIPID Assistance
*CAUTION:* This email originated from outside the organization. *Do not
click links or open attachments* unless you recognize the sender and know
the content is safe.
Sorry for the formatting:
ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter
<private_key> of type <1:string> not found in module <secsipid>
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in
config file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't set
module parameter
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in
config file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't set
module parameter
kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex():
parameter <key_path> of type <1:string> not found in module <secsipid>
On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
What is the error you’re getting?
Regards,
Kaufman
*From:* Blake Ivey via sr-users <sr-users(a)lists.kamailio.org>
*Sent:* Thursday, June 20, 2024 3:14 PM
*To:* Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
*Cc:* Blake Ivey <uga5324(a)gmail.com>
*Subject:* [SR-Users] SecSIPID Assistance
*CAUTION:* This email originated from outside the organization. *Do not
click links or open attachments* unless you recognize the sender and know
the content is safe.
Hi everyone. Wanting to see if someone could point me in the right
direction. Still very knew to Kamailio but I am beginning to understand it
better. I'm making an outbound proxy and have everything working well
besides stir/shaken. I'm looking at the module page and have went back and
forth with chatGPT and can't seem to figure this part out. I keep getting
errors on the modparam lines.
Obviously this is a self signed cert because I'm just testing. I am able
to reach and download the cert from the Web server.
Thank you for any assistance.
# SECSIPID for Stir/Shaken
modparam("secsipid", "private_key",
"/etc/kamailio/secsipid/private.key")
modparam("secsipid", "certificate",
"/etc/kamailio/secsipid/cert.crt")
modparam("secsipid", "authority_cert",
"/etc/kamailio/secsipid/ca.crt")
modparam("secsipid", "expire", 600) modparam("secsipid",
"timeout", 2)
route[STIRSHAKEN] {
if (is_method("INVITE")) {
if (!secsipid_add_identity("$fU", "$rU", "A",
"", "
http://myIPaddress.com/stir_shaken_cert.crt
<http://myipaddress.com/stir_shaken_cert.crt>",
"/etc/kamailio/secsipid/private.key")) {
xlog("L_ERR", "Failed to sign call with ID: $ci - From:
$fU\n");
send_reply("500", "Internal Server Error");
exit;
} else {
xlog("L_INFO", "Successfully signed call with ID: $ci - From:
$fU\n");
}
}
# Relay the call after signing
route(RELAY);
}
5:32 p.m.
this is what i do (i have a redirect server receive the INVITEs to be
signed, I add the header and then do 302, the initiating server then add it
to the INVITE and sends the invite out:
if ($rm=="INVITE") {
$var(rc) = secsipid_add_identity("$(var(from){s.numeric})",
"$(var(to){s.numeric})", "A", "", "
https://pki.domain.com/stir-shaken-cert.pem"quot;,
"/etc/kamailio/ec256-private.pem");
if ( $var(rc) > 0 ) {
msg_apply_changes();
} else {
update_stat("stirshaken_create_identity_failed","+1");
send_reply("503", "Service Unavailable - can not create Identity
header");
exit;
}
append_to_reply("Identity: $hdr(Identity)\r\n");
}
sl_send_reply("302", "Redirect");
exit;
hope that helps
Regards,
David Villasmil
email: david.villasmil.work(a)gmail.com
On Thu, Jun 20, 2024 at 11:14 PM Blake Ivey via sr-users <
sr-users(a)lists.kamailio.org> wrote:
Hmm you are correct. I took it out and it started
fine. So what exactly
would I need for our outbound stirshaken?
Just secsipid_add_identity?
I guess I've been looking at this for too long today. Just lines and lines
after a while.
On Thu, Jun 20, 2024, 4:47 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
Except for `expire` and `timeout`, those
parameters don’t exist for
secsip id- at least according to the module documentation:
https://kamailio.org/docs/modules/stable/modules/secsipid
Regards,
Kaufman
*From:* Blake Ivey <uga5324(a)gmail.com>
*Sent:* Thursday, June 20, 2024 3:39 PM
*To:* Ben Kaufman <bkaufman(a)bcmone.com>
*Cc:* sr-users(a)lists.kamailio.org
*Subject:* Re: [SR-Users] SecSIPID Assistance
*CAUTION:* This email originated from outside the organization. *Do not
click links or open attachments* unless you recognize the sender and
know the content is safe.
Sorry for the formatting:
ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter
<private_key> of type <1:string> not found in module <secsipid>
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error
in config file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't set
module parameter
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error
in config file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't set
module parameter
kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex():
parameter <key_path> of type <1:string> not found in module <secsipid>
On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
What is the error you’re getting?
Regards,
Kaufman
*From:* Blake Ivey via sr-users <sr-users(a)lists.kamailio.org>
*Sent:* Thursday, June 20, 2024 3:14 PM
*To:* Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
*Cc:* Blake Ivey <uga5324(a)gmail.com>
*Subject:* [SR-Users] SecSIPID Assistance
*CAUTION:* This email originated from outside the organization. *Do not
click links or open attachments* unless you recognize the sender and
know the content is safe.
Hi everyone. Wanting to see if someone could point me in the right
direction. Still very knew to Kamailio but I am beginning to understand it
better. I'm making an outbound proxy and have everything working well
besides stir/shaken. I'm looking at the module page and have went back and
forth with chatGPT and can't seem to figure this part out. I keep getting
errors on the modparam lines.
Obviously this is a self signed cert because I'm just testing. I am able
to reach and download the cert from the Web server.
Thank you for any assistance.
# SECSIPID for Stir/Shaken
modparam("secsipid", "private_key",
"/etc/kamailio/secsipid/private.key")
modparam("secsipid", "certificate",
"/etc/kamailio/secsipid/cert.crt")
modparam("secsipid", "authority_cert",
"/etc/kamailio/secsipid/ca.crt")
modparam("secsipid", "expire", 600) modparam("secsipid",
"timeout", 2)
route[STIRSHAKEN] {
if (is_method("INVITE")) {
if (!secsipid_add_identity("$fU", "$rU", "A",
"", "
http://myIPaddress.com/stir_shaken_cert.crt
<http://myipaddress.com/stir_shaken_cert.crt>",
"/etc/kamailio/secsipid/private.key")) {
xlog("L_ERR", "Failed to sign call with ID: $ci - From:
$fU\n");
send_reply("500", "Internal Server Error");
exit;
} else {
xlog("L_INFO", "Successfully signed call with ID: $ci - From:
$fU\n");
}
}
# Relay the call after signing
route(RELAY);
}
__________________________________________________________
Kamailio - Users
Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
8:43 p.m.
Thanks for the replies. I think I am understanding it better now. My issue
now is I am getting this error:
ERROR: {1 84911190 INVITE 9eea2bb8-aa08-123d-c0b5-5a8b7787aa29} secsipid
[secsipid_mod.c:444]: ki_secsipid_add_identity_mode(): failed to get
identity header body (-451)
-451 = SJWTRetErrFileRead which I assume is either the certificate or the
private key. I am able to download the certificate using the URL so I guess
the key? I have permissions on the key as 600 (-rw-------) and the
user:group for it is kamailio.
It's still a self signed but I generated it with the TNAuthList, etc like a
production certificate. I have stir/shaken working on s production machine
but it uses libstirshaken and not secsipid.
Output of cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
35:a4:66:b0:ec:7b:3a:f2:e8:e4:fd:0d:f4:cc:56:f2:2c:0b:32:4d
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = ME, L = New York, O = Bobs Phone Company, CN =
sip-test.mydomain.net
Validity
Not Before: Jun 21 00:03:27 2024 GMT
Not After : Sep 24 00:03:27 2026 GMT
Subject: C = US, ST = VA, L = Somewhere, O = "AcmeTelecom, Inc.",
OU = VOIP, CN = SHAKEN
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b8:3f:ac:45:14:65:05:1f:df:bd:f4:3c:e5:39:
33:66:c4:06:59:90:8a:05:be:76:c2:55:49:48:95:
62:3d:7f:25:20:77:d2:fa:4d:60:eb:d8:72:d9:a8:
a1:40:e0:51:ad:aa:d0:d3:4b:f1:03:4c:42:b6:d5:
01:0c:fb:48:b0
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
1.3.6.1.5.5.7.1.26:
0.....1001
X509v3 Subject Key Identifier:
9C:54:1E:90:7E:5D:58:F3:52:81:2F:E0:13:D6:2D:C2:FE:AE:A9:FB
X509v3 Authority Key Identifier:
84:95:50:31:A8:E6:FE:EC:76:C6:C5:1C:EB:79:E5:AC:A8:54:CD:1C
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:46:02:21:00:b0:24:88:8e:cf:27:88:d0:d2:9c:c5:6b:2b:
d3:c0:88:b1:2f:a6:da:fe:5b:fe:c8:41:f6:02:34:e1:99:eb:
69:02:21:00:9d:63:32:bc:0f:10:24:80:67:e3:c6:84:84:6d:
c5:1a:d1:03:2b:19:34:34:34:51:a5:b6:64:9b:9f:db:eb:cb
On Thu, Jun 20, 2024 at 5:33 PM David Villasmil <
david.villasmil.work(a)gmail.com> wrote:
this is what i do (i have a redirect server receive
the INVITEs to be
signed, I add the header and then do 302, the initiating server then add it
to the INVITE and sends the invite out:
if ($rm=="INVITE") {
$var(rc) = secsipid_add_identity("$(var(from){s.numeric})",
"$(var(to){s.numeric})", "A", "", "
https://pki.domain.com/stir-shaken-cert.pem"quot;,
"/etc/kamailio/ec256-private.pem");
if ( $var(rc) > 0 ) {
msg_apply_changes();
} else {
update_stat("stirshaken_create_identity_failed","+1");
send_reply("503", "Service Unavailable - can not create Identity
header");
exit;
}
append_to_reply("Identity: $hdr(Identity)\r\n");
}
sl_send_reply("302", "Redirect");
exit;
hope that helps
Regards,
David Villasmil
email: david.villasmil.work(a)gmail.com
On Thu, Jun 20, 2024 at 11:14 PM Blake Ivey via sr-users <
sr-users(a)lists.kamailio.org> wrote:
Hmm you are correct. I took it out and it started
fine. So what exactly
would I need for our outbound stirshaken?
Just secsipid_add_identity?
I guess I've been looking at this for too long today. Just lines and
lines after a while.
On Thu, Jun 20, 2024, 4:47 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
Except for `expire` and `timeout`, those
parameters don’t exist for
secsip id- at least according to the module documentation:
https://kamailio.org/docs/modules/stable/modules/secsipid
Regards,
Kaufman
*From:* Blake Ivey <uga5324(a)gmail.com>
*Sent:* Thursday, June 20, 2024 3:39 PM
*To:* Ben Kaufman <bkaufman(a)bcmone.com>
*Cc:* sr-users(a)lists.kamailio.org
*Subject:* Re: [SR-Users] SecSIPID Assistance
*CAUTION:* This email originated from outside the organization. *Do not
click links or open attachments* unless you recognize the sender and
know the content is safe.
Sorry for the formatting:
ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter
<private_key> of type <1:string> not found in module <secsipid>
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error
in config file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't set
module parameter
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error
in config file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't set
module parameter
kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex():
parameter <key_path> of type <1:string> not found in module <secsipid>
On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
What is the error you’re getting?
Regards,
Kaufman
*From:* Blake Ivey via sr-users <sr-users(a)lists.kamailio.org>
*Sent:* Thursday, June 20, 2024 3:14 PM
*To:* Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
*Cc:* Blake Ivey <uga5324(a)gmail.com>
*Subject:* [SR-Users] SecSIPID Assistance
*CAUTION:* This email originated from outside the organization. *Do not
click links or open attachments* unless you recognize the sender and
know the content is safe.
Hi everyone. Wanting to see if someone could point me in the right
direction. Still very knew to Kamailio but I am beginning to understand it
better. I'm making an outbound proxy and have everything working well
besides stir/shaken. I'm looking at the module page and have went back and
forth with chatGPT and can't seem to figure this part out. I keep getting
errors on the modparam lines.
Obviously this is a self signed cert because I'm just testing. I am able
to reach and download the cert from the Web server.
Thank you for any assistance.
# SECSIPID for Stir/Shaken
modparam("secsipid", "private_key",
"/etc/kamailio/secsipid/private.key")
modparam("secsipid", "certificate",
"/etc/kamailio/secsipid/cert.crt")
modparam("secsipid", "authority_cert",
"/etc/kamailio/secsipid/ca.crt")
modparam("secsipid", "expire", 600) modparam("secsipid",
"timeout", 2)
route[STIRSHAKEN] {
if (is_method("INVITE")) {
if (!secsipid_add_identity("$fU", "$rU", "A",
"", "
http://myIPaddress.com/stir_shaken_cert.crt
<http://myipaddress.com/stir_shaken_cert.crt>",
"/etc/kamailio/secsipid/private.key")) {
xlog("L_ERR", "Failed to sign call with ID: $ci - From:
$fU\n");
send_reply("500", "Internal Server Error");
exit;
} else {
xlog("L_INFO", "Successfully signed call with ID: $ci -
From: $fU\n");
}
}
# Relay the call after signing
route(RELAY);
}
__________________________________________________________
Kamailio - Users
Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
9:33 p.m.
Disregard. It was my mistake. I had sp_key.pem in my kamailio config when
it was actually sp-key.pem. Doh. Took me way too long to see my mistake but
it is working now and adding the identity. Thanks for the help everyone!
On Thu, Jun 20, 2024 at 8:43 PM Blake Ivey <uga5324(a)gmail.com> wrote:
Thanks for the replies. I think I am understanding it
better now. My issue
now is I am getting this error:
ERROR: {1 84911190 INVITE 9eea2bb8-aa08-123d-c0b5-5a8b7787aa29} secsipid
[secsipid_mod.c:444]: ki_secsipid_add_identity_mode(): failed to get
identity header body (-451)
-451 = SJWTRetErrFileRead which I assume is either the certificate or the
private key. I am able to download the certificate using the URL so I guess
the key? I have permissions on the key as 600 (-rw-------) and the
user:group for it is kamailio.
It's still a self signed but I generated it with the TNAuthList, etc like
a production certificate. I have stir/shaken working on s production
machine but it uses libstirshaken and not secsipid.
Output of cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
35:a4:66:b0:ec:7b:3a:f2:e8:e4:fd:0d:f4:cc:56:f2:2c:0b:32:4d
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = ME, L = New York, O = Bobs Phone Company, CN
= sip-test.mydomain.net
Validity
Not Before: Jun 21 00:03:27 2024 GMT
Not After : Sep 24 00:03:27 2026 GMT
Subject: C = US, ST = VA, L = Somewhere, O = "AcmeTelecom, Inc.",
OU = VOIP, CN = SHAKEN
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b8:3f:ac:45:14:65:05:1f:df:bd:f4:3c:e5:39:
33:66:c4:06:59:90:8a:05:be:76:c2:55:49:48:95:
62:3d:7f:25:20:77:d2:fa:4d:60:eb:d8:72:d9:a8:
a1:40:e0:51:ad:aa:d0:d3:4b:f1:03:4c:42:b6:d5:
01:0c:fb:48:b0
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
1.3.6.1.5.5.7.1.26:
0.....1001
X509v3 Subject Key Identifier:
9C:54:1E:90:7E:5D:58:F3:52:81:2F:E0:13:D6:2D:C2:FE:AE:A9:FB
X509v3 Authority Key Identifier:
84:95:50:31:A8:E6:FE:EC:76:C6:C5:1C:EB:79:E5:AC:A8:54:CD:1C
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:46:02:21:00:b0:24:88:8e:cf:27:88:d0:d2:9c:c5:6b:2b:
d3:c0:88:b1:2f:a6:da:fe:5b:fe:c8:41:f6:02:34:e1:99:eb:
69:02:21:00:9d:63:32:bc:0f:10:24:80:67:e3:c6:84:84:6d:
c5:1a:d1:03:2b:19:34:34:34:51:a5:b6:64:9b:9f:db:eb:cb
On Thu, Jun 20, 2024 at 5:33 PM David Villasmil <
david.villasmil.work(a)gmail.com> wrote:
> this is what i do (i have a redirect server receive the INVITEs to be
> signed, I add the header and then do 302, the initiating server then add it
> to the INVITE and sends the invite out:
>
> if ($rm=="INVITE") {
> $var(rc) = secsipid_add_identity("$(var(from){s.numeric})",
> "$(var(to){s.numeric})", "A", "", "
> https://pki.domain.com/stir-shaken-cert.pem"quot;,
> "/etc/kamailio/ec256-private.pem");
>
> if ( $var(rc) > 0 ) {
> msg_apply_changes();
> } else {
> update_stat("stirshaken_create_identity_failed","+1");
> send_reply("503", "Service Unavailable - can not create Identity
header");
> exit;
> }
>
> append_to_reply("Identity: $hdr(Identity)\r\n");
> }
> sl_send_reply("302", "Redirect");
> exit;
>
>
> hope that helps
>
> Regards,
>
> David Villasmil
> email: david.villasmil.work(a)gmail.com
>
>
>
> On Thu, Jun 20, 2024 at 11:14 PM Blake Ivey via sr-users <
> sr-users(a)lists.kamailio.org> wrote:
>
>> Hmm you are correct. I took it out and it started fine. So what exactly
>> would I need for our outbound stirshaken?
>>
>> Just secsipid_add_identity?
>>
>> I guess I've been looking at this for too long today. Just lines and
>> lines after a while.
>>
>> On Thu, Jun 20, 2024, 4:47 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
>>
>>> Except for `expire` and `timeout`, those parameters don’t exist for
>>> secsip id- at least according to the module documentation:
>>> https://kamailio.org/docs/modules/stable/modules/secsipid
>>>
>>>
>>>
>>> Regards,
>>>
>>> Kaufman
>>>
>>>
>>>
>>> *From:* Blake Ivey <uga5324(a)gmail.com>
>>> *Sent:* Thursday, June 20, 2024 3:39 PM
>>> *To:* Ben Kaufman <bkaufman(a)bcmone.com>
>>> *Cc:* sr-users(a)lists.kamailio.org
>>> *Subject:* Re: [SR-Users] SecSIPID Assistance
>>>
>>>
>>>
>>> *CAUTION:* This email originated from outside the organization. *Do
>>> not click links or open attachments* unless you recognize the sender
>>> and know the content is safe.
>>>
>>>
>>>
>>> Sorry for the formatting:
>>>
>>> ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter
>>> <private_key> of type <1:string> not found in module
<secsipid>
>>> kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse
error
>>> in config file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't set
>>> module parameter
>>> kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse
error
>>> in config file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't set
>>> module parameter
>>> kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex():
>>> parameter <key_path> of type <1:string> not found in module
<secsipid>
>>>
>>>
>>>
>>> On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
>>>
>>> What is the error you’re getting?
>>>
>>>
>>>
>>> Regards,
>>>
>>> Kaufman
>>>
>>>
>>>
>>>
>>>
>>> *From:* Blake Ivey via sr-users <sr-users(a)lists.kamailio.org>
>>> *Sent:* Thursday, June 20, 2024 3:14 PM
>>> *To:* Kamailio (SER) - Users Mailing List
<sr-users(a)lists.kamailio.org>
>>> *Cc:* Blake Ivey <uga5324(a)gmail.com>
>>> *Subject:* [SR-Users] SecSIPID Assistance
>>>
>>>
>>>
>>> *CAUTION:* This email originated from outside the organization. *Do
>>> not click links or open attachments* unless you recognize the sender
>>> and know the content is safe.
>>>
>>>
>>>
>>> Hi everyone. Wanting to see if someone could point me in the right
>>> direction. Still very knew to Kamailio but I am beginning to understand it
>>> better. I'm making an outbound proxy and have everything working well
>>> besides stir/shaken. I'm looking at the module page and have went back
and
>>> forth with chatGPT and can't seem to figure this part out. I keep
getting
>>> errors on the modparam lines.
>>>
>>>
>>>
>>> Obviously this is a self signed cert because I'm just testing. I am
>>> able to reach and download the cert from the Web server.
>>>
>>>
>>>
>>> Thank you for any assistance.
>>>
>>>
>>>
>>> # SECSIPID for Stir/Shaken
>>>
>>> modparam("secsipid", "private_key",
>>> "/etc/kamailio/secsipid/private.key")
>>>
>>> modparam("secsipid", "certificate",
"/etc/kamailio/secsipid/cert.crt")
>>>
>>> modparam("secsipid", "authority_cert",
"/etc/kamailio/secsipid/ca.crt")
>>>
>>> modparam("secsipid", "expire", 600)
modparam("secsipid", "timeout", 2)
>>>
>>>
>>>
>>> route[STIRSHAKEN] {
>>>
>>> if (is_method("INVITE")) {
>>>
>>> if (!secsipid_add_identity("$fU", "$rU",
"A", "", "
>>> http://myIPaddress.com/stir_shaken_cert.crt
>>> <http://myipaddress.com/stir_shaken_cert.crt>",
>>> "/etc/kamailio/secsipid/private.key")) {
>>>
>>> xlog("L_ERR", "Failed to sign call with ID: $ci -
From:
>>> $fU\n");
>>>
>>> send_reply("500", "Internal Server Error");
>>>
>>> exit;
>>>
>>> } else {
>>>
>>> xlog("L_INFO", "Successfully signed call with ID:
$ci -
>>> From: $fU\n");
>>>
>>> }
>>>
>>> }
>>>
>>>
>>>
>>> # Relay the call after signing
>>>
>>> route(RELAY);
>>>
>>> }
>>>
>>>
>>>
>>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>> To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
>> Important: keep the mailing list in the recipients, do not reply only to
>> the sender!
>> Edit mailing list options or unsubscribe:
>>
>
1 Jul
1 Jul
4:42 p.m.
Sorry to bring this back up, but I am struggling again and not sure what to
do.
I am trying to use my actual private key and cert from Peering Hub and I
keep getting:
SJWTRetErrPrvKeyInvalid = -151
I have done the following:
openssl ec -in private.pem -check
read EC key
EC Key valid.
writing EC key
openssl x509 -text -noout -in public.crt and it shows the cert information
and it is valid.
I have kamailio:kamailio as the key/cert owners with chmod 640 permissions
Does it matter that my cert is using .crt and not .pem?
Any suggestions on what to do from here? This is working with libstirshaken
but I am trying to migrate to secsipid.
Thanks for any assistance!
On Thu, Jun 20, 2024 at 9:33 PM Blake Ivey <uga5324(a)gmail.com> wrote:
Disregard. It was my mistake. I had sp_key.pem in my
kamailio config when
it was actually sp-key.pem. Doh. Took me way too long to see my mistake but
it is working now and adding the identity. Thanks for the help everyone!
On Thu, Jun 20, 2024 at 8:43 PM Blake Ivey <uga5324(a)gmail.com> wrote:
> Thanks for the replies. I think I am understanding it better now. My
> issue now is I am getting this error:
>
> ERROR: {1 84911190 INVITE 9eea2bb8-aa08-123d-c0b5-5a8b7787aa29} secsipid
> [secsipid_mod.c:444]: ki_secsipid_add_identity_mode(): failed to get
> identity header body (-451)
>
> -451 = SJWTRetErrFileRead which I assume is either the certificate or the
> private key. I am able to download the certificate using the URL so I guess
> the key? I have permissions on the key as 600 (-rw-------) and the
> user:group for it is kamailio.
>
> It's still a self signed but I generated it with the TNAuthList, etc like
> a production certificate. I have stir/shaken working on s production
> machine but it uses libstirshaken and not secsipid.
>
> Output of cert:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 35:a4:66:b0:ec:7b:3a:f2:e8:e4:fd:0d:f4:cc:56:f2:2c:0b:32:4d
> Signature Algorithm: ecdsa-with-SHA256
> Issuer: C = US, ST = ME, L = New York, O = Bobs Phone Company, CN
> = sip-test.mydomain.net
> Validity
> Not Before: Jun 21 00:03:27 2024 GMT
> Not After : Sep 24 00:03:27 2026 GMT
> Subject: C = US, ST = VA, L = Somewhere, O = "AcmeTelecom, Inc.",
> OU = VOIP, CN = SHAKEN
> Subject Public Key Info:
> Public Key Algorithm: id-ecPublicKey
> Public-Key: (256 bit)
> pub:
> 04:b8:3f:ac:45:14:65:05:1f:df:bd:f4:3c:e5:39:
> 33:66:c4:06:59:90:8a:05:be:76:c2:55:49:48:95:
> 62:3d:7f:25:20:77:d2:fa:4d:60:eb:d8:72:d9:a8:
> a1:40:e0:51:ad:aa:d0:d3:4b:f1:03:4c:42:b6:d5:
> 01:0c:fb:48:b0
> ASN1 OID: prime256v1
> NIST CURVE: P-256
> X509v3 extensions:
> 1.3.6.1.5.5.7.1.26:
> 0.....1001
> X509v3 Subject Key Identifier:
>
> 9C:54:1E:90:7E:5D:58:F3:52:81:2F:E0:13:D6:2D:C2:FE:AE:A9:FB
> X509v3 Authority Key Identifier:
>
> 84:95:50:31:A8:E6:FE:EC:76:C6:C5:1C:EB:79:E5:AC:A8:54:CD:1C
> Signature Algorithm: ecdsa-with-SHA256
> Signature Value:
> 30:46:02:21:00:b0:24:88:8e:cf:27:88:d0:d2:9c:c5:6b:2b:
> d3:c0:88:b1:2f:a6:da:fe:5b:fe:c8:41:f6:02:34:e1:99:eb:
> 69:02:21:00:9d:63:32:bc:0f:10:24:80:67:e3:c6:84:84:6d:
> c5:1a:d1:03:2b:19:34:34:34:51:a5:b6:64:9b:9f:db:eb:cb
>
>
> On Thu, Jun 20, 2024 at 5:33 PM David Villasmil <
> david.villasmil.work(a)gmail.com> wrote:
>
>> this is what i do (i have a redirect server receive the INVITEs to be
>> signed, I add the header and then do 302, the initiating server then add it
>> to the INVITE and sends the invite out:
>>
>> if ($rm=="INVITE") {
>> $var(rc) = secsipid_add_identity("$(var(from){s.numeric})",
>> "$(var(to){s.numeric})", "A", "", "
>> https://pki.domain.com/stir-shaken-cert.pem"quot;,
>> "/etc/kamailio/ec256-private.pem");
>>
>> if ( $var(rc) > 0 ) {
>> msg_apply_changes();
>> } else {
>> update_stat("stirshaken_create_identity_failed","+1");
>> send_reply("503", "Service Unavailable - can not create Identity
>> header");
>> exit;
>> }
>>
>> append_to_reply("Identity: $hdr(Identity)\r\n");
>> }
>> sl_send_reply("302", "Redirect");
>> exit;
>>
>>
>> hope that helps
>>
>> Regards,
>>
>> David Villasmil
>> email: david.villasmil.work(a)gmail.com
>>
>>
>>
>> On Thu, Jun 20, 2024 at 11:14 PM Blake Ivey via sr-users <
>> sr-users(a)lists.kamailio.org> wrote:
>>
>>> Hmm you are correct. I took it out and it started fine. So what exactly
>>> would I need for our outbound stirshaken?
>>>
>>> Just secsipid_add_identity?
>>>
>>> I guess I've been looking at this for too long today. Just lines and
>>> lines after a while.
>>>
>>> On Thu, Jun 20, 2024, 4:47 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
>>>
>>>> Except for `expire` and `timeout`, those parameters don’t exist for
>>>> secsip id- at least according to the module documentation:
>>>> https://kamailio.org/docs/modules/stable/modules/secsipid
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Kaufman
>>>>
>>>>
>>>>
>>>> *From:* Blake Ivey <uga5324(a)gmail.com>
>>>> *Sent:* Thursday, June 20, 2024 3:39 PM
>>>> *To:* Ben Kaufman <bkaufman(a)bcmone.com>
>>>> *Cc:* sr-users(a)lists.kamailio.org
>>>> *Subject:* Re: [SR-Users] SecSIPID Assistance
>>>>
>>>>
>>>>
>>>> *CAUTION:* This email originated from outside the organization. *Do
>>>> not click links or open attachments* unless you recognize the sender
>>>> and know the content is safe.
>>>>
>>>>
>>>>
>>>> Sorry for the formatting:
>>>>
>>>> ERROR: <core> [core/modparam.c:185]: set_mod_param_regex():
parameter
>>>> <private_key> of type <1:string> not found in module
<secsipid>
>>>> kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse
>>>> error in config file /etc/kamailio/kamailio.cfg, line 71, column 73:
Can't
>>>> set module parameter
>>>> kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse
>>>> error in config file /etc/kamailio/kamailio.cfg, line 71, column 70:
Can't
>>>> set module parameter
>>>> kamailio: ERROR: <core> [core/modparam.c:185]:
set_mod_param_regex():
>>>> parameter <key_path> of type <1:string> not found in module
<secsipid>
>>>>
>>>>
>>>>
>>>> On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman <bkaufman(a)bcmone.com>
wrote:
>>>>
>>>> What is the error you’re getting?
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Kaufman
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *From:* Blake Ivey via sr-users <sr-users(a)lists.kamailio.org>
>>>> *Sent:* Thursday, June 20, 2024 3:14 PM
>>>> *To:* Kamailio (SER) - Users Mailing List
<sr-users(a)lists.kamailio.org
>>>> >
>>>> *Cc:* Blake Ivey <uga5324(a)gmail.com>
>>>> *Subject:* [SR-Users] SecSIPID Assistance
>>>>
>>>>
>>>>
>>>> *CAUTION:* This email originated from outside the organization. *Do
>>>> not click links or open attachments* unless you recognize the sender
>>>> and know the content is safe.
>>>>
>>>>
>>>>
>>>> Hi everyone. Wanting to see if someone could point me in the right
>>>> direction. Still very knew to Kamailio but I am beginning to understand
it
>>>> better. I'm making an outbound proxy and have everything working
well
>>>> besides stir/shaken. I'm looking at the module page and have went
back and
>>>> forth with chatGPT and can't seem to figure this part out. I keep
getting
>>>> errors on the modparam lines.
>>>>
>>>>
>>>>
>>>> Obviously this is a self signed cert because I'm just testing. I am
>>>> able to reach and download the cert from the Web server.
>>>>
>>>>
>>>>
>>>> Thank you for any assistance.
>>>>
>>>>
>>>>
>>>> # SECSIPID for Stir/Shaken
>>>>
>>>> modparam("secsipid", "private_key",
>>>> "/etc/kamailio/secsipid/private.key")
>>>>
>>>> modparam("secsipid", "certificate",
"/etc/kamailio/secsipid/cert.crt")
>>>>
>>>> modparam("secsipid", "authority_cert",
"/etc/kamailio/secsipid/ca.crt")
>>>>
>>>> modparam("secsipid", "expire", 600)
modparam("secsipid", "timeout", 2)
>>>>
>>>>
>>>>
>>>> route[STIRSHAKEN] {
>>>>
>>>> if (is_method("INVITE")) {
>>>>
>>>> if (!secsipid_add_identity("$fU", "$rU",
"A", "", "
>>>> http://myIPaddress.com/stir_shaken_cert.crt
>>>> <http://myipaddress.com/stir_shaken_cert.crt>",
>>>> "/etc/kamailio/secsipid/private.key")) {
>>>>
>>>> xlog("L_ERR", "Failed to sign call with ID:
$ci - From:
>>>> $fU\n");
>>>>
>>>> send_reply("500", "Internal Server
Error");
>>>>
>>>> exit;
>>>>
>>>> } else {
>>>>
>>>> xlog("L_INFO", "Successfully signed call with
ID: $ci -
>>>> From: $fU\n");
>>>>
>>>> }
>>>>
>>>> }
>>>>
>>>>
>>>>
>>>> # Relay the call after signing
>>>>
>>>> route(RELAY);
>>>>
>>>> }
>>>>
>>>>
>>>>
>>>> __________________________________________________________
>>> Kamailio - Users Mailing List - Non Commercial Discussions
>>> To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
>>> Important: keep the mailing list in the recipients, do not reply only
>>> to the sender!
>>> Edit mailing list options or unsubscribe:
>>>
>>
179
days inactive
190
days old
8 comments
3 participants
participants (3)
-
Ben Kaufman -
Blake Ivey -
David Villasmil