### Description
The stirshaken module has an option to cache certificates instead of downloading them
over HTTP for each call. The problem is that the module doesn't save the certificate
chain in the cached file.
From here:
https://github.com/kamailio/kamailio/blob/f7b35f05f31bd7cc01aea4572c79ba48d…
We see that only `cert->x` is saved to the file. It needs to save `cert->chainx` as
well.
Similarly, the load function should load both the x509 and associated x509 chain.
### Troubleshooting
#### Reproduction
To reproduce, we need to configure the stirshaken module to do certificate caching:
```
modparam("stirshaken", "vs_verify_x509_cert_path", 1)
modparam("stirshaken", "vs_ca_dir", "/path/to/ca")
modparam("stirshaken", "vs_cache_certificates", 1)
modparam("stirshaken", "vs_cache_dir", "/path/to/cert_cache")
modparam("stirshaken", "vs_cache_expire_s", 100)
```
Then send 2 calls featuring an Identity header signed by a private key associated with a
public certificate that includes a chain, such as
https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09
Verification for the first call should work, but verification of the x509 cert path will fail
on the second call.
#### SIP Traffic
Example SIP INVITE that should help reproduce the problem.
```
INVITE sip:+13855551212@216.82.227.102:5060 SIP/2.0
Max-Forwards: 61
f: <sip:+13852194167@reg.mydomain.net>;tag=as04e1a3e0
t: <sip:+13851212@somedomain.net>
m: <sip:+13852194167@reg.mydomain.net:5060>
i: 59ede93214794e1033b27ed249a90f15@reg.mydomain.net
CSeq: 102 INVITE
Date: Mon, 19 Sep 2022 15:04:01 GMT
l: 0
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR…
```
### Possible Solutions
The module should save/load `cert->chainx` as well. Maybe a new set of functions in
libstirshaken should be added to save/load a certificate (vs. saving/loading x509).
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3246
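The save/load behaviour described in this report, as an added illustration (not kamailio or libstirshaken code): a cache entry written with only the leaf certificate comes back with an empty chain, while a PEM bundle with the leaf first and the chain after it round-trips both. The function names and the bundle layout are assumptions, and the byte strings are constructed placeholders, not real X.509 certificates.

```python
import os
import re
import ssl
import tempfile

# Constructed stand-ins for DER certificates (opaque bytes, not real X.509).
LEAF_DER = b"\x30\x82constructed-leaf-certificate"
INTER_DER = b"\x30\x82constructed-intermediate-certificate"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def save_leaf_only(path, leaf_der, chain_ders):
    """Mirror the reported behaviour: the chain is dropped on save."""
    with open(path, "w") as fh:
        fh.write(ssl.DER_cert_to_PEM_cert(leaf_der))


def save_with_chain(path, leaf_der, chain_ders):
    """Write the leaf first, then each chain certificate, as one PEM bundle."""
    with open(path, "w") as fh:
        for der in [leaf_der, *chain_ders]:
            fh.write(ssl.DER_cert_to_PEM_cert(der))


def load_with_chain(path):
    """Return (leaf_der, [chain_der, ...]) read back from a cache file."""
    with open(path) as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    if not blocks:
        raise ValueError(f"{path}: no certificate found")
    ders = [ssl.PEM_cert_to_DER_cert(block) for block in blocks]
    return ders[0], ders[1:]


def entries_without_chain(cache_dir):
    """List cache files that hold a single certificate and no chain."""
    return sorted(name for name in os.listdir(cache_dir)
                  if not load_with_chain(os.path.join(cache_dir, name))[1])


def demo():
    """Write one leaf-only entry and one full entry into a temp cache dir."""
    cache_dir = tempfile.mkdtemp()
    save_leaf_only(os.path.join(cache_dir, "buggy.pem"), LEAF_DER, [INTER_DER])
    save_with_chain(os.path.join(cache_dir, "fixed.pem"), LEAF_DER, [INTER_DER])
    return cache_dir
```

`entries_without_chain()` only counts certificates per file; it does not decide whether a given leaf actually needs an intermediate to reach a CA in `vs_ca_dir`.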