Stir/Shaken : which format for CRL ? DER or PEM?

Hello,

  1. In which format shall I save the CRL to comply with the crl_file setting in stir_shaken.conf's verification section? Shall I use DER or PEM?
  2. Whatever the answer is, would you find it appropriate to include it in stir_shaken.conf.sample?

Best regards

After trial and error, a file in PEM format is accepted by Asterisk 20.8.1.
I don't know if the failures I got with a DER file come from an Asterisk feature or from an invalid DER file (very likely).

I could successfully convert a CRL in DER format to a file in PEM format (starting with a -----BEGIN X509 CRL----- line).
This last .pem file can be used in the crl_file setting (in stir_shaken.conf) while the one in .der can't be used.

To me, this may demonstrate that Asterisk 20.8.1 requires a file in PEM format, but my understanding of X.509 is much too thin to be affirmative.

Is this requirement correct?
Does it deserve an explicit mention in stir_shaken.conf.sample?

Please note that in the above description my success criterion is "does reloading the res_stir_shaken.so module work or not?".
Such a reload can work OK while handling incoming calls still fails.
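As an added illustration (not code from the thread or from Asterisk) of the DER-to-PEM conversion described above: PEM is just the DER bytes base64-encoded in 64-character lines between `-----BEGIN X509 CRL-----` / `-----END X509 CRL-----` markers, so a file can be recognised and normalised to PEM without OpenSSL. The `SAMPLE_DER` bytes are constructed to look DER-shaped for the round-trip check and are not a valid CRL; for real files the equivalent OpenSSL command is noted in the comments.

```python
import base64
import re

PEM_HEADER = "-----BEGIN X509 CRL-----"
PEM_FOOTER = "-----END X509 CRL-----"


def detect_crl_format(data: bytes) -> str:
    """Return 'PEM' if the PEM CRL header is present, 'DER' if the data
    starts with an ASN.1 SEQUENCE tag (0x30, as every DER CRL does),
    otherwise 'UNKNOWN'."""
    if PEM_HEADER.encode("ascii") in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM text. Equivalent to:
    openssl crl -inform DER -in crl.der -outform PEM -out crl.pem"""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *body, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from the first X509 CRL PEM block."""
    pattern = re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER)
    match = re.search(pattern, pem, re.S)
    if match is None:
        raise ValueError("no X509 CRL PEM block found")
    return base64.b64decode("".join(match.group(1).split()))


def ensure_pem_crl(data: bytes) -> str:
    """Return PEM text for a CRL file's bytes, converting DER if needed.
    Raises on data that is neither; Asterisk's crl_file wants the PEM form."""
    fmt = detect_crl_format(data)
    if fmt == "PEM":
        return data.decode("ascii")
    if fmt == "DER":
        return der_to_pem(data)
    raise ValueError("file is neither a PEM nor a DER CRL")


# Constructed, DER-shaped sample bytes (SEQUENCE tag + length + filler);
# NOT a real CRL, only used to exercise the conversion round trip.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
```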

The ca_file, ca_path, crl_file and crl_path parameters are passed directly to OpenSSL’s X509_STORE_load_locations() API. The documentation for X509_STORE_load_locations() itself doesn’t directly say which is supported but other documentation for the API calls that X509_STORE_load_locations() calls say it supports both. I haven’t tried it, but I may have time tomorrow to give it a try.

You'll have to give more information about the reloading issue. Exactly what did you change? Are you saying that calls failed with a reload but worked if Asterisk was restarted?

I’ve not found any issue regarding res_stir_shaken.so reloading.
All I wanted to stress is that when using a DER CRL file, reloading res_stir_shaken.so triggered an error message while using a PEM CRL file, reloading res_stir_shaken.so didn’t trigger any error message.
So basically, in my testing, using PEM seems to be required.
My last addition to this thread was to clarify that while no error message was printed during res_stir_shaken.so reload, inbound calls still failed (detailed in a specific thread).
This clarification is to let someone reading this thread and also having issues with inbound calling, know he’s not the only one.

I'll be very curious to read about your own testing, as I expected DER format to be the favorite one for storing lists of revoked certs.
