res_stir_shaken: STIR/SHAKEN module for Asterisk¶
This configuration documentation is for functionality provided by res_stir_shaken.
Configuration File: stir_shaken.conf¶
[attestation]: STIR/SHAKEN attestation options¶
Configuration Option Reference¶
Option Name | Type | Default Value | Regular Expression | Description |
---|---|---|---|---|
attest_level | Custom | false | Attestation level | |
check_tn_cert_public_url | Custom | no | false | On load, Retrieve all TN's certificates and validate their dates |
global_disable | Boolean | no | false | Globally disable verification |
private_key_file | String | false | File path to a certificate | |
public_cert_url | String | false | URL to the public certificate | |
send_mky | Custom | no | false | Send a media key (mky) grant in the attestation for DTLS calls. (not common) |
Configuration Option Descriptions¶
public_cert_url¶
Must be a valid http, or https, URL.
[tn]: STIR/SHAKEN TN options¶
Configuration Option Reference¶
Option Name | Type | Default Value | Regular Expression | Description |
---|---|---|---|---|
attest_level | Custom | false | Attestation level | |
check_tn_cert_public_url | Custom | no | false | On load, Retrieve all TN's certificates and validate their dates |
private_key_file | String | false | File path to a certificate | |
public_cert_url | String | false | URL to the public certificate | |
send_mky | Custom | no | false | Send a media key (mky) grant in the attestation for DTLS calls. (not common) |
type | None | false | Must be of type 'tn'. |
Configuration Option Descriptions¶
public_cert_url¶
Must be a valid http, or https, URL.
[verification]: STIR/SHAKEN verification options¶
Configuration Option Reference¶
Option Name | Type | Default Value | Regular Expression | Description |
---|---|---|---|---|
ca_file | String | false | Path to a file containing one or more CA certs | |
ca_path | String | false | Path to a directory containing one or more hashed CA certs | |
cert_cache_dir | String | /var/lib/asterisk/keys/stir_shaken/cache | false | Directory to cache retrieved verification certs |
crl_file | String | false | Path to a file containing a CRL | |
crl_path | String | false | Path to a directory containing one or more hashed CRLs | |
curl_timeout | Unsigned Integer | 2 | false | Maximum time to wait to CURL certificates |
failure_action | Custom | continue | false | The default failure action when not set on a profile |
global_disable | Boolean | no | false | Globally disable verification |
load_system_certs | Custom | no | false | A boolean indicating whether trusted CA certificates should be loaded from the system |
max_cache_entry_age | Unsigned Integer | 3600 | false | Number of seconds a cache entry may be behind current time |
max_cache_size | Unsigned Integer | 1000 | false | Maximum size to use for caching public keys |
max_date_header_age | Unsigned Integer | 15 | false | Number of seconds a SIP Date header may be behind current time |
max_iat_age | Unsigned Integer | 15 | false | Number of seconds an iat grant may be behind current time |
relax_x5u_path_restrictions | Custom | no | false | Relaxes check for query parameters, user/password, etc. in incoming Identity header x5u URLs. |
relax_x5u_port_scheme_restrictions | Custom | no | false | Relaxes check for "https" and port 443 or 8443 in incoming Identity header x5u URLs. |
use_rfc9410_responses | Custom | no | false | RFC9410 uses the STIR protocol on Reason headers instead of the SIP protocol |
x5u_acl | Custom | false | An existing ACL from acl.conf to use when checking hostnames in incoming Identity header x5u URLs. | |
x5u_deny | Custom | false | An IP or subnet to deny checking hostnames in incoming Identity header x5u URLs. | |
x5u_permit | Custom | false | An IP or subnet to permit when checking hostnames in incoming Identity header x5u URLs. |
Configuration Option Descriptions¶
failure_action¶
-
continue
- If set to 'continue', continue and let the dialplan decide what action to take. -
reject_request
- If set to 'reject_request', reject the incoming request with response codes defined in RFC8224. -
continue_return_reason
- If set to 'return_reason', continue to the dialplan but add a 'Reason' header to the sender in the next provisional response.
[profile]: STIR/SHAKEN profile configuration options¶
Configuration Option Reference¶
Option Name | Type | Default Value | Regular Expression | Description |
---|---|---|---|---|
attest_level | Custom | false | Attestation level | |
ca_file | String | false | Path to a file containing one or more CA certs | |
ca_path | String | false | Path to a directory containing one or more hashed CA certs | |
cert_cache_dir | String | false | Directory to cache retrieved verification certs | |
check_tn_cert_public_url | Custom | not_set | false | On load, Retrieve all TN's certificates and validate their dates |
crl_file | String | false | Path to a file containing a CRL | |
crl_path | String | false | Path to a directory containing one or more hashed CRLs | |
curl_timeout | Unsigned Integer | 0 | false | Maximum time to wait to CURL certificates |
endpoint_behavior | Custom | off | false | Actions performed when an endpoint references this profile |
failure_action | Custom | continue | false | What do do when a verification fails |
load_system_certs | Custom | not_set | false | A boolean indicating whether trusted CA certificates should be loaded from the system |
max_cache_entry_age | Unsigned Integer | 0 | false | Number of seconds a cache entry may be behind current time |
max_cache_size | Unsigned Integer | 0 | false | Maximum size to use for caching public keys |
max_date_header_age | Unsigned Integer | 0 | false | Number of seconds a SIP Date header may be behind current time |
max_iat_age | Unsigned Integer | 0 | false | Number of seconds an iat grant may be behind current time |
private_key_file | String | false | File path to a certificate | |
public_cert_url | String | false | URL to the public certificate | |
relax_x5u_path_restrictions | Custom | not_set | false | Relaxes check for query parameters, user/password, etc. in incoming Identity header x5u URLs. |
relax_x5u_port_scheme_restrictions | Custom | not_set | false | Relaxes check for "https" and port 443 or 8443 in incoming Identity header x5u URLs. |
send_mky | Custom | not_set | false | Send a media key (mky) grant in the attestation for DTLS calls. (not common) |
type | None | false | Must be of type 'profile'. | |
use_rfc9410_responses | Custom | not_set | false | RFC9410 uses the STIR protocol on Reason headers instead of the SIP protocol |
x5u_acl | Custom | false | An existing ACL from acl.conf to use when checking hostnames in incoming Identity header x5u URLs. | |
x5u_deny | Custom | false | An IP or subnet to deny checking hostnames in incoming Identity header x5u URLs. | |
x5u_permit | Custom | false | An IP or subnet to permit when checking hostnames in incoming Identity header x5u URLs. |
Configuration Option Descriptions¶
endpoint_behavior¶
-
off
- Don't do any STIR/SHAKEN processing. -
attest
- Attest on outgoing calls. -
verify
- Verify incoming calls. -
on
- Attest outgoing calls and verify incoming calls.
failure_action¶
-
continue
- If set to 'continue', continue and let the dialplan decide what action to take. -
reject_request
- If set to 'reject_request', reject the incoming request with response codes defined in RFC8224. -
return_reason
- If set to 'return_reason', continue to the dialplan but add a 'Reason' header to the sender in the next provisional response.
public_cert_url¶
Must be a valid http, or https, URL.
Generated Version¶
This documentation was generated from Asterisk branch 20 using version GIT