res_stir_shaken

Since 18.22.0 | Module Configuration

STIR/SHAKEN module for Asterisk

Last reviewed 2026-04-14

Description

stir_shaken.conf

[attestation]

STIR/SHAKEN attestation options

  • global_disable - Globally disable verification
  • private_key_file - File path to a certificate
  • public_cert_url - URL to the public certificate
  • attest_level - Attestation level
  • unknown_tn_attest_level - Attestation level to use for unknown TNs
  • check_tn_cert_public_url - On load, retrieve all TN's certificates and validate their dates
  • send_mky - Send a media key (mky) grant in the attestation for DTLS calls. (not common)

[tn]

STIR/SHAKEN TN options

  • type - Must be of type 'tn'.
  • private_key_file - File path to a certificate
  • public_cert_url - URL to the public certificate
  • attest_level - Attestation level
  • check_tn_cert_public_url - On load, retrieve all TN's certificates and validate their dates
  • send_mky - Send a media key (mky) grant in the attestation for DTLS calls. (not common)

[verification]

STIR/SHAKEN verification options

  • global_disable - Globally disable verification
  • load_system_certs - A boolean indicating whether trusted CA certificates should be loaded from the system
  • ca_file - Path to a file containing one or more CA certs in PEM format
  • ca_path - Path to a directory containing one or more hashed CA certs
  • crl_file - Path to a file containing one or more CRLs in PEM format
  • crl_path - Path to a directory containing one or more hashed CRLs
  • untrusted_cert_file - Path to a file containing one or more untrusted certs in PEM format used to verify CRLs
  • untrusted_cert_path - Path to a directory containing one or more hashed untrusted certs used to verify CRLs
  • cert_cache_dir - Directory to cache retrieved verification certs
  • curl_timeout - Maximum time to wait when retrieving certificates with cURL
  • max_cache_entry_age - Number of seconds a cache entry may be behind current time
  • max_cache_size - Maximum size to use for caching public keys
  • max_iat_age - Number of seconds an iat grant may be behind current time
  • max_date_header_age - Number of seconds a SIP Date header may be behind current time
  • failure_action - The default failure action when not set on a profile
  • use_rfc9410_responses - RFC9410 uses the STIR protocol on Reason headers instead of the SIP protocol
  • ignore_sip_date_header - When set to true, will cause the verification process to not consider a missing or invalid SIP "Date" header to be a failure. This will make the IAT the sole "truth" for Date in the verification process.
  • relax_x5u_port_scheme_restrictions - Relaxes check for "https" and port 443 or 8443 in incoming Identity header x5u URLs.
  • relax_x5u_path_restrictions - Relaxes check for query parameters, user/password, etc. in incoming Identity header x5u URLs.
  • x5u_acl - An existing ACL from acl.conf to use when checking hostnames in incoming Identity header x5u URLs.
  • x5u_permit - An IP or subnet to permit when checking hostnames in incoming Identity header x5u URLs.
  • x5u_deny - An IP or subnet to deny when checking hostnames in incoming Identity header x5u URLs.

[profile]

STIR/SHAKEN profile configuration options

  • type - Must be of type 'profile'.
  • load_system_certs - A boolean indicating whether trusted CA certificates should be loaded from the system
  • ca_file - Path to a file containing one or more CA certs in PEM format
  • ca_path - Path to a directory containing one or more hashed CA certs
  • crl_file - Path to a file containing one or more CRLs in PEM format
  • crl_path - Path to a directory containing one or more hashed CRLs
  • untrusted_cert_file - Path to a file containing one or more untrusted certs in PEM format used to verify CRLs
  • untrusted_cert_path - Path to a directory containing one or more hashed untrusted certs used to verify CRLs
  • cert_cache_dir - Directory to cache retrieved verification certs
  • curl_timeout - Maximum time to wait when retrieving certificates with cURL
  • max_iat_age - Number of seconds an iat grant may be behind current time
  • max_date_header_age - Number of seconds a SIP Date header may be behind current time
  • ignore_sip_date_header - When set to true, will cause the verification process to not consider a missing or invalid SIP "Date" header to be a failure. This will make the IAT the sole "truth" for Date in the verification process.
  • max_cache_entry_age - Number of seconds a cache entry may be behind current time
  • max_cache_size - Maximum size to use for caching public keys
  • failure_action - The default failure action when not set on a profile
  • use_rfc9410_responses - RFC9410 uses the STIR protocol on Reason headers instead of the SIP protocol
  • relax_x5u_port_scheme_restrictions - Relaxes check for "https" and port 443 or 8443 in incoming Identity header x5u URLs.
  • relax_x5u_path_restrictions - Relaxes check for query parameters, user/password, etc. in incoming Identity header x5u URLs.
  • x5u_acl - An existing ACL from acl.conf to use when checking hostnames in incoming Identity header x5u URLs.
  • x5u_permit - An IP or subnet to permit when checking hostnames in incoming Identity header x5u URLs.
  • x5u_deny - An IP or subnet to deny when checking hostnames in incoming Identity header x5u URLs.
  • check_tn_cert_public_url - On load, retrieve all TN's certificates and validate their dates
  • private_key_file - File path to a certificate
  • public_cert_url - URL to the public certificate
  • attest_level - Attestation level
  • unknown_tn_attest_level - Attestation level to use for unknown TNs
  • send_mky - Send a media key (mky) grant in the attestation for DTLS calls. (not common)
  • endpoint_behavior - Actions performed when an endpoint references this profile
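
The x5u URL checks that the [verification] and [profile] options above control, modelled as an added Python example (not Asterisk's own code). The function name, the caller-supplied `resolved_ip`, treating a fragment as part of "etc.", and the deny-first ACL model are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

def check_x5u(url, resolved_ip, permit=(), deny=(),
              relax_port_scheme=False, relax_path=False):
    """Return (ok, reason) for an incoming Identity header x5u URL.

    Hypothetical helper. resolved_ip is the address the caller resolved the
    URL's host to; permit/deny are CIDR strings standing in for
    x5u_permit/x5u_deny.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "malformed URL"
    if not parts.hostname:
        return False, "missing host"
    if not relax_port_scheme:  # default: https on port 443 or 8443 only
        if parts.scheme != "https":
            return False, "scheme is not https"
        if (443 if port is None else port) not in (443, 8443):
            return False, "port is not 443 or 8443"
    if not relax_path:  # default: no user/password or query parameters
        if parts.username is not None or parts.password is not None:
            return False, "user/password present"
        if parts.query:
            return False, "query parameters present"
        if parts.fragment:  # assumption: fragments fall under the page's "etc."
            return False, "fragment present"
    ip = ipaddress.ip_address(resolved_ip)
    # Assumed ACL model: any deny match rejects; a non-empty permit list must match.
    if any(ip in ipaddress.ip_network(net) for net in deny):
        return False, "host address denied"
    if permit and not any(ip in ipaddress.ip_network(net) for net in permit):
        return False, "host address not permitted"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample input (documentation-range host names and addresses).
    internal = ["10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16"]
    for url, ip in [("https://cr.example.test/certs/sp.pem", "203.0.113.10"),
                    ("https://cr.example.test:8080/sp.pem", "203.0.113.10"),
                    ("https://cr.example.test/sp.pem?id=1", "203.0.113.10"),
                    ("https://meta.example.test/sp.pem", "169.254.169.254")]:
        print(url, check_x5u(url, ip, deny=internal))
```

Because the verifier fetches whatever URL the caller's Identity header names, the strict defaults plus a deny list for internal ranges are what keep that fetch from reaching hosts the operator did not intend.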
