104 lines
3.4 KiB
Plaintext
104 lines
3.4 KiB
Plaintext
|
;
|
||
|
; This file is used by the res_stir_shaken module to configure parameters
|
||
|
; used for STIR/SHAKEN.
|
||
|
;
|
||
|
; There are 2 sides to STIR/SHAKEN: attestation and verification.
|
||
|
;
|
||
|
; Attestation is done on outgoing calls and makes use out of the certificate
|
||
|
; objects. The cert located at path will be used to sign, and the cert
|
||
|
; located at public_cert_url will be placed in the Identity header to let the
|
||
|
; remote side know where to download the public cert from. These 2 certs must
|
||
|
; match; that is, the cert located at public_cert_url must be the public cert
|
||
|
; derived from the private cert located at path.
|
||
|
;
|
||
|
; Verification is done on incoming calls and doesn't rely on cert objects
|
||
|
; defined in this file.
|
||
|
;
|
||
|
; The general section applies to all STIR/SHAKEN operations. However,
|
||
|
; cache_max_size, curl_timeout, and signature_timeout only apply to the
|
||
|
; verification side.
|
||
|
;
|
||
|
; It's important to note that downloaded certificates are stored in
|
||
|
; <ast_config_AST_DATA_DIR>/keys/stir_shaken, which is usually
|
||
|
; /etc/asterisk/keys/stir_shaken, but may be changed depending on where your
|
||
|
; config directory is.
|
||
|
;
|
||
|
; Visit the wiki page:
|
||
|
; https://wiki.asterisk.org/wiki/display/AST/STIR+and+SHAKEN
|
||
|
;
|
||
|
; [general]
|
||
|
;
|
||
|
; File path to the certificate authority certificate
|
||
|
;ca_file=/etc/asterisk/stir/ca.crt
|
||
|
;
|
||
|
; File path to a chain of trust
|
||
|
;ca_path=/etc/asterisk/stir/ca
|
||
|
;
|
||
|
; Maximum size to use for caching public keys
|
||
|
;cache_max_size=1000
|
||
|
;
|
||
|
; Maximum time (in seconds) to wait to CURL certificates
|
||
|
;curl_timeout=2
|
||
|
;
|
||
|
; Amount of time (in seconds) a signature is valid for
|
||
|
;signature_timeout=15
|
||
|
;
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
;
|
||
|
; A certificate store is used to examine, and load all certificates found in a
|
||
|
; given directory. When using this type the public key URL is generated based
|
||
|
; upon the filename, and variable substitution.
|
||
|
;[certificates]
|
||
|
;
|
||
|
; type must be "store"
|
||
|
;type=store
|
||
|
;
|
||
|
; Path to a directory containing certificates
|
||
|
;path=/etc/asterisk/stir
|
||
|
;
|
||
|
; URL to the public certificate(s). Must contain variable '${CERTIFICATE}' used for
|
||
|
; substitution. '${CERTIFICATE}' will be replaced by the names of the files located
|
||
|
; at path.
|
||
|
; This will be put in the Identity header when signing.
|
||
|
;public_cert_url=http://mycompany.com/${CERTIFICATE}.pem
|
||
|
;
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
;
|
||
|
; Individual certificates are declared by using the certificate type.
|
||
|
;[alice]
|
||
|
;
|
||
|
; type must be "certificate"
|
||
|
;type=certificate
|
||
|
;
|
||
|
; File path to a certificate. This can be RSA or ECDSA, but eventually only ECDSA will be supported.
|
||
|
;path=/etc/asterisk/stir/alice.pem
|
||
|
;
|
||
|
; URL to the public certificate. Must be of type X509 and be derived from the
|
||
|
; certificate located at path.
|
||
|
; This will be put in the identity header when signing.
|
||
|
;public_cert_url=http://mycompany.com/alice.pem
|
||
|
;
|
||
|
; The caller ID number to match on
|
||
|
;caller_id_number=1234567
|
||
|
;
|
||
|
; Must have an attestation of A, B, or C
|
||
|
;attestation=C
|
||
|
;
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
;
|
||
|
; Profiles can be defined here which can be referenced by channel drivers.
|
||
|
;[my_profile]
|
||
|
;
|
||
|
; type must be "profile"
|
||
|
;type=profile
|
||
|
;
|
||
|
; Set stir_shaken to 'attest', 'verify', or 'on', which is the default
|
||
|
;stir_shaken=on
|
||
|
;
|
||
|
; You can specify an ACL that will be used strictly for the Identity header when downloading public certificates
|
||
|
;acllist=myacllist
|
||
|
;
|
||
|
; You can also do permit / deny lines if you want (also supports IPv6)
|
||
|
;permit=0.0.0.0/0.0.0.0
|
||
|
;deny=127.0.0.1
|