List:       openser-users
Subject:    Re: [SR-Users] *** GMX Spamverdacht *** Re: Cannot disable EC Diffie Hellman cipher suite
From:       Ilyas Keskin <ilyask92 () gmx ! de>
Date:       2017-11-24 20:02:10
Message-ID: 32376914-0f09-afaf-46c5-318bbd632cb8 () gmx ! de

Hey otron,

good call, but in the meantime I already tried setting the following 
which should exclude all cipher suites and only use AES128 (afaik):

     cipher_list = NONE:AES128-SHA256


Best regards,
Ilyas Keskin

On 24.11.2017 at 20:48, otron2016@gmail.com wrote:
> Just a guess, but maybe later entries [like +HIGH:+MEDIUM:+LOW] put it 
> back. Try switching the order so that !ECDHE and the others you're 
> trying to exclude come after.
> 
> Sent from Samsung Mobile
> 
> 
> 
> -------- Original message --------
> From: Ilyas Keskin <ilyask92@gmx.de>
> Date: 11/24/2017 10:19 AM (GMT-08:00)
> To: miconda@gmail.com,"Kamailio (SER) - Users Mailing List" 
> <sr-users@lists.kamailio.org>
> Subject: Re: [SR-Users] Cannot disable EC Diffie Hellman cipher suite
> 
> 
> Hi Daniel,
> 
> Yes, I am using the tls.cfg file. I tried your suggestion to add the 
> cipher suite string (notice the !ECDHE, which I also added to the httpd 
> ssl.conf) but nothing changed.
> 
> [server:default]
> method = TLSv1
> cipher_list = 
> !DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> verify_certificate = no
> require_certificate = no
> private_key = /etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem
> certificate = /etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem
> #ca_list = ./modules/tls/cacert.pem
> #crl = ./modules/tls/crl.pem
> 
> Also here is a log snippet from the tls module section of the kamailio 
> initialization. Notice the first two lines. Also, it seems to me the module 
> actually ignores the local openssl installation and uses its own, which 
> has been compiled with the module itself (?).
> Other than that it seems to be accepting the cipher_list value just fine:
> 
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_mod.c:355]: mod_init(): With ECDH-Support!
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_mod.c:358]: mod_init(): With Diffie Hellman
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_init.c:587]: init_tls_h(): tls: _init_tls_h:  compiled with  
> openssl  version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), 
> kerberos support: on, compression: on
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_init.c:595]: init_tls_h(): tls: init_tls_h: installed openssl 
> library version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), 
> kerberos support: on,  zlib compression:
> compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB 
> -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT 
> -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tls 
> [tls_init.c:649]: init_tls_h(): tls: openssl bug #1491 (crash/mem 
> leaks on low memory) workaround enabled (on low memory tls operations 
> will fail preemptively) with free
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core> 
> [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): 
> tls.low_mem_threshold1 has been changed to 7864320
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core> 
> [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): 
> tls.low_mem_threshold2 has been changed to 3932160
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm 
> [tm.c:594]: fixup_routes(): WARNING: t_on_branch("MANAGE_BRANCH"): 
> empty/non existing route
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm 
> [tm.c:594]: fixup_routes(): WARNING: t_on_reply("MANAGE_REPLY"): 
> empty/non existing route
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm 
> [tm.c:594]: fixup_routes(): WARNING: t_on_failure("MANAGE_FAILURE"): 
> empty/non existing route
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core> 
> [udp_server.c:175]: probe_max_receive_buffer(): SO_RCVBUF is initially 
> 212992
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core> 
> [udp_server.c:225]: probe_max_receive_buffer(): SO_RCVBUF is finally 
> 425984
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:275]: fill_missing(): TLSs<default>: tls_method=12
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:287]: fill_missing(): TLSs<default>: 
> certificate='/etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:294]: fill_missing(): TLSs<default>: ca_list='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:301]: fill_missing(): TLSs<default>: crl='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:305]: fill_missing(): TLSs<default>: require_certificate=0
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:312]: fill_missing(): TLSs<default>: 
> cipher_list='!DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:319]: fill_missing(): TLSs<default>: 
> private_key='/etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:323]: fill_missing(): TLSs<default>: verify_certificate=0
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:326]: fill_missing(): TLSs<default>: verify_depth=9
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:670]: set_verification(): TLSs<default>: No client 
> certificate required and no checks performed
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:275]: fill_missing(): TLSc<default>: tls_method=12
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:287]: fill_missing(): TLSc<default>: certificate='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:294]: fill_missing(): TLSc<default>: ca_list='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:301]: fill_missing(): TLSc<default>: crl='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:305]: fill_missing(): TLSc<default>: require_certificate=1
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:312]: fill_missing(): TLSc<default>: cipher_list='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:319]: fill_missing(): TLSc<default>: private_key='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:323]: fill_missing(): TLSc<default>: verify_certificate=1
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:326]: fill_missing(): TLSc<default>: verify_depth=9
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
> [tls_domain.c:655]: set_verification(): TLSc<default>: Server MUST 
> present valid certificate
> 
> Would it be possible to compile the tls module with certain openssl 
> config switches (i.e. no-ec no-dh)?
> Any other ideas?
> 
> Best regards,
> Ilyas Keskin
> 
> On 24.11.2017 at 15:45, Daniel-Constantin Mierla wrote:
> > 
> > Hello,
> > 
> > 
> > On 23.11.17 22:42, Ilyas Keskin wrote:
> > > 
> > > Hi there,
> > > 
> > > I have set up a Kamailio 4.2.0 SIP server (CentOS 7) for a 
> > > university project regarding WebRTC communication. While kamailio 
> > > handles the signaling path I use the SIP.js demo phone js 
> > > application (hosted on the same machine as kamailio) for the actual 
> > > WebRTC stuff.
> > > For a deeper understanding and documentation purposes I have been 
> > > trying to sniff the traffic with wireshark but failed due to the 
> > > fact that kamailio uses an Elliptic Curve Diffie-Hellman cipher suite 
> > > (see wireshark snippet below) which is not decryptable.
> > > 
> > > Secure Sockets Layer
> > >     TLSv1.2 Record Layer: Handshake Protocol: Server Hello
> > >         Content Type: Handshake (22)
> > >         Version: TLS 1.2 (0x0303)
> > >         Length: 89
> > >         Handshake Protocol: Server Hello
> > >             Handshake Type: Server Hello (2)
> > >             Length: 85
> > >             Version: TLS 1.2 (0x0303)
> > >             Random: b8916e4e0f7c712503a77afcf4c9228598092c166353be50...
> > >             Session ID Length: 32
> > >             Session ID: b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...
> > >             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> > >             Compression Method: null (0)
> > >             Extensions Length: 13
> > >             Extension: renegotiation_info (len=1)
> > >             Extension: ec_point_formats (len=4)
> > > 
> > > I already tried importing the SSLKEYLOG pre-master secret captured 
> > > from Chrome and the private key file issued by Let's Encrypt, without success.
> > > 
> > > On top of that I set this line
> > > 
> > > SSLCipherSuite !DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > > 
> > > in /etc/httpd/conf.d/ssl.conf and compiled openssl with no-ec no-dh 
> > > (which worked, see below).
> > > 
> > > [admin@kamailio-sip ~]$ openssl ciphers
> > > SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
> > > [admin@kamailio-sip ~]$
> > > 
> > > 
> > > Setting
> > > 
> > > modparam("tls", "cipher_list", "AESCCM")
> > > 
> > > (or different ciphers) in /etc/kamailio/kamailio.cfg seems to have 
> > > no effect on the actual negotiated cipher suite.
> > > 
> > > Am I missing something? Any help or pointers in the right 
> > > direction will be much appreciated.
> > > 
> > > 
> > Are you also using tls.cfg? If yes, there is an attribute for the cipher 
> > list in it as well; try and see if it works with it.
> > 
> > Cheers,
> > Daniel
> > -- 
> > Daniel-Constantin Mierla
> > www.twitter.com/miconda -- www.linkedin.com/in/miconda
> > Kamailio Advanced Training - www.asipto.com
> > Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
> 
> 
> 
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
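
An added example, not part of the thread and not Kamailio code: it feeds the cipher strings quoted above to the OpenSSL library linked into the local Python and lists which TLS 1.2 (and older) suites actually end up enabled. Two rules from OpenSSL's ciphers(1) decide the outcome. A "!" rule deletes matching suites permanently, so they cannot reappear later in the string regardless of order; a "+" rule only moves suites that are already enabled to the end of the list and never adds any. In the posted string the only rule that enables anything is therefore RC4+RSA. "NONE" is not an OpenSSL keyword; unrecognised words are skipped, so NONE:AES128-SHA256 behaves exactly like AES128-SHA256. Suite names and counts depend on the local OpenSSL build (current builds ship without RC4, in which case the posted string matches nothing and OpenSSL rejects it outright), so the output will not match the 1.0.1e box in the posts. The helper names below are this example's own.

```python
"""Feed OpenSSL cipher-list strings (the format Kamailio's tls.cfg
cipher_list and Apache's SSLCipherSuite hand to SSL_CTX_set_cipher_list)
to the OpenSSL linked into this Python and report which TLS <= 1.2
suites actually end up enabled.

Added example for this thread, not Kamailio code; the helper names are
this example's own. Results depend on the local OpenSSL build.
"""
import re
import ssl

# The cipher strings quoted in the thread.
POSTED = "!DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
# otron's suggestion: the same rules with the !-exclusions moved to the end.
REORDERED = "RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:!DH:!ECDHE:!EDH:!ADH:!EXPORT56"
# The follow-up attempt. NONE is not an OpenSSL keyword; unknown words are
# skipped, so this is equivalent to plain AES128-SHA256.
RSA_ONLY = "NONE:AES128-SHA256"

_KX = re.compile(r"\bKx=(\S+)")


def enabled_suites(cipher_string):
    """Return [(suite_name, key_exchange)] for the TLS <= 1.2 suites that
    cipher_string enables, in OpenSSL's priority order.

    An empty list means OpenSSL refused the string because no available
    suite matched it (SSL_CTX_set_cipher_list returned 0, surfaced by
    Python as ssl.SSLError). On a build without RC4 that is what the
    posted string produces: every rule in it is a permanent '!' deletion
    or a '+' reorder, and '+' adds nothing, so RC4+RSA is the only term
    that can enable a suite.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    suites = []
    for c in ctx.get_ciphers():
        # TLS 1.3 suites are configured separately (SSL_CTX_set_ciphersuites)
        # and ignore the cipher-list string, so keep them out of the comparison.
        if c["protocol"] == "TLSv1.3":
            continue
        m = _KX.search(c["description"])
        suites.append((c["name"], m.group(1) if m else "?"))
    return suites


def uses_dh_key_exchange(suites):
    """True if any suite negotiates an (EC)DH shared secret (Kx=ECDH, DH,
    ECDHEPSK, DHEPSK). Such sessions cannot be decrypted with the server's
    RSA private key alone, which is the problem in the first post."""
    return any(kx.startswith(("ECDH", "DH")) for _, kx in suites)


if __name__ == "__main__":
    for label, s in (("posted", POSTED), ("reordered", REORDERED),
                     ("NONE:AES128-SHA256", RSA_ONLY), ("ALL", "ALL")):
        suites = enabled_suites(s)
        print("%-20s %3d suites enabled, (EC)DH key exchange present: %s"
              % (label, len(suites), uses_dh_key_exchange(suites)))
        for name, kx in suites[:4]:
            print("    %-32s Kx=%s" % (name, kx))
```

Running it shows that the posted string and otron's reordering yield the same result (either RC4-only or nothing at all, never an ECDHE suite), so the order of the "!" rules is not what kept ECDHE in play on the Kamailio side.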

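A second added example (again not from the thread) for the decryption question in the first post. Wireshark can decrypt a TLS 1.2 session from the server's RSA private key only when the negotiated suite uses static RSA key exchange (TLS_RSA_WITH_...), because only then is the pre-master secret encrypted to the certificate key. Any (EC)DHE suite, such as the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 in the quoted ServerHello, derives a fresh secret that the certificate key never protects, and only a per-session key log written by one endpoint (SSLKEYLOGFILE from the browser) can decrypt it. The parser below reads a ServerHello record and reports which case applies. The record it parses is constructed inline to match the field layout of the quoted capture (89-byte handshake, 32-byte session id, renegotiation_info and ec_point_formats extensions), not the captured bytes themselves, and the suite table holds only a handful of registry entries; both are this example's own.

```python
"""Parse a TLS ServerHello and decide whether the server's private key is
enough to decrypt the session (static RSA key exchange) or whether a
per-session key log is required ((EC)DHE and TLS 1.3).

Added example for this thread; the test vector is constructed, not a
capture, and the suite table is a small slice of the IANA registry.
"""
import struct

# Slice of the IANA TLS Cipher Suite registry; unknown ids are reported by number.
CIPHER_SUITES = {
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x003c: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009c: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009e: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xc030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3: always ephemeral (EC)DH
}


def suite_name(suite_id):
    return CIPHER_SUITES.get(suite_id, "unknown(0x%04x)" % suite_id)


def server_key_suffices(suite_id):
    """True only for static RSA key exchange: the client encrypts the
    pre-master secret to the certificate key, so that key decrypts the
    session. DHE, ECDHE, TLS 1.3 and unknown suites need a key log."""
    return suite_name(suite_id).startswith("TLS_RSA_WITH_")


def _take(buf, pos, n):
    """Slice n bytes at pos, refusing to read past the end of buf."""
    if pos + n > len(buf):
        raise ValueError("truncated at offset %d (need %d bytes)" % (pos, n))
    return buf[pos:pos + n], pos + n


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello; return the fields a
    decryption decision depends on. Raises ValueError on malformed input."""
    hdr, pos = _take(record, 0, 5)
    if hdr[0] != 0x16:
        raise ValueError("record type 0x%02x is not Handshake (22)" % hdr[0])
    body, _ = _take(record, pos, struct.unpack("!H", hdr[3:5])[0])
    hs_hdr, bpos = _take(body, 0, 4)
    if hs_hdr[0] != 0x02:
        raise ValueError("handshake type %d is not ServerHello (2)" % hs_hdr[0])
    hs, _ = _take(body, bpos, int.from_bytes(hs_hdr[1:4], "big"))
    pos = 0
    ver, pos = _take(hs, pos, 2)
    _random, pos = _take(hs, pos, 32)
    sid_len, pos = _take(hs, pos, 1)
    session_id, pos = _take(hs, pos, sid_len[0])
    suite, pos = _take(hs, pos, 2)
    comp, pos = _take(hs, pos, 1)
    extensions = []
    if pos < len(hs):  # extensions block is optional in TLS <= 1.2
        ext_len, pos = _take(hs, pos, 2)
        ext_data, pos = _take(hs, pos, struct.unpack("!H", ext_len)[0])
        epos = 0
        while epos < len(ext_data):
            ehdr, epos = _take(ext_data, epos, 4)
            etype, elen = struct.unpack("!HH", ehdr)
            _edata, epos = _take(ext_data, epos, elen)
            extensions.append(etype)
    if pos != len(hs):
        raise ValueError("%d trailing bytes in ServerHello" % (len(hs) - pos))
    suite_id = struct.unpack("!H", suite)[0]
    return {
        "version": struct.unpack("!H", ver)[0],
        "session_id": session_id,
        "cipher_suite": suite_id,
        "suite_name": suite_name(suite_id),
        "compression": comp[0],
        "extensions": extensions,
        "server_key_suffices": server_key_suffices(suite_id),
    }


def is_malformed(record):
    """True if parse_server_hello rejects the bytes."""
    try:
        parse_server_hello(record)
    except ValueError:
        return True
    return False


def build_server_hello(suite_id):
    """Constructed test vector (not a capture): a TLS 1.2 ServerHello laid
    out like the one quoted in the thread: 32-byte session id, null
    compression, renegotiation_info (0xff01) and ec_point_formats (0x000b)."""
    exts = (struct.pack("!HH", 0xff01, 1) + b"\x00"
            + struct.pack("!HH", 0x000b, 4) + b"\x03\x00\x01\x02")
    body = (struct.pack("!H", 0x0303) + bytes(range(32)) + b"\x20" + bytes(32)
            + struct.pack("!H", suite_id) + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0303, len(hs)) + hs


if __name__ == "__main__":
    for sid in (0xc02f, 0x003c):
        info = parse_server_hello(build_server_hello(sid))
        print("%-40s server key decrypts session: %s"
              % (info["suite_name"], info["server_key_suffices"]))
```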
