
List:       serusers
Subject:    Re: [SR-Users] TLSv1.3 support
From:       Henning Westerholt <hw () gilawa ! com>
Date:       2022-08-17 16:09:44
Message-ID: AM6PR05MB5409AC85CCEE5FB0A5A40AB4BF6A9 () AM6PR05MB5409 ! eurprd05 ! prod ! outlook ! com

For completeness - there is also another commit which is necessary: c73a4127dfab6
This is work in progress, but tests are always welcome.

From: Henning Westerholt
Sent: Wednesday, August 17, 2022 3:59 PM
To: Helio <hok.sh10@gmail.com>
Cc: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: RE: [SR-Users] TLSv1.3 support

Hello,

Please keep the list in CC.

Regarding opening a new TLS 1.3 connection, this should work, but I did not test it
right now. If not, open an issue on our tracker.

Regarding the option to restrict to only TLSv1.3 connections - I have added support
for configuring this to git master version in commit 105600b3.

Maybe you can give it a try, the patch should probably apply to 5.6.x branch.

Cheers,

Henning

From: Helio <hok.sh10@gmail.com>
Sent: Wednesday, August 17, 2022 2:52 PM
To: Henning Westerholt <hw@gilawa.com>
Subject: Re: [SR-Users] TLSv1.3 support

Regarding the full support, I would like to know if Kamailio can start a TLSv1.3
connection as a client. Another point is if we can restrict to accept only TLS v1.3
and not TLSv1.2 for instance.

Thanks,
Helio

On Tue, Aug 16, 2022 at 11:45, Henning Westerholt <hw@gilawa.com> wrote:

Hello,

not sure about the question about "full support", maybe you can add details.

Kamailio supports connection with TLSv1.3:

$ openssl s_client -connect kam04.tst.domain.net:5061 -tls1_3 2>&1 | tail -n 10
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Cheers,

Henning

From: sr-users <sr-users-bounces@lists.kamailio.org> On Behalf Of Helio
Sent: Monday, August 15, 2022 8:01 PM
To: sr-users@lists.kamailio.org
Subject: [SR-Users] TLSv1.3 support

Hello,
I noticed that Kamailio has the option TLSv1.2+. Does Kamailio support full TLSv1.3?
Or does it have any restrictions?
BR,
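
Added example, not part of the original thread: a shell check built on the s_client call quoted above, for confirming that a listener restricted to TLSv1.3 really refuses a TLSv1.2 offer. The function names and the script name check_tls13.sh are made up for illustration; the sample lines are embedded so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a TLS listener accepts
# only TLSv1.3 by offering one protocol version at a time.

# Read `openssl s_client` output on stdin and print the negotiated protocol
# (e.g. "TLSv1.3"). Prints nothing when the handshake failed, in which case
# s_client reports "New, (NONE), Cipher is (NONE)".
negotiated_protocol() {
    sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is .*$/\1/p' | head -n 1
}

# Offer exactly one version to host:port.
# $1 = host:port, $2 = -tls1_2 or -tls1_3
probe() {
    openssl s_client -connect "$1" "$2" </dev/null 2>&1 | negotiated_protocol
}

# Succeeds only if the TLSv1.2 probe negotiated nothing and the TLSv1.3
# probe negotiated TLSv1.3.
tls13_only() {
    [ -z "$1" ] && [ "$2" = "TLSv1.3" ]
}

# s_client summary lines as quoted in the thread.
SAMPLE_OK='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Verify return code: 0 (ok)'
# Constructed sample: what s_client prints when the server refuses the version.
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# Run against a live listener only when a target is given, e.g.
#   sh check_tls13.sh kam04.tst.domain.net:5061   (hypothetical script name)
if [ $# -ge 1 ]; then
    v12=$(probe "$1" -tls1_2)
    v13=$(probe "$1" -tls1_3)
    echo "TLSv1.2 offer -> ${v12:-refused}"
    echo "TLSv1.3 offer -> ${v13:-refused}"
    if tls13_only "$v12" "$v13"; then
        echo "listener is TLSv1.3-only"
    else
        echo "listener not confirmed as TLSv1.3-only"
        exit 1
    fi
fi
```

An empty result for both probes usually means the listener was unreachable rather than restricted, which is why the check requires a successful TLSv1.3 handshake as well as a refused TLSv1.2 one.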

