<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello,<br>
</p>
<br>
<div class="moz-cite-prefix">On 23.11.17 22:42, Ilyas Keskin wrote:<br>
</div>
<blockquote type="cite"
cite="mid:8380a96b-a9d9-1761-48e3-f5bfd74b7a28@gmx.de">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<p><tt>Hi there,</tt></p>
<p><tt>I have set up a Kamailio 4.2.0 SIP server (centOS 7) for a
university project regarding WebRTC comunication. While
kamailio handles the signaling path I use the SIP.js demo
phone js application (hosted on the same machine as kamaillio)
for actual WebRTC stuff. </tt><tt><br>
</tt><tt>For a deeper understanding and documetation purposes I
have been trying to sniff the traffic with wireshark but
failed due to the fact that kamailio uses Elliptic Curve
Diffie Hellmann cipher suite (see wireshark snippet below)
which is not decryptable.</tt><tt><br>
</tt></p>
<p><tt>Secure Sockets Layer</tt><tt><br>
</tt><tt> TLSv1.2 Record Layer: Handshake Protocol: Server
Hello</tt><tt><br>
</tt><tt> Content Type: Handshake (22)</tt><tt><br>
</tt><tt> Version: TLS 1.2 (0x0303)</tt><tt><br>
</tt><tt> Length: 89</tt><tt><br>
</tt><tt> Handshake Protocol: Server Hello</tt><tt><br>
</tt><tt> Handshake Type: Server Hello (2)</tt><tt><br>
</tt><tt> Length: 85</tt><tt><br>
</tt><tt> Version: TLS 1.2 (0x0303)</tt><tt><br>
</tt><tt> Random:
b8916e4e0f7c712503a77afcf4c9228598092c166353be50...</tt><tt><br>
</tt><tt> Session ID Length: 32</tt><tt><br>
</tt><tt> Session ID:
b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...</tt><tt><br>
</tt><tt> Cipher Suite:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)</tt><tt><br>
</tt><tt> Compression Method: null (0)</tt><tt><br>
</tt><tt> Extensions Length: 13</tt><tt><br>
</tt><tt> Extension: renegotiation_info (len=1)</tt><tt><br>
</tt><tt> Extension: ec_point_formats (len=4)</tt><font
face="Courier New, Courier, monospace"><br>
</font><br>
</p>
<p><tt>I already tried importing captured SSLKEYLOG pre master
secret from chrome and private key file issued by letsencrypt
without success.</tt><tt><br>
</tt></p>
<p><tt>On top of that I set this line <br>
</tt></p>
<p><tt> SSLCipherSuite
!DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
<br>
</tt></p>
<p><tt>in /etc/httpd/conf.d/ssl.conf and compiled openssl with
no-ec no-dh (which worked see below).</tt></p>
<p><tt>[admin@kamailio-sip ~]$ openssl ciphers<br>
SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA<br>
[admin@kamailio-sip ~]$</tt></p>
<p><tt><br>
</tt></p>
<p><tt>Setting <br>
</tt></p>
<p><tt> modparam("tls", "cipher_list", "AESCCM") <br>
</tt></p>
<p><tt>(or different ciphers) in /etc/kamailio/kamailio.cfg seems
to have no effect on the actual negoiated cipher suite.<br>
</tt></p>
<p><tt>Am I missing something? Any help or pointers into the right
direction will be much appreciated.</tt></p>
<br>
</blockquote>
<tt>are you also using tls.cfg? If yes, there is an attribute for
chiper list in it as well, try and see if works with it.<br>
<br>
Cheers,<br>
Daniel<br>
</tt>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
Kamailio World Conference - May 14-16, 2018 - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
</body>
</html>