<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p class="MsoNormal">I have a question about deploying TLSv1.2 with Kamailio 4.3.4-1 on a Lubuntu 16.4.3 desktop environment. I changed the Kamailio default <i>tls.cfg</i> file under the section [server:default] to “method=TLSv1.2” and am using OpenSSL 1.0.2g from the Lubuntu repository. All the programs were loaded through the Synaptic Package Manager.</p>
<p class="MsoNormal">My question is whether this version of Kamailio supports the cipher suite ECDHE-RSA-AES256-GCM-SHA384. My version of OpenSSL lists it as an option, but the highest strength cipher that the Kamailio 4.3.4 server seems to accept is RSA-AES256-GCM-SHA384. My (limited) understanding is that ECDHE is a better method of key exchange than RSA because it is ephemeral, with forward secrecy.</p>
<p class="MsoNormal">I used Wireshark to look at the connection protocols for the SIP clients Jitsi and Blink with the Kamailio server. Jitsi offers only four cipher choices, of what I understand are considered compromised-security TLS protocols, and it connected with the RSA-AES128-CBC-SHA cipher. Blink offers 65 cipher choices, starting with ECDHE-RSA-AES256-GCM-SHA384. My Kamailio server accepted the 29<sup>th</sup> offering on the list, RSA-AES256-GCM-SHA384. Unless I am missing something, Kamailio 4.3.4 doesn’t seem to support ephemeral DH key exchanges. Is there some other TLS configuration file or setting for Kamailio that can be changed to allow this?</p>
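<p class="MsoNormal">The setting the question is looking for is the tls.cfg <code>cipher_list</code> key, which takes an OpenSSL cipher-list string and can be set per section alongside <code>method</code>. The script below is an added example, not part of the original post and not Kamailio's own code: it expands a candidate <code>cipher_list</code> value exactly as OpenSSL would, so you can see which suites a server honouring it could accept, and whether they all use ephemeral (ECDHE/DHE) key exchange, before restarting Kamailio. The two list values are constructed for illustration; <code>AES256-GCM-SHA384</code> is the OpenSSL name for what Wireshark shows as TLS_RSA_WITH_AES_256_GCM_SHA384. It assumes Python 3.6 or later with an OpenSSL-backed <code>ssl</code> module.</p>

```python
# Added example (not from the post, not Kamailio code): expand a Kamailio
# tls.cfg cipher_list value the way OpenSSL does and classify the result by
# key exchange. Assumes Python 3.6+ with an OpenSSL-backed ssl module.
import ssl

# Constructed tls.cfg cipher_list values for the [server:default] section,
# i.e. the value you would put after "cipher_list=" next to "method=TLSv1.2".
# PERMISSIVE_LIST still admits static-RSA suites such as AES256-GCM-SHA384
# (TLS_RSA_WITH_AES_256_GCM_SHA384), which have no forward secrecy.
# ECDHE_ONLY_LIST admits only ECDHE suites, so a server honouring it can
# never negotiate a non-ephemeral key exchange.
PERMISSIVE_LIST = "HIGH:!aNULL:!MD5"
ECDHE_ONLY_LIST = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
                   "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256")


def tls12_suites(cipher_list):
    """Return the TLS 1.2 suite names OpenSSL selects for cipher_list,
    in the preference order OpenSSL derives from the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    # On OpenSSL 1.1.1+ the TLS 1.3 suites are configured separately and are
    # always listed here; drop them, since the question concerns TLSv1.2.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_ephemeral(name):
    """True when the suite uses an ephemeral key exchange (forward secrecy).
    OpenSSL names such suites with an ECDHE- or DHE- prefix; names without it
    (AES256-GCM-SHA384, AES128-SHA, ...) use static RSA key transport."""
    return name.startswith(("ECDHE-", "DHE-"))


def audit(cipher_list):
    """Split the suites a cipher_list yields into ephemeral and static ones."""
    suites = tls12_suites(cipher_list)
    return {
        "first": suites[0] if suites else None,
        "ephemeral": [s for s in suites if is_ephemeral(s)],
        "static": [s for s in suites if not is_ephemeral(s)],
    }


if __name__ == "__main__":
    for label, value in (("permissive", PERMISSIVE_LIST),
                         ("ECDHE only", ECDHE_ONLY_LIST)):
        result = audit(value)
        print("%s: first=%s, %d ephemeral, %d static" % (
            label, result["first"],
            len(result["ephemeral"]), len(result["static"])))
        for suite in result["static"]:
            print("  no forward secrecy:", suite)
```

<p class="MsoNormal">Two caveats a practitioner should keep in mind. First, listing ECDHE suites is necessary but not sufficient: with OpenSSL 1.0.2 a server application must also enable an ECDH curve (via SSL_CTX_set_ecdh_auto or SSL_CTX_set_tmp_ecdh) before any ECDHE suite becomes selectable, and if the application does not, those suites are skipped even though the client offers them and the cipher list contains them. Whether a particular Kamailio build does this is beyond what a cipher-list check can tell you. Second, therefore, confirm on the wire after changing tls.cfg: <code>openssl s_client -connect host:5061 -cipher ECDHE-RSA-AES256-GCM-SHA384</code> forces that single suite, and a handshake failure where the permissive list succeeds tells you the server side is the limiting factor rather than the client.</p>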
</body>
</html>