<div dir="ltr">Hi,<div><br></div><div>it also depends on the version of OpenSSL Kamailio was compiled against...</div><div><br></div><div>I can confirm that Kamailio supports Elliptic Curve Diffie-Hellman (ECDHE), as I added support for it... ;-)</div><div><br></div><div>Thanks,</div><div>Carsten</div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-01-03 9:46 GMT+01:00 Karsten Horsmann <span dir="ltr"><<a href="mailto:khorsmann@gmail.com" target="_blank">khorsmann@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Hello,<div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">There is an ssldump example on the <a href="http://kamailio.org" target="_blank">kamailio.org</a> wiki to see the cipher suites. </div><div dir="auto"><br></div><div dir="auto">AFAIK it depends on your certificate/CA and how you create it.</div><div dir="auto"><br></div><div dir="auto">I see this with a test self-signed certificate that I did with one cipher only. </div><div dir="auto"><br></div><div dir="auto">And of course your client needs support for it. </div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On 02.01.2018 5:16 PM, "Steve" <<a href="mailto:smh2017@zoho.com" target="_blank">smh2017@zoho.com</a>> wrote:<br type="attribution"></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<div text="#000000" bgcolor="#FFFFFF">
<p class="MsoNormal">I have a question about deploying TLSv1.2
with Kamailio
4.3.4-1 on a Lubuntu 16.4.3 desktop environment. I changed the
Kamailio default
<i>tls.cfg</i> file under the
section
[server:default] to “method=TLSv1.2” and am using OpenSSL 1.0.2g from the Lubuntu
repository. All the programs
were loaded through the Synaptic Package Manager.
</p>
<p class="MsoNormal">My question is whether this version of
Kamailio supports the
cipher suite ECDHE-RSA-AES256-GCM-SHA384. My version of OpenSSL
lists it as an
option, but the highest strength cipher that the Kamailio 4.3.4
server seems to
accept is RSA-AES256-GCM-SHA384. My (limited) understanding is
that ECDHE is a
better method of key exchange than RSA because it is ephemeral
with forward
secrecy. </p>
<p class="MsoNormal">I used Wireshark to look at the connection
protocols for SIP
clients Jitsi and Blink with the Kamailio server. Jitsi offers
only four cipher
choices of what I understand are considered compromised security
TLS protocols
and it connected with the RSA-AES128-CBC-SHA cipher. Blink
offers 65 cipher
choices, starting with ECDHE-RSA-AES256-GCM-SHA384. My Kamailio
server accepted
the 29<sup>th</sup> offering on the list, RSA-AES256-GCM-SHA384.
Unless I am
missing something, Kamailio 4.3.4 doesn’t seem to support
ephemeral DH key
exchanges. Is there some other TLS configuration file or setting
for Kamailio that
can be changed to allow this?</p>
</div>
<br></div></div>______________________________<wbr>_________________<br>
Kamailio (SER) - Users Mailing List<br>
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi<wbr>-bin/mailman/listinfo/sr-users</a><br>
<br></blockquote></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Carsten Bock<br>CEO (Managing Director)<br><br>ng-voice GmbH<br>Millerntorplatz 1<br>20359 Hamburg / Germany<br><br><a href="http://www.ng-voice.com" target="_blank">http://www.ng-voice.com</a><br>mailto:<a href="mailto:carsten@ng-voice.com" target="_blank">carsten@ng-voice.com</a><br><br>Office +49 40 5247593-40<br>Fax +49 40 5247593-99<br><br>Registered office: Hamburg<br>Commercial register: Amtsgericht Hamburg, HRB 120189<br>Managing Director: Carsten Bock<br>VAT ID: DE279344284<br><br>Our mandatory company information can be found here:<br><a href="http://www.ng-voice.com/imprint/" target="_blank">http://www.ng-voice.com/imprint/</a></div>
</div>
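Added example, not part of the original thread and not Kamailio code: a Python sketch for reading a capture like the one described above. It asks the local OpenSSL which key exchange each suite uses, then shows which offered suite is negotiated when ephemeral suites are unusable on the server. The shortened offer list is constructed, and the selection function assumes the server follows the client's preference order.

```python
import ssl

# Key-exchange labels from ssl.SSLContext.get_ciphers() that give forward
# secrecy; "kx-any" is how OpenSSL labels TLS 1.3 suites (always ephemeral).
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def local_suites(cipher_string="ALL:!aNULL:!eNULL"):
    """Map suite name -> key-exchange label for what the local OpenSSL enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["kea"] for c in ctx.get_ciphers()}


def is_forward_secret(name, suites=None):
    """True if the named suite uses an ephemeral key exchange (None if unknown)."""
    kx = (suites or local_suites()).get(name)
    return None if kx is None else kx in EPHEMERAL_KX


def server_choice(client_offer, server_usable):
    """First offered suite the server can use, as (1-based position, name)."""
    for pos, name in enumerate(client_offer, 1):
        if name in server_usable:
            return pos, name
    return None


# Constructed, shortened ClientHello offer in client preference order
# (OpenSSL suite names; not the 65-entry list from the capture).
OFFER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES256-GCM-SHA384",
    "AES128-SHA",
]

if __name__ == "__main__":
    known = local_suites()
    static_only = {n for n in OFFER if known.get(n) == "kx-rsa"}
    for label, usable in (("all suites usable", set(OFFER)),
                          ("static RSA only", static_only)):
        pos, name = server_choice(OFFER, usable)
        print(f"{label}: picks #{pos} {name}, "
              f"forward secret={is_forward_secret(name, known)}")
```

A negotiated suite that sits below ECDHE entries in the client's offer, as in the second case, indicates that the server side could not use the ephemeral suites.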