<div dir="ltr">Hi Arik,<div>I think that the problem is that you are using a configuration file for tls.</div><div>In this case you have to specify there the parameters like ciphers, because the module's ones will be ignored: <a href="http://www.kamailio.org/docs/modules/5.3.x/modules/tls.html#tls.p.config">http://www.kamailio.org/docs/modules/5.3.x/modules/tls.html#tls.p.config</a>.</div><div><br></div><div>Cheers,</div><div><br></div><div>Federico</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Dec 22, 2019 at 6:16 PM Arik Halperin <<a href="mailto:arik.halperin@s3code.com">arik.halperin@s3code.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;">Federico, Thank you<div><br></div><div>I added these lines to my config:</div><div><br></div><div><div>#!ifdef WITH_TLS</div><div># ----- tls params -----</div><div>modparam("tls","config","/usr/local/etc/kamailio/tls.cfg")</div><div>modparam("tls", "cipher_list", "HIGH")</div><div>modparam("tls", "tls_method", "TLSv1.2+")</div><div>#!endif</div></div><div><br></div><div>But it still doesn’t work. </div><div><br></div><div>I ran this test, but it still says:</div><div><br></div><div><table style="border-collapse:collapse;width:850px;margin:0px 10px 0px 0px;padding:0px;font-size:12px;line-height:20px;font-family:Arial,Helvetica,sans-serif;background-color:rgb(253,253,253)"><thead><tr><td id="gmail-m_2815738791719816572suitesHeading" colspan="3" style="color:rgb(0,157,223);font-weight:bold;padding-bottom:5px;vertical-align:middle;border-bottom:2px solid rgb(198,210,212);font-size:13px">Cipher Suites</td></tr></thead><tbody id="gmail-m_2815738791719816572suitesBody"><tr><td colspan="3" style="color:rgb(0,157,223);font-weight:bold;padding-bottom:5px;vertical-align:middle;padding-top:15px;border-bottom:1px solid rgb(198,210,212)"><span id="gmail-m_2815738791719816572hidecipher1" style="text-align:center;display:block;width:14px;height:14px;float:right"><img src="https://www.ssllabs.com/images/collapse.png" width="14" height="14" style="border: none;"></span><div style="float:left;width:825px"># TLS 1.0 (suites in server-preferred order)</div></td></tr></tbody><tbody><tr><td style="padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="#F88017">TLS_RSA_WITH_AES_256_CBC_SHA (<code>0x35</code>) <b>WEAK</b></font></td><td style="width:50px;text-align:right;padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="#F88017">256</font></td></tr><tr><td style="padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="#F88017">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (<code>0x84</code>) <b>WEAK</b></font></td><td style="width:50px;text-align:right;padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="#F88017">256</font></td></tr><tr><td style="padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="#F88017">TLS_RSA_WITH_AES_128_CBC_SHA (<code>0x2f</code>) <b>WEAK</b></font></td><td style="width:50px;text-align:right;padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="#F88017">128</font></td></tr><tr><td style="padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="#F88017">TLS_RSA_WITH_SEED_CBC_SHA (<code>0x96</code>) <b>WEAK</b></font></td><td style="width:50px;text-align:right;padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="#F88017">128</font></td></tr><tr><td style="padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="#F88017">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (<code>0x41</code>) <b>WEAK</b></font></td><td style="width:50px;text-align:right;padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="#F88017">128</font></td></tr><tr><td style="padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="red">TLS_RSA_WITH_RC4_128_SHA (<code>0x5</code>) <b>INSECURE</b></font></td><td style="width:50px;text-align:right;padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="red">128</font></td></tr><tr><td style="padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="red">TLS_RSA_WITH_RC4_128_MD5 (<code>0x4</code>) <b>INSECURE</b></font></td><td style="width:50px;text-align:right;padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="red">128</font></td></tr><tr><td style="padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle"><font color="#F88017">TLS_RSA_WITH_3DES_EDE_CBC_SHA (<code>0xa</code>) <b>WEAK</b></font></td></tr></tbody></table><div><br></div><div><br></div>I don’t know how to get rid of the insecure ones. </div><div><br></div><div>Best Regards,</div><div>Arik<br><div><br></div></div><div><div><br><blockquote type="cite"><div>On 10 Dec 2019, at 9:03, Federico Cabiddu <<a href="mailto:federico.cabiddu@gmail.com" target="_blank">federico.cabiddu@gmail.com</a>> wrote:</div><br><div><div dir="ltr">Hi,<div>for enabling a specific set of ciphers have a look at tls module's cipher_list param: <a href="http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list" target="_blank">http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list</a>.</div><div>For supporting specific versions of TLS look at tls_method param: <a href="http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method" target="_blank">http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method</a>.</div><div><br></div><div>Cheers,</div><div><br></div><div>Federico</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Dec 10, 2019 at 7:30 AM Arik Halperin <<a href="mailto:arik.halperin@s3code.com" target="_blank">arik.halperin@s3code.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Hello,<div><br></div><div>How can I disable:</div><div><br></div><div><font color="#F88017"><br></font><font color="red">TLS_RSA_WITH_RC4_128_SHA (<code>0x5</code>) <b>INSECURE</b></font><font color="red">128</font></div><div><font color="red"><br></font></div><div><font color="red">TLS_RSA_WITH_RC4_128_MD5 (<code>0x4</code>) <b>INSECURE</b></font><font color="red">128</font></div><div><font color="#F88017"><br></font></div><div>What should I put in cypher_list in order to disable the above?</div><div><br></div><div>I would also like support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1</div><div><br></div><div>Thanks,</div><div>Arik Halperin</div></div>_______________________________________________<br>
Kamailio (SER) - Users Mailing List<br>
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote></div>
_______________________________________________<br>Kamailio (SER) - Users Mailing List<br><a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br></div></blockquote></div><br></div></div>_______________________________________________<br>
Kamailio (SER) - Users Mailing List<br>
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote></div>