<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.E-MailFormatvorlage18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="DE" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">any error messages related to tls in the kamailio.log? Do you see in the logs that its actually set the ciphers?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">If you are using also a dedicated tls.cfg, you might need to place the cipher_list there.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Henning<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:35.4pt"><b><span lang="EN-GB">From:</span></b><span lang="EN-GB"> sr-users <sr-users-bounces@lists.kamailio.org>
<b>On Behalf Of </b>???? ????????<br>
</span><b>Sent:</b> Tuesday, August 2, 2022 3:14 PM<br>
<b>To:</b> sr-users@lists.kamailio.org<br>
<b>Subject:</b> [SR-Users] Support of ECDHE cipher suites for tls connection in kamailio<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-left:35.4pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">Hello.<br>
I have a question about support of ECDHE cipher suites in kamailio-5.6.0 in centos7 with installed OpenSSL 1.0.2k-fips. We received kamailio with its modules from
<a href="https://rpm.kamailio.org/">https://rpm.kamailio.org/</a>.<br>
Our client can use only cipher suites:<br>
<br>
TLS_AES_256_GCM_SHA384 (0x1302)<br>
TLS_CHACHA20_POLY1305_SHA256 (0x1303)<br>
TLS_AES_128_GCM_SHA256 (0x1301)<br>
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)<br>
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)<br>
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)<br>
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)<br>
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)<br>
<br>
And some of them are supported by our openssl:<br>
<br>
$ openssl cipher -V<br>
...<br>
0xC0,0x14 - ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1<br>
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1<br>
...<br>
0xC0,0x13 - ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1<br>
0xC0,0x09 - ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1<br>
...<br>
<br>
But when trying to connect with, for example, cipher suite ECDHE-RSA-AES256-SHA (the same with other 3 cipher suites), we receive, that it is not allowed:<br>
<br>
$ openssl s_client -connect ${kamailio-serper-ip}:${kamailio-server-port} -cipher ECDHE-RSA-AES256-SHA<br>
...<br>
SSL handshake has read 7 bytes and written 121 bytes<br>
---<br>
New, (NONE), Cipher is (NONE)<br>
Secure Renegotiation IS NOT supported<br>
Compression: NONE<br>
Expansion: NONE<br>
No ALPN negotiated<br>
SSL-Session:<br>
Protocol : TLSv1.2<br>
Cipher : 0000<br>
...<br>
<br>
To exclude the influence of other factors, I installed nginx on the same machine with usage of the same tls certificate and it can use cipher suites ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA.<br>
<br>
$ openssl s_client -connect ${nginx-serper-ip}:${nginx-server-port} -cipher ECDHE-RSA-AES256-SHA<br>
...<br>
SSL handshake has read 3271 bytes and written 406 bytes<br>
Verification: OK<br>
---<br>
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA<br>
Server public key is 2048 bit<br>
Secure Renegotiation IS supported<br>
Compression: NONE<br>
Expansion: NONE<br>
No ALPN negotiated<br>
SSL-Session:<br>
Protocol : TLSv1.2<br>
Cipher : ECDHE-RSA-AES256-SHA<br>
...<br>
<br>
So, the reason of failed handshake is, probably, kamailio.<br>
Tried to add cipher_list modparam:<br>
<br>
modparam("tls", "cipher_list", "ECDHE-RSA-AES256-SHA")<br>
<br>
but result is the same:<br>
<br>
$ openssl s_client -connect ${kamailio-serper-ip}:${kamailio-server-port} -cipher ECDHE-RSA-AES256-SHA<br>
...<br>
SSL handshake has read 7 bytes and written 121 bytes<br>
---<br>
New, (NONE), Cipher is (NONE)<br>
Secure Renegotiation IS NOT supported<br>
Compression: NONE<br>
Expansion: NONE<br>
No ALPN negotiated<br>
SSL-Session:<br>
Protocol : TLSv1.2<br>
Cipher : 0000<br>
...<br>
<br>
Can you, please, help me to add support of cipher suites ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA to kamailio?<o:p></o:p></p>
</div>
</div>
</body>
</html>