Pre-Submission Checklist

Type Of Change

Checklist:

Description

In TLS WolfSSL, enable initialization of the cipher_list from the domain config.
Also from this setting kamailio exposes dangerous ciphers like RC4, NULL
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_ECDHE_ECDSA_WITH_AES_128_CCM (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256-draft (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_NULL_SHA (secp256r1) - F
| TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 - unknown
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_PSK_WITH_NULL_SHA256 (secp256r1) - F
| compressors:
| NULL
| cipher preference: server
| warnings:
| Broken cipher RC4 is deprecated by RFC 7465
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_AKE_WITH_AES_128_CCM_SHA256 (secp256r1) - A
| TLS_AKE_WITH_AES_128_CCM_8_SHA256 (secp256r1) - A
| TLS_AKE_WITH_NULL_SHA256 (secp256r1) - F
| TLS_AKE_WITH_NULL_SHA384 (secp256r1) - F
| cipher preference: server
|_ least strength: unknown

After apply patch:
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CCM (secp256r1) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| cipher preference: server
|_ least strength: A

version: kamailio 5.8.3 (x86_64/linux) 6f8a04-dirty
AlmaLinux release 8.10 (Cerulean Leopard)

You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/4012

Commit Summary

File Changes

(1 file)

Patch Links:


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <kamailio/kamailio/pull/4012@github.com>