Hello,
Any error messages related to TLS in the kamailio.log? Do you see in the logs that it actually sets the ciphers?
If you are also using a dedicated tls.cfg, you might need to place the cipher_list there.
Cheers,
Henning
From: sr-users sr-users-bounces@lists.kamailio.org On Behalf Of ???? ????????
Sent: Tuesday, August 2, 2022 3:14 PM
To: sr-users@lists.kamailio.org
Subject: [SR-Users] Support of ECDHE cipher suites for tls connection in kamailio

Hello. I have a question about support of ECDHE cipher suites in kamailio-5.6.0 on centos7 with OpenSSL 1.0.2k-fips installed. We received kamailio with its modules from https://rpm.kamailio.org/. Our client can use only these cipher suites:
TLS_AES_256_GCM_SHA384 (0x1302)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_128_GCM_SHA256 (0x1301)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
And some of them are supported by our openssl:
$ openssl ciphers -V
...
0xC0,0x14 - ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH  Au=RSA    Enc=AES(256)  Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH  Au=ECDSA  Enc=AES(256)  Mac=SHA1
...
0xC0,0x13 - ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH  Au=RSA    Enc=AES(128)  Mac=SHA1
0xC0,0x09 - ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH  Au=ECDSA  Enc=AES(128)  Mac=SHA1
...
But when trying to connect with, for example, cipher suite ECDHE-RSA-AES256-SHA (the same with the other 3 cipher suites), we receive that it is not allowed:
$ openssl s_client -connect ${kamailio-server-ip}:${kamailio-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
...
To exclude the influence of other factors, I installed nginx on the same machine using the same TLS certificate, and it can use cipher suites ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA.
$ openssl s_client -connect ${nginx-server-ip}:${nginx-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 3271 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
...
So the reason for the failed handshake is probably kamailio. I tried to add the cipher_list modparam:
modparam("tls", "cipher_list", "ECDHE-RSA-AES256-SHA")
but the result is the same:
$ openssl s_client -connect ${kamailio-server-ip}:${kamailio-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
...
Can you please help me add support for the cipher suites ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA to kamailio?
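As an added check that is not part of this thread or of Kamailio's own tooling: a small Python script that repeats the openssl s_client probe used above for each suite the client needs and parses the result, so the Kamailio listener and the nginx listener on the same host can be compared side by side after a cipher_list change. The REQUIRED list, the two constructed sample outputs, and the host/port arguments are assumptions.

```python
import re
import subprocess

# The ECDHE-RSA suites the question asks for, by OpenSSL name (assumed list;
# the ECDHE-ECDSA suites in the client's list would also need an ECDSA cert).
REQUIRED = ["ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA"]

# Constructed samples mirroring the two s_client results quoted in the thread.
SAMPLE_REJECTED = """New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""
SAMPLE_ACCEPTED = """New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
"""

_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)

def parse_s_client(output):
    """Read protocol and cipher from the SSL-Session block of s_client output;
    a cipher of '0000' (or no SSL-Session block at all) means the handshake failed."""
    proto = _PROTO_RE.search(output)
    cipher = _CIPHER_RE.search(output)
    name = cipher.group(1) if cipher else "0000"
    ok = name != "0000"
    return {"ok": ok, "protocol": proto.group(1) if proto else None,
            "cipher": name if ok else None}

def probe(host, port, cipher, timeout=10):
    """Offer exactly one cipher to host:port with openssl s_client (flags that
    exist in OpenSSL 1.0.2 and later) and report whether the server accepted it."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
           "-cipher", cipher]
    res = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_s_client(res.stdout.decode("utf-8", "replace"))

def check_required(host, port, ciphers=REQUIRED):
    """Probe every required suite; run once against the Kamailio port and once
    against the nginx port to see which listener rejects what."""
    return {c: probe(host, port, c) for c in ciphers}

if __name__ == "__main__":
    import sys
    for name, r in check_required(sys.argv[1], int(sys.argv[2])).items():
        print("%-24s %s" % (name, "OK" if r["ok"] else "REJECTED"))
```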