Hi there,
I have set up a Kamailio 4.2.0 SIP server (centOS 7) for a
          university project regarding WebRTC comunication. While
          kamailio handles the signaling path I use the SIP.js demo
          phone js application (hosted on the same machine as kamaillio)
          for actual WebRTC stuff. 


For a deeper understanding and documetation purposes I
          have been trying to sniff the traffic with wireshark but
          failed due to the fact that kamailio uses Elliptic Curve
          Diffie Hellmann cipher suite (see wireshark snippet below)
          which is not decryptable.


Secure Sockets Layer


    TLSv1.2 Record Layer: Handshake Protocol: Server
          Hello


        Content Type: Handshake (22)


        Version: TLS 1.2 (0x0303)


        Length: 89


        Handshake Protocol: Server Hello


            Handshake Type: Server Hello (2)


            Length: 85


            Version: TLS 1.2 (0x0303)


            Random:
          b8916e4e0f7c712503a77afcf4c9228598092c166353be50...


            Session ID Length: 32


            Session ID:
          b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...


            Cipher Suite:
          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)


            Compression Method: null (0)


            Extensions Length: 13


            Extension: renegotiation_info (len=1)


            Extension: ec_point_formats (len=4)
I already tried importing captured SSLKEYLOG pre master
          secret from chrome and private key file issued by letsencrypt
          without success.


On top of that I set this line 

        
    SSLCipherSuite
!DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
          

in /etc/httpd/conf.d/ssl.conf and compiled openssl with
          no-ec no-dh (which worked see below).
[admin@kamailio-sip ~]$ openssl ciphers

SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA

          [admin@kamailio-sip ~]$


Setting 

        
    modparam("tls", "cipher_list", "AESCCM") 

        
(or different ciphers) in /etc/kamailio/kamailio.cfg seems
          to have no effect on the actual negoiated cipher suite.

        
Am I missing something? Any help or pointers into the right
          direction will be much appreciated.
are you also using tls.cfg? If yes, there is an attribute for
      chiper list in it as well, try and see if works with it.

      
      Cheers,

      Daniel

    
-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com