Re: [SR-Users] TLSv1.2 and weak ciphers

Well, properly formulating the question is half-way to the solution :) I had to add cipher_list = HIGH:!ADH:!AECDH And all anon ciphers are gone. I hope this helps someone :) From: sr-users [mailto:sr-users-bounces@lists.sip-router.org] On Behalf Of Attila Megyeri Sent: Monday, May 4, 2015 2:18 PM To: Kamailio (SER) - Users Mailing List Subject: [SR-Users] TLSv1.2 and weak ciphers Hi Daniel, Kamailio folks, We are trying to make our server more secure, but we have some issues. Right now, we have set the TLS method to method = TLSv1+ and cipher_list = HIGH The problem is, that there are still cipher suites offered which are not secure. E.g. If I check with the SSLLabs analizer, I see: This server supports anonymous (insecure) suites (see below for details). Grade set to F. Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 3072 bits (p: 384, g: 1, Ys: 384) FS 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 3072 bits (p: 384, g: 1, Ys: 384) FS 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 3072 bits (p: 384, g: 1, Ys: 384) FS 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 3072 bits (p: 384, g: 1, Ys: 384) FS 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) INSECURE 256 TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0xa7) INSECURE 256 TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x6d) INSECURE 256 TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a) INSECURE 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x89) INSECURE 256 TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq. 3072 bits RSA) FS 112 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 3072 bits (p: 384, g: 1, Ys: 384) FS 112 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) INSECURE 112 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b) INSECURE 112 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 3072 bits (p: 384, g: 1, Ys: 384) FS 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 3072 bits (p: 384, g: 1, Ys: 384) FS 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 3072 bits (p: 384, g: 1, Ys: 384) FS 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 3072 bits (p: 384, g: 1, Ys: 384) FS 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) INSECURE 128 TLS_DH_anon_WITH_AES_128_GCM_SHA256 (0xa6) INSECURE 128 TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x6c) INSECURE 128 TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34) INSECURE 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x46) INSECURE 128 TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128 TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128 How can we get rid of these _anon_ cipher suites? Thanks Attila