Well, properly formulating the question is halfway to the solution :)
I had to add
cipher_list = HIGH:!ADH:!AECDH
And all anon ciphers are gone.
I hope this helps someone :)
From: sr-users [mailto:sr-users-bounces@lists.sip-router.org] On Behalf Of Attila Megyeri
Sent: Monday, May 4, 2015 2:18 PM
To: Kamailio (SER) - Users Mailing List
Subject: [SR-Users] TLSv1.2 and weak ciphers
Hi Daniel, Kamailio folks,
We are trying to make our server more secure, but we have some issues.
Right now, we have set the TLS method to
method = TLSv1+
and
cipher_list = HIGH
The problem is that there are still cipher suites offered which are not secure. E.g. if I check with the SSLLabs analyzer, I see:
This server supports anonymous (insecure) suites (see below for details). Grade set to F.
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
Cipher suite | Key exchange | Strength (bits)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) | ECDH 256 bits (eq. 3072 bits RSA) FS | 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) | ECDH 256 bits (eq. 3072 bits RSA) FS | 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) | ECDH 256 bits (eq. 3072 bits RSA) FS | 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) | DH 3072 bits (p: 384, g: 1, Ys: 384) FS | 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) | DH 3072 bits (p: 384, g: 1, Ys: 384) FS | 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) | DH 3072 bits (p: 384, g: 1, Ys: 384) FS | 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) | DH 3072 bits (p: 384, g: 1, Ys: 384) FS | 256
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) | INSECURE | 256
TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0xa7) | INSECURE | 256
TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x6d) | INSECURE | 256
TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a) | INSECURE | 256
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x89) | INSECURE | 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) | - | 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) | - | 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) | - | 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) | - | 256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) | ECDH 256 bits (eq. 3072 bits RSA) FS | 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) | DH 3072 bits (p: 384, g: 1, Ys: 384) FS | 112
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) | INSECURE | 112
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b) | INSECURE | 112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) | - | 112
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) | ECDH 256 bits (eq. 3072 bits RSA) FS | 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) | ECDH 256 bits (eq. 3072 bits RSA) FS | 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) | ECDH 256 bits (eq. 3072 bits RSA) FS | 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) | DH 3072 bits (p: 384, g: 1, Ys: 384) FS | 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) | DH 3072 bits (p: 384, g: 1, Ys: 384) FS | 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) | DH 3072 bits (p: 384, g: 1, Ys: 384) FS | 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) | DH 3072 bits (p: 384, g: 1, Ys: 384) FS | 128
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) | INSECURE | 128
TLS_DH_anon_WITH_AES_128_GCM_SHA256 (0xa6) | INSECURE | 128
TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x6c) | INSECURE | 128
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34) | INSECURE | 128
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x46) | INSECURE | 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) | - | 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) | - | 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) | - | 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) | - | 128
How can we get rid of these _anon_ cipher suites?
Thanks
Attila
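An offline way to check what a cipher_list string actually resolves to before restarting Kamailio, as an added example that is not part of the thread or of the Kamailio project. It feeds the "HIGH" and "HIGH:!ADH:!AECDH" strings from the thread through the same OpenSSL cipher-string grammar the tls module uses (via Python's ssl binding, which assumes a Python linked against OpenSSL 1.1.0 or later) and checks whether any of the suite ids SSL Labs flagged INSECURE above are still offered; the same check can be done on the command line with `openssl ciphers -v 'HIGH:!ADH:!AECDH'`.

```python
import ssl

# Constructed from the thread: the cipher_list value before and after the fix.
BEFORE = "HIGH"
AFTER = "HIGH:!ADH:!AECDH"   # "!aNULL" would exclude both anonymous families at once

# IANA suite ids of the rows SSL Labs marked INSECURE in the quoted report.
FLAGGED_IDS = {0xc019, 0xa7, 0x6d, 0x3a, 0x89, 0xc017, 0x1b,
               0xc018, 0xa6, 0x6c, 0x34, 0x46}


def suites_for(cipher_list):
    """Resolve an OpenSSL cipher string and return the TLS <= 1.2 suites it
    yields. TLS 1.3 suites are configured separately and are never anonymous,
    so they are left out of the comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_anonymous(cipher):
    """True for suites with no server authentication (OpenSSL's aNULL class:
    ADH-* and AECDH-*), which is exactly what SSL Labs grades F for."""
    return (cipher["auth"] in ("auth-null", "auth-none")
            or cipher["name"].startswith(("ADH-", "AECDH-")))


def anonymous_suites(cipher_list):
    """OpenSSL names of the anonymous suites a cipher string still offers."""
    return sorted(c["name"] for c in suites_for(cipher_list) if is_anonymous(c))


def flagged_still_offered(cipher_list):
    """Flagged SSL Labs ids still present. OpenSSL reports ids as 0x0300xxxx,
    so the low 16 bits are the IANA value SSL Labs prints."""
    return sorted(c["id"] & 0xFFFF for c in suites_for(cipher_list)
                  if (c["id"] & 0xFFFF) in FLAGGED_IDS)


if __name__ == "__main__":
    for cl in (BEFORE, AFTER):
        print(f"{cl!r}: {len(suites_for(cl))} suites, "
              f"{len(anonymous_suites(cl))} anonymous, "
              f"flagged ids still offered: {[hex(i) for i in flagged_still_offered(cl)]}")
```

How many anonymous suites "HIGH" alone yields depends on how the local OpenSSL was built; the point of the check is that the "HIGH:!ADH:!AECDH" line must yield none and must not contain any of the flagged ids.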