Hi Daniel, Kamailio folks,

 

We are trying to make our server more secure, but we have some issues.

 

Right now, we have set the TLS method to

method = TLSv1+

 

and

 

cipher_list = HIGH

 

The problem is, that there are still cipher suites offered which are not secure. E.g. If I check with the SSLLabs analizer, I see:

 

 

This server supports anonymous (insecure) suites (see below for details). Grade set to F.

 

 

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   FS

256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS

256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS

256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

256

TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

256

TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE

256

TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0xa7)   INSECURE

256

TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x6d)   INSECURE

256

TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a)   INSECURE

256

TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x89)   INSECURE

256

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)

256

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)

256

TLS_RSA_WITH_AES_256_CBC_SHA (0x35)

256

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)

256

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH 256 bits (eq. 3072 bits RSA)   FS

112

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

112

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE

112

TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b)   INSECURE

112

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)

112

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS

128

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS

128

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS

128

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

128

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

128

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

128

TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

128

TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE

128

TLS_DH_anon_WITH_AES_128_GCM_SHA256 (0xa6)   INSECURE

128

TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x6c)   INSECURE

128

TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34)   INSECURE

128

TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x46)   INSECURE

128

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)

128

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)

128

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)

128

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)

128

 

How can we get rid of these _anon_ cipher suites?

 

Thanks

Attila