Hi Daniel, Kamailio folks,
We are trying to make our server more secure, but we have some issues.
Right now, we have set the TLS method to
method = TLSv1+
and
cipher_list = HIGH
The problem is that there are still cipher suites offered which are not secure. E.g. if I check with the SSLLabs analyzer, I see:
This server supports anonymous (insecure) suites (see below for details). Grade set to F.
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end); last column is the strength in bits:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)  ECDH 256 bits (eq. 3072 bits RSA)  FS  256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  ECDH 256 bits (eq. 3072 bits RSA)  FS  256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  ECDH 256 bits (eq. 3072 bits RSA)  FS  256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)  DH 3072 bits (p: 384, g: 1, Ys: 384)  FS  256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)  DH 3072 bits (p: 384, g: 1, Ys: 384)  FS  256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)  DH 3072 bits (p: 384, g: 1, Ys: 384)  FS  256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)  DH 3072 bits (p: 384, g: 1, Ys: 384)  FS  256
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)  INSECURE  256
TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0xa7)  INSECURE  256
TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x6d)  INSECURE  256
TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a)  INSECURE  256
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x89)  INSECURE  256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)  256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)  256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)  256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)  256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)  ECDH 256 bits (eq. 3072 bits RSA)  FS  112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)  DH 3072 bits (p: 384, g: 1, Ys: 384)  FS  112
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)  INSECURE  112
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b)  INSECURE  112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)  112
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  ECDH 256 bits (eq. 3072 bits RSA)  FS  128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  ECDH 256 bits (eq. 3072 bits RSA)  FS  128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  ECDH 256 bits (eq. 3072 bits RSA)  FS  128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)  DH 3072 bits (p: 384, g: 1, Ys: 384)  FS  128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)  DH 3072 bits (p: 384, g: 1, Ys: 384)  FS  128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)  DH 3072 bits (p: 384, g: 1, Ys: 384)  FS  128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)  DH 3072 bits (p: 384, g: 1, Ys: 384)  FS  128
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)  INSECURE  128
TLS_DH_anon_WITH_AES_128_GCM_SHA256 (0xa6)  INSECURE  128
TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x6c)  INSECURE  128
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34)  INSECURE  128
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x46)  INSECURE  128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)  128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)  128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)  128
How can we get rid of these _anon_ cipher suites?
Thanks
Attila
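The following is an added example, not part of Attila's post and not code from the Kamailio project. The cipher_list value in the post is in OpenSSL cipher-list syntax, and in that syntax HIGH selects suites by encryption strength only; it does not exclude suites with no authentication, which is why the anonymous DH/ECDH suites (Au=None in `openssl ciphers -v` output) still show up. Appending `!aNULL` removes every unauthenticated suite and `!eNULL` removes null-encryption suites. The script below uses Python's ssl module, which wraps the same OpenSSL library, to expand a cipher string the way a server would and report which anonymous suites it still allows, so a candidate string can be checked before it goes into tls.cfg. It assumes the configured cipher string is passed to OpenSSL unchanged; the sample descriptions are constructed for illustration.

```python
"""Check an OpenSSL cipher string for anonymous suites before using it in tls.cfg.

Added example, not code from the original post or from Kamailio. Assumes the
cipher_list value is handed to OpenSSL unchanged (OpenSSL cipher-list syntax)
and uses Python's ssl module, which links the same OpenSSL library, to expand a
cipher string the way the server would.
"""
import ssl

# Constructed sample descriptions in `openssl ciphers -v` format, used to show
# what the filter matches. Au=None marks an anonymous (unauthenticated) suite.
SAMPLE_DESCRIPTIONS = [
    "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD",
    "ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD",
    "AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1",
    "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1",
]


def expand_cipher_string(cipher_string):
    """Return the suite descriptions OpenSSL enables for cipher_string.

    Raises ssl.SSLError if no suite matches (e.g. a typo in the string),
    which is the failure you want at config-check time rather than at runtime.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["description"] for c in ctx.get_ciphers()]


def anonymous_suites(descriptions):
    """Keep only the descriptions whose authentication field is Au=None."""
    return [d for d in descriptions if "Au=None" in d.split()]


def check_cipher_string(cipher_string):
    """Expand cipher_string and return the anonymous suites it still allows."""
    return anonymous_suites(expand_cipher_string(cipher_string))


if __name__ == "__main__":
    # The weak setting from the post beside a hardened one. "!aNULL" removes
    # every suite with no authentication; "!eNULL" removes null encryption.
    for cs in ("HIGH", "HIGH:!aNULL:!eNULL"):
        anon = check_cipher_string(cs)
        print(f"{cs!r}: {len(anon)} anonymous suite(s)")
        for d in anon:
            print("   ", d.split()[0])
```

With the hardened string the anonymous list is empty; the same string can then be placed in tls.cfg in the form used in the post (cipher_list = HIGH:!aNULL:!eNULL). The 3DES and Camellia suites in the SSLLabs output are separate concerns and would need their own exclusions (for example `!3DES`) if you also want them gone.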