Hey otron,
good call, but in the meantime I already tried setting the following
which should exclude all cipher suites and only use AES128 (afaik):
cipher_list = NONE:AES128-SHA256
Best regards,
Ilyas Keskin
On 24.11.2017 at 20:48, otron2016(a)gmail.com wrote:
Just a guess but maybe later entries [like
+HIGH:+MEDIUM:+LOW] put it
back. Try switching the order so that !ECDHE and the others you're
trying to exclude come after.
Sent from Samsung Mobile
-------- Original message --------
From: Ilyas Keskin <ilyask92(a)gmx.de>
Date: 11/24/2017 10:19 AM (GMT-08:00)
To: miconda(a)gmail.com, "Kamailio (SER) - Users Mailing List"
<sr-users(a)lists.kamailio.org>
Subject: Re: [SR-Users] Cannot disable EC Diffie Hellman cipher suite
Hi Daniel,
yes, I am using the tls.cfg file. I tried your suggestion to add the
cipher suite string (notice the !ECDHE which I also added to the httpd
ssl.conf) but nothing changed.
[server:default]
method = TLSv1
cipher_list = !DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem
certificate = /etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem
#ca_list = ./modules/tls/cacert.pem
#crl = ./modules/tls/crl.pem
Also here is a log snippet from tls module section of kamailio
initialization. Notice first two lines. Also it seems to me the module
actually ignores the local openssl installation and uses its own which
has been compiled with the module itself (?).
Other than that it seems to be accepting the cipher_list value just fine:
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_mod.c:355]: mod_init(): With ECDH-Support!
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_mod.c:358]: mod_init(): With Diffie Hellman
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_init.c:587]: init_tls_h(): tls: _init_tls_h: compiled with
openssl version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f),
kerberos support: on, compression: on
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_init.c:595]: init_tls_h(): tls: init_tls_h: installed openssl
library version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f),
kerberos support: on, zlib compression:
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT
-m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tls
[tls_init.c:649]: init_tls_h(): tls: openssl bug #1491 (crash/mem
leaks on low memory) workaround enabled (on low memory tls operations
will fail preemptively) with free
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core>
[cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now():
tls.low_mem_threshold1 has been changed to 7864320
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core>
[cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now():
tls.low_mem_threshold2 has been changed to 3932160
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm
[tm.c:594]: fixup_routes(): WARNING: t_on_branch("MANAGE_BRANCH"):
empty/non existing route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm
[tm.c:594]: fixup_routes(): WARNING: t_on_reply("MANAGE_REPLY"):
empty/non existing route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm
[tm.c:594]: fixup_routes(): WARNING: t_on_failure("MANAGE_FAILURE"):
empty/non existing route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core>
[udp_server.c:175]: probe_max_receive_buffer(): SO_RCVBUF is initially
212992
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core>
[udp_server.c:225]: probe_max_receive_buffer(): SO_RCVBUF is finally
425984
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:275]: fill_missing(): TLSs<default>: tls_method=12
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:287]: fill_missing(): TLSs<default>:
certificate='/etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:294]: fill_missing(): TLSs<default>: ca_list='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:301]: fill_missing(): TLSs<default>: crl='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:305]: fill_missing(): TLSs<default>: require_certificate=0
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:312]: fill_missing(): TLSs<default>:
cipher_list='!DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:319]: fill_missing(): TLSs<default>:
private_key='/etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:323]: fill_missing(): TLSs<default>: verify_certificate=0
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:326]: fill_missing(): TLSs<default>: verify_depth=9
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:670]: set_verification(): TLSs<default>: No client
certificate required and no checks performed
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:275]: fill_missing(): TLSc<default>: tls_method=12
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:287]: fill_missing(): TLSc<default>: certificate='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:294]: fill_missing(): TLSc<default>: ca_list='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:301]: fill_missing(): TLSc<default>: crl='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:305]: fill_missing(): TLSc<default>: require_certificate=1
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:312]: fill_missing(): TLSc<default>: cipher_list='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:319]: fill_missing(): TLSc<default>: private_key='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:323]: fill_missing(): TLSc<default>: verify_certificate=1
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:326]: fill_missing(): TLSc<default>: verify_depth=9
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls
[tls_domain.c:655]: set_verification(): TLSc<default>: Server MUST
present valid certificate
Would it be possible to compile the tls module with certain openssl
config switches (i.e. no-ec no-dh)?
Any other ideas?
Best regards,
Ilyas Keskin
On 24.11.2017 at 15:45, Daniel-Constantin Mierla wrote:
Hello,
On 23.11.17 22:42, Ilyas Keskin wrote:
Hi there,
I have set up a Kamailio 4.2.0 SIP server (CentOS 7) for a
university project regarding WebRTC communication. While kamailio
handles the signaling path I use the SIP.js demo phone js
application (hosted on the same machine as kamailio) for actual
WebRTC stuff.
For a deeper understanding and documentation purposes I have been
trying to sniff the traffic with wireshark but failed due to the
fact that kamailio uses an Elliptic Curve Diffie-Hellman cipher suite
(see wireshark snippet below) which is not decryptable.
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 89
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 85
Version: TLS 1.2 (0x0303)
Random: b8916e4e0f7c712503a77afcf4c9228598092c166353be50...
Session ID Length: 32
Session ID:
b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Compression Method: null (0)
Extensions Length: 13
Extension: renegotiation_info (len=1)
Extension: ec_point_formats (len=4)
I already tried importing captured SSLKEYLOG pre master secret from
chrome and private key file issued by letsencrypt without success.
On top of that I set this line
SSLCipherSuite !DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
in /etc/httpd/conf.d/ssl.conf and compiled openssl with no-ec no-dh
(which worked see below).
[admin@kamailio-sip ~]$ openssl ciphers
SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
[admin@kamailio-sip ~]$
Setting
modparam("tls", "cipher_list", "AESCCM")
(or different ciphers) in /etc/kamailio/kamailio.cfg seems to have
no effect on the actual negotiated cipher suite.
Am I missing something? Any help or pointers into the right
direction will be much appreciated.
are you also using tls.cfg? If yes, there is an attribute for cipher
list in it as well, try and see if it works with it.
Cheers,
Daniel
--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
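As an added example (not code from the thread, from Kamailio or from OpenSSL), the script below expands each cipher string quoted in the thread exactly as OpenSSL does (a `!` rule removes suites permanently, whatever `+` rules follow it) and reports which suites survive and which key exchange each uses, the same information `openssl ciphers -v` prints. The Kx= column is what decides the question raised above: only static-RSA suites (Kx=RSA) can be read back with the server's private key, the ECDHE suite in the Wireshark snippet cannot, and a string that leaves no suite at all is rejected outright. It assumes a current Python 3 with its ssl module, so the exact suites differ from the OpenSSL 1.0.1e in the log; the function names and labels are mine.

```python
import re
import ssl

# Cipher strings quoted in the thread (tls.cfg / httpd ssl.conf) plus OpenSSL's DEFAULT.
CIPHER_STRINGS = {
    "tls.cfg, first attempt": "!DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL",
    "tls.cfg, second attempt": "NONE:AES128-SHA256",
    "OpenSSL DEFAULT": "DEFAULT",
}

def resolve_cipher_list(spec):
    """Expand an OpenSSL cipher string with the OpenSSL library Python links.
    Returns [(suite name, key exchange), ...] for TLS <= 1.2 suites, or None
    when OpenSSL rejects the string because no suite survives it. TLS 1.3
    suites are skipped: they are configured separately and always use (EC)DHE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # raised as "No cipher can be selected"
        return None
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # 'description' is the line 'openssl ciphers -v' prints, e.g.
        # 'AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256'
        m = re.search(r"Kx=(\S+)", c["description"])
        suites.append((c["name"], m.group(1) if m else "?"))
    return suites

def dh_suites(suites):
    """Suites with an (EC)DH key exchange, like the ECDHE-RSA suite in the capture."""
    return [name for name, kx in suites if kx.startswith(("ECDH", "DH"))]

def rsa_kx_suites(suites):
    """Suites with static RSA key exchange (session key wrapped with the server key)."""
    return [name for name, kx in suites if kx == "RSA"]

if __name__ == "__main__":
    for label, spec in CIPHER_STRINGS.items():
        suites = resolve_cipher_list(spec)
        print(f"{label}: {spec}")
        if suites is None:
            print("  rejected by OpenSSL: no cipher can be selected")
            continue
        print(f"  {len(suites)} TLS<=1.2 suites, {len(dh_suites(suites))} with (EC)DH key exchange")
        for name, kx in suites[:5]:
            print(f"    {name:32s} Kx={kx}")
```

Run it before editing tls.cfg: if a string prints as rejected, Kamailio's TLS module would be handed an empty cipher list, and if any suite shows Kx=ECDH or Kx=DH the exclusion did not do what the rule string was meant to do.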