[SR-Users] Cannot disable EC Diffie Hellman cipher suite

Hi there,

I have set up a Kamailio 4.2.0 SIP server (centOS 7) for a university project regarding WebRTC comunication. While kamailio handles the signaling path I use the SIP.js demo phone js application (hosted on the same machine as kamaillio) for actual WebRTC stuff. For a deeper understanding and documetation purposes I have been trying to sniff the traffic with wireshark but failed due to the fact that kamailio uses Elliptic Curve Diffie Hellmann cipher suite (see wireshark snippet below) which is not decryptable.

Secure Sockets Layer     TLSv1.2 Record Layer: Handshake Protocol: Server Hello         Content Type: Handshake (22)         Version: TLS 1.2 (0x0303)         Length: 89         Handshake Protocol: Server Hello             Handshake Type: Server Hello (2)             Length: 85             Version: TLS 1.2 (0x0303)             Random: b8916e4e0f7c712503a77afcf4c9228598092c166353be50...             Session ID Length: 32             Session ID: b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)             Compression Method: null (0)             Extensions Length: 13             Extension: renegotiation_info (len=1)             Extension: ec_point_formats (len=4)

I already tried importing captured SSLKEYLOG pre master secret from chrome and private key file issued by letsencrypt without success.

On top of that I set this line

SSLCipherSuite !DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

in /etc/httpd/conf.d/ssl.conf and compiled openssl with no-ec no-dh (which worked see below).

[admin@kamailio-sip ~]$ openssl ciphers SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA [admin@kamailio-sip ~]$

Setting

modparam("tls", "cipher_list", "AESCCM")

(or different ciphers) in /etc/kamailio/kamailio.cfg seems to have no effect on the actual negoiated cipher suite.

Am I missing something? Any help or pointers into the right direction will be much appreciated.

Best regards,

Ilyas Keskin