10 Jan
2024
10 Jan
'24
6:56 p.m.
good catch. thanks
for the record
ECC
[root@sbc live]# openssl x509 -text -noout -in /etc/letsencrypt/live/<my
domain>/fullchain.pem |grep -i "Public Key Algorithm"
Public Key Algorithm: id-ecPublicKey
certbot certonly --key-type rsa --cert-name <my domain> --manual
--preferred-challenges dns
RSA
[root@sbc live]# openssl x509 -text -noout -in /etc/letsencrypt/live/<my
domain>/fullchain.pem |grep -i "Public Key Algorithm"
Public Key Algorithm: rsaEncryption
but there was another problem
modparam("tls", "cipher_list", "RSA") from
https://kamailio.org/docs/modules/5.7.x/modules/tls.html#tls.p.cipher_list
does nothing
0(2294) INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing():
TLSs<default>: cipher_list='(null)'
valid option is in tls.cfg
cipher_list = RSA
0(2328) INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing():
TLSs<default>: cipher_list='RSA'
ServerHello
Version 3.3
session_id[0]=
cipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384
Marek Cervenka
Dne 2024-01-10 v 13:06 Lukas Tribus napsal(a):
On Wednesday 10 January 2024, marek via sr-users
<sr-users(a)lists.kamailio.org> wrote:
hi,
i'm trying force cipher list through options like
modparam("tls", "cipher_list",
"TLS_RSA_WITH_AES_256_CBC_SHA256")
modparam("tls", "cipher_list", "RSA")
You are trying a RSA cipher.
...
but
ssldump -i enp2s0 port 5061 shows every time
ServerHello
Version 3.3
In TLS 1.2
session_id[0]=
cipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
But the negotiated cipher suggest that you have an ECC certificate.
In TLSv1.2 and older, ciphers available are dependent on the
certificate type (RSA vs ECC).
In TLSv1.3 its all different again and the certificate doesn't matter
for cipher negotiation.
Get a RSA (2048bit) certificate instead of a ECC one from Let's
Encrypt, then you should be able to use those ciphers.
Lukas