Hello,
How can I disable:
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE128
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE128
What should I put in cypher_list in order to disable the above?
I would also like to support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1
Thanks, Arik Halperin
Hi, for enabling a specific set of ciphers have a look at tls module's cipher_list param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_lis... . For supporting specific versions of TLS look at tls_method param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method .
Cheers,
Federico
On Tue, Dec 10, 2019 at 7:30 AM Arik Halperin arik.halperin@s3code.com wrote:
Hello,
How can I disable:
TLS_RSA_WITH_RC4_128_SHA (0x5) *INSECURE*128
TLS_RSA_WITH_RC4_128_MD5 (0x4) *INSECURE*128
What should I put in cypher_list in order to disable the above?
I would also like to support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1
Thanks, Arik Halperin
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Federico, Thank you
I added these lines to my config:
#!ifdef WITH_TLS
# ----- tls params -----
modparam("tls","config","/usr/local/etc/kamailio/tls.cfg")
modparam("tls", "cipher_list", "HIGH")
modparam("tls", "tls_method", "TLSv1.2+")
#!endif
But it still doesn’t work.
I ran this test, but it still says:
Cipher Suites
# TLS 1.0 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_SEED_CBC_SHA (0x96) WEAK 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
I don’t know how to get rid of the insecure ones.
Best Regards, Arik
On 10 Dec 2019, at 9:03, Federico Cabiddu federico.cabiddu@gmail.com wrote:
Hi, for enabling a specific set of ciphers have a look at tls module's cipher_list param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list. For supporting specific versions of TLS look at tls_method param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method.
Cheers,
Federico
Hi Arik, I think that the problem is that you are using a configuration file for tls. In this case you have to specify there the parameters like ciphers, because the module's ones will be ignored: http://www.kamailio.org/docs/modules/5.3.x/modules/tls.html#tls.p.config.
Cheers,
Federico
On Sun, Dec 22, 2019 at 6:16 PM Arik Halperin arik.halperin@s3code.com wrote:
Federico, Thank you
I added these lines to my config:
#!ifdef WITH_TLS
# ----- tls params -----
modparam("tls","config","/usr/local/etc/kamailio/tls.cfg")
modparam("tls", "cipher_list", "HIGH")
modparam("tls", "tls_method", "TLSv1.2+")
#!endif
But it still doesn’t work.
I ran this test, but it still says:
Cipher Suites
# TLS 1.0 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) *WEAK* 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) *WEAK* 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) *WEAK* 128
TLS_RSA_WITH_SEED_CBC_SHA (0x96) *WEAK* 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) *WEAK* 128
TLS_RSA_WITH_RC4_128_SHA (0x5) *INSECURE* 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) *INSECURE* 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) *WEAK*
I don’t know how to get rid of the insecure ones.
Best Regards, Arik
Federico, thanks
Did the changes in the file. It’s fixed.
Arik
On 22 Dec 2019, at 19:28, Federico Cabiddu federico.cabiddu@gmail.com wrote:
Hi Arik, I think that the problem is that you are using a configuration file for tls. In this case you have to specify there the parameters like ciphers, because the module's ones will be ignored: http://www.kamailio.org/docs/modules/5.3.x/modules/tls.html#tls.p.config.
Cheers,
Federico
Hello,
small addition - it is not possible to only specify TLS v1.3 at the moment (but work is planned here) - use TLSv1.2+ to get all versions equal to or larger than TLS 1.2.
Cheers,
Henning
--
Henning Westerholt - https://skalatan.de/blog/
Kamailio services - https://gilawa.com/
From: sr-users sr-users-bounces@lists.kamailio.org On Behalf Of Arik Halperin
Sent: Tuesday, December 10, 2019 7:29 AM
To: sr-users@lists.kamailio.org
Cc: Tsur Arieli tsur@telemessage.com; Yossi Shteingart yossi@telemessage.com
Subject: [SR-Users] Disabling weak SSL Cypher suites
Hello,
How can I disable:
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE128
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE128
What should I put in cypher_list in order to disable the above?
I would also like to support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1
Thanks, Arik Halperin
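A small Python check for the misconfiguration diagnosed in this thread, added here as an example and not part of the original messages or of Kamailio itself: it flags tls modparams that are ignored once a tls.cfg is loaded, and tls.cfg profiles that do not set the method to TLSv1.2+ or that lack a cipher_list. The tls.cfg section name and its method and cipher_list keys are assumptions, since the thread never shows that file.

```python
import re

MODPARAM_RE = re.compile(r'modparam\(\s*"tls"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')
WANTED_METHOD = "TLSv1.2+"  # value recommended in the thread
# Constructed samples: the thread never shows the contents of tls.cfg.
KAMAILIO_CFG = '''
modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")
modparam("tls", "cipher_list", "HIGH")
modparam("tls", "tls_method", "TLSv1.2+")
'''
TLS_CFG_BEFORE = "[server:default]\nmethod = TLSv1\n"
TLS_CFG_AFTER = "[server:default]\nmethod = TLSv1.2+\ncipher_list = HIGH\n"

def tls_modparams(kamailio_cfg):
    """Return {name: value} for each active modparam("tls", ...) line."""
    params = {}
    for line in kamailio_cfg.splitlines():
        match = MODPARAM_RE.search(line)
        if match and not line.lstrip().startswith("#"):  # skip commented-out lines
            params[match.group(1)] = match.group(2)
    return params

def tls_profiles(tls_cfg):  # parse tls.cfg text into {section: {key: value}}
    profiles, current = {}, None
    for line in tls_cfg.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            current = profiles.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return profiles

def audit(kamailio_cfg, tls_cfg=""):
    """List settings that leave old TLS versions or default ciphers enabled."""
    params = tls_modparams(kamailio_cfg)
    if "config" not in params:  # no tls.cfg: the modparams are the effective settings
        profiles, findings = {"modparam": params}, []
    else:  # tls.cfg in use: per the thread, the module's own parameters are ignored
        profiles = tls_profiles(tls_cfg)
        findings = [f"modparam {name} ignored: {params['config']} is in use"
                    for name in ("cipher_list", "tls_method") if name in params]
    for section, opts in profiles.items():
        method = opts.get("method", opts.get("tls_method"))
        if method != WANTED_METHOD:
            findings.append(f"[{section}] method is {method!r}, want {WANTED_METHOD!r}")
        if "cipher_list" not in opts:
            findings.append(f"[{section}] cipher_list not set")
    return findings
```

Calling audit(KAMAILIO_CFG, TLS_CFG_AFTER) still reports the two ignored modparams, which marks them as dead settings that can be deleted from kamailio.cfg.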