good catch. thanks
for the record
ECC
[root@sbc live]# openssl x509 -text -noout -in /etc/letsencrypt/live/<my domain>/fullchain.pem |grep -i "Public Key Algorithm"
Public Key Algorithm: id-ecPublicKey
certbot certonly --key-type rsa --cert-name <my domain> --manual --preferred-challenges dns
RSA
[root@sbc live]# openssl x509 -text -noout -in /etc/letsencrypt/live/<my domain>/fullchain.pem |grep -i "Public Key Algorithm"
Public Key Algorithm: rsaEncryption
but there was another problem
modparam("tls", "cipher_list", "RSA") from https://kamailio.org/docs/modules/5.7.x/modules/tls.html#tls.p.cipher_list
does nothing
0(2294) INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
the valid option is in tls.cfg:
cipher_list = RSA
0(2328) INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='RSA'
ServerHello Version 3.3 session_id[0]= cipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384
Marek Cervenka
Dne 2024-01-10 v 13:06 Lukas Tribus napsal(a):
On Wednesday 10 January 2024, marek via sr-users sr-users@lists.kamailio.org wrote:
> hi, i'm trying to force the cipher list through options like modparam("tls", "cipher_list", "TLS_RSA_WITH_AES_256_CBC_SHA256") modparam("tls", "cipher_list", "RSA")
You are trying an RSA cipher.
> ... but ssldump -i enp2s0 port 5061 shows every time ServerHello Version 3.3
In TLS 1.2
> session_id[0]= cipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
But the negotiated cipher suggests that you have an ECC certificate.
In TLSv1.2 and older, the ciphers available depend on the certificate type (RSA vs ECC).
In TLSv1.3 it's all different again and the certificate doesn't matter for cipher negotiation.
Get an RSA (2048-bit) certificate instead of an ECC one from Let's Encrypt, then you should be able to use those ciphers.
Lukas
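The rule Lukas states above (in TLS 1.2 and older the certificate key type decides which suites are negotiable; in TLS 1.3 it does not) can be checked locally before touching the Kamailio tls.cfg. The following is an added example, not code from this thread or from Kamailio. It expands an OpenSSL cipher string such as "RSA" with Python's standard-library ssl module (the same list `openssl ciphers -v RSA` prints) and partitions the suites by whether a server holding an RSA or an ECC (ECDSA) certificate could offer them. The function names, the CERT_AUTH mapping and the SAMPLE_SUITES list are mine; the sample list is constructed to mirror the suites seen in the ssldump output, using the OpenSSL names (AES256-GCM-SHA384 is TLS_RSA_WITH_AES_256_GCM_SHA384, ECDHE-ECDSA-AES256-GCM-SHA384 is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384).

```python
"""Which suites can a server actually negotiate, given its certificate's key type?

Added example for the sr-users thread above (not Kamailio code, not the
posters' code). It expands an OpenSSL cipher string such as "RSA" with the
standard-library ssl module and then applies the rule from the thread:
in TLS 1.2 and older a suite is usable only when its authentication
algorithm matches the certificate key type; TLS 1.3 suites do not depend
on the certificate at all.
"""
import ssl

# Certificate key type as printed by `openssl x509 -text` ("Public Key
# Algorithm") -> the auth label SSLContext.get_ciphers() reports for suites
# that require that kind of certificate. (Mapping assumed for this example.)
CERT_AUTH = {
    "rsaEncryption": "auth-rsa",
    "id-ecPublicKey": "auth-ecdsa",
}


def expand_cipher_string(cipher_string):
    """Suites the local OpenSSL selects for cipher_string, as get_ciphers() dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def usable_with_cert(suite, cert_key_type):
    """True if a server holding cert_key_type can negotiate this suite."""
    if suite["protocol"] == "TLSv1.3":
        # TLS 1.3 suites carry no key-exchange/auth; any certificate type works.
        return True
    return suite["auth"] == CERT_AUTH[cert_key_type]


def partition(suites, cert_key_type):
    """Split suite names into (usable, blocked) for the given certificate type."""
    usable = [s["name"] for s in suites if usable_with_cert(s, cert_key_type)]
    blocked = [s["name"] for s in suites if not usable_with_cert(s, cert_key_type)]
    return usable, blocked


def check(cipher_string, cert_key_type):
    """Expand cipher_string with the local OpenSSL, then partition it."""
    return partition(expand_cipher_string(cipher_string), cert_key_type)


# Constructed sample shaped like get_ciphers() output. It covers the two
# suites seen in the thread's ssldump captures plus ECDHE-RSA and a TLS 1.3
# suite for contrast.
SAMPLE_SUITES = [
    {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2",
     "kea": "kx-rsa", "auth": "auth-rsa"},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe", "auth": "auth-rsa"},
    {"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe", "auth": "auth-ecdsa"},
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3",
     "kea": "kx-any", "auth": "auth-any"},
]


if __name__ == "__main__":
    for key_type in CERT_AUTH:
        usable, blocked = partition(SAMPLE_SUITES, key_type)
        print(f"{key_type}: usable={usable} blocked={blocked}")
    # Live check against the local OpenSSL: what does cipher_list "RSA"
    # leave for a server that only has an ECC certificate?
    usable, blocked = check("RSA", "id-ecPublicKey")
    print(f'"RSA" with an ECC certificate: usable={usable} blocked={blocked}')
```

Run it as a script: with the ECC certificate every TLS 1.2 suite in "RSA" lands in the blocked list and only the TLS 1.3 suites remain, which is why the thread's fix was a new RSA certificate rather than another cipher string.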