[SR-Users] TLS and SIP

Frank Carmickle frank at carmickle.com
Fri May 23 19:18:57 CEST 2014

On May 23, 2014, at 12:43 PM, James Cloos <cloos at jhcloos.com> wrote:

>>>>>> "FC" == Frank Carmickle <frank at carmickle.com> writes:
> JC>> If you record the full packet trace, wireshark can use your privkey.pem
> JC>> to decode the tls handshake, recover the session key, and use that to
> JC>> decode the payload packets.
> FC> This is true if you are not using an ephemeral Diffie Hellman cypher suite.
> Good point.  A quick test shows that contacting asterisk-11 over tls/tcp
> negotiates rsa key exchange; kamailio does better and agrees to ECDHE-RSA.
> If the trace is of kama talking to asterisk ephemeral is not likely.
> Asterisk-12 may be better; I cannot test right now.  Nor can I test
> freeswitch.
Freeswitch does support most new features of openssl 1.0.1 branch.  I believe it defaults to tls1.1 currently but I believe the goal is to only enable tls1.2, with ECDHE+AES128 by default.  You can certainly ask it to do what ever openssl supports, except that right now ECDHE is hardcoded to p256.


More information about the sr-users mailing list