[SR-Users] TLSv1.2 and weak ciphers

Attila Megyeri amegyeri at minerva-soft.com
Mon May 4 14:18:17 CEST 2015


Hi Daniel, Kamailio folks,

We are trying to make our server more secure, but we have some issues.

Right now, we have set the TLS method to
method = TLSv1+

and

cipher_list = HIGH

The problem is that there are still cipher suites offered which are not secure. E.g. if I check with the SSLLabs analyzer, I see:


This server supports anonymous (insecure) suites (see below for details). Grade set to F.


Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)

Suite (id)   Key exchange   FS   Strength (bits)

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS   256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS   256
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE   256
TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0xa7)   INSECURE   256
TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x6d)   INSECURE   256
TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a)   INSECURE   256
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x89)   INSECURE   256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)   256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH 256 bits (eq. 3072 bits RSA)   FS   112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS   112
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE   112
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b)   INSECURE   112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   112
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS   128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS   128
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE   128
TLS_DH_anon_WITH_AES_128_GCM_SHA256 (0xa6)   INSECURE   128
TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x6c)   INSECURE   128
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34)   INSECURE   128
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x46)   INSECURE   128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   128


How can we get rid of these _anon_ cipher suites?

Thanks
Attila
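Added example, not part of the original thread and not Kamailio's own code: Kamailio hands the cipher_list string to OpenSSL, and in the OpenSSL 1.0.x releases of that time the HIGH alias still included the anonymous ADH/AECDH suites, which is exactly what the scan above flags as INSECURE. Appending !aNULL (and !eNULL) to the string removes them, e.g. cipher_list = HIGH:!aNULL:!eNULL in tls.cfg. The script below uses Python's ssl module to expand a cipher_list the way OpenSSL would and reports which enabled suites are anonymous, lack forward secrecy, or use 3DES. It goes a little beyond the question asked: besides the anonymous suites it also catches the other two weaknesses visible in the scan, the static-RSA suites without FS and the 112-bit 3DES suites. The hardened string HARDENED_SPEC, the regex over OpenSSL's cipher description format, and the constructed SAMPLE_DESCRIPTIONS lines are this example's assumptions, not recommendations from the thread.

```python
"""Audit an OpenSSL cipher_list string (as Kamailio's tls module passes it
to OpenSSL) and flag the suite classes the SSL Labs scan complained about."""
import re
import ssl

# Fields of SSL_CIPHER_description() output, e.g.
# "ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD"
DESC_RE = re.compile(r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)")

# Key-exchange labels that give forward secrecy: ephemeral (EC)DH, plus
# "any", which OpenSSL prints for TLS 1.3 suites (always ephemeral).
FS_KX = {"ECDH", "DH", "any"}


def classify(description):
    """Classify one OpenSSL cipher description line."""
    m = DESC_RE.search(description)
    if m is None:
        raise ValueError("unrecognised cipher description: %r" % description)
    kx, au, enc = m.group("kx"), m.group("au"), m.group("enc")
    return {
        "name": description.split()[0],
        # Au=None is an anonymous suite: no server authentication at all,
        # so any on-path attacker can impersonate the server.
        "anonymous": au == "None",
        "forward_secrecy": kx in FS_KX,
        "triple_des": enc.startswith("3DES"),
    }


def bucket(descriptions):
    """Group a list of description lines by the weakness each suite has."""
    report = {"enabled": [], "anonymous": [], "no_forward_secrecy": [], "triple_des": []}
    for desc in descriptions:
        info = classify(desc)
        report["enabled"].append(info["name"])
        if info["anonymous"]:
            report["anonymous"].append(info["name"])
        if not info["forward_secrecy"]:
            report["no_forward_secrecy"].append(info["name"])
        if info["triple_des"]:
            report["triple_des"].append(info["name"])
    return report


def expand_cipher_list(spec):
    """Return the description lines the local OpenSSL enables for `spec`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [c["description"] for c in ctx.get_ciphers()]


def audit_cipher_list(spec):
    """Expand `spec` with the local OpenSSL and bucket the result."""
    return bucket(expand_cipher_list(spec))


# The string from the post, and a hardened replacement (an assumption of this
# example, not a Kamailio default): drop anonymous and null-cipher suites,
# 3DES, static-RSA key exchange (the non-FS suites), and the PSK/SRP suites
# a SIP proxy does not use.
WEAK_SPEC = "HIGH"
HARDENED_SPEC = "HIGH:!aNULL:!eNULL:!3DES:!kRSA:!PSK:!SRP"

# Constructed sample of OpenSSL description lines for suites that appear in
# the SSL Labs scan in the post (in OpenSSL's naming), so the classifier can
# be exercised independently of the OpenSSL build Python links against.
SAMPLE_DESCRIPTIONS = (
    "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD",
    "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1",
    "AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1",
    "ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD",
    "AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD",
    "ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1",
    "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1",
)

if __name__ == "__main__":
    print("constructed sample:", bucket(SAMPLE_DESCRIPTIONS))
    for spec in (WEAK_SPEC, HARDENED_SPEC):
        r = audit_cipher_list(spec)
        print("cipher_list = %s  (%d suites enabled)" % (spec, len(r["enabled"])))
        for key in ("anonymous", "no_forward_secrecy", "triple_des"):
            print("  %-19s %s" % (key + ":", ", ".join(r[key]) or "none"))
```

Two caveats when using this against a real box. OpenSSL 1.1.0 and later apply a default security level that already refuses anonymous suites, so auditing bare HIGH on a current host will not reproduce the 2015 scan; run it against the OpenSSL version Kamailio actually links, or simply scan the listening port. And the ssl module lists the TLS 1.3 suites (Kx=any, Au=any) regardless of cipher_list, since OpenSSL configures them separately; they are authenticated and ephemeral, so the classifier treats them as acceptable.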