[SR-Users] Cannot disable EC Diffie Hellman cipher suite

Ilyas Keskin ilyask92 at gmx.de
Thu Nov 23 22:42:34 CET 2017


Hi there,

I have set up a Kamailio 4.2.0 SIP server (CentOS 7) for a university 
project regarding WebRTC communication. While kamailio handles the 
signaling path I use the SIP.js demo phone js application (hosted on the 
same machine as kamailio) for actual WebRTC stuff.
For a deeper understanding and documentation purposes I have been trying 
to sniff the traffic with wireshark but failed due to the fact that 
kamailio uses an Elliptic Curve Diffie Hellman cipher suite (see wireshark 
snippet below) which is not decryptable.

Secure Sockets Layer
     TLSv1.2 Record Layer: Handshake Protocol: Server Hello
         Content Type: Handshake (22)
         Version: TLS 1.2 (0x0303)
         Length: 89
         Handshake Protocol: Server Hello
             Handshake Type: Server Hello (2)
             Length: 85
             Version: TLS 1.2 (0x0303)
             Random: b8916e4e0f7c712503a77afcf4c9228598092c166353be50...
             Session ID Length: 32
             Session ID: b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...
             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
             Compression Method: null (0)
             Extensions Length: 13
             Extension: renegotiation_info (len=1)
             Extension: ec_point_formats (len=4)

I already tried importing captured SSLKEYLOG pre master secret from 
chrome and private key file issued by letsencrypt without success.

On top of that I set this line

     SSLCipherSuite !DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

in /etc/httpd/conf.d/ssl.conf and compiled openssl with no-ec no-dh 
(which worked, see below).

[admin at kamailio-sip ~]$ openssl ciphers
SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
[admin at kamailio-sip ~]$


Setting

     modparam("tls", "cipher_list", "AESCCM")

(or different ciphers) in /etc/kamailio/kamailio.cfg seems to have no 
effect on the actual negotiated cipher suite.

Am I missing something? Any help or pointers into the right direction 
will be much appreciated.


Best regards,

Ilyas Keskin
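Added here as an example for readers of this thread, not code from Kamailio, SIP.js or the poster: a small Python script that pulls the negotiated suite out of the Wireshark dissection quoted above and classifies it, together with the `openssl ciphers` list, by key exchange, which is what decides whether a capture of your own server can be decrypted from its private key (RSA key transport) or only from per-session secrets such as an SSLKEYLOGFILE (ECDHE/DHE and TLS 1.3). It goes beyond the post's single suite by also handling OpenSSL short names and TLS 1.3 names; the sample inputs are copied from the post.

```python
"""Does this capture need the server's private key, or the per-session secrets?"""
from __future__ import annotations
import re

# Constructed sample: the relevant lines of the Wireshark dissection in the post.
SERVER_HELLO = """\
Secure Sockets Layer
     TLSv1.2 Record Layer: Handshake Protocol: Server Hello
             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
             Compression Method: null (0)
"""
# Constructed sample: the `openssl ciphers` output from the post (no-ec no-dh build).
OPENSSL_CIPHERS = "SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA"


def negotiated_suite(dissection: str) -> tuple[str, int] | None:
    """Pull (IANA name, suite id) out of a Wireshark 'Cipher Suite:' line."""
    m = re.search(r"Cipher Suite:\s+(TLS_\w+)\s+\(0x([0-9a-fA-F]{4})\)", dissection)
    return (m.group(1), int(m.group(2), 16)) if m else None


def key_exchange(suite: str) -> str:
    """Classify a suite (IANA 'TLS_...' or OpenSSL short name) by key exchange.

    'ephemeral' (ECDHE/DHE, every TLS 1.3 suite): the session key comes from a fresh
    DH exchange, so the server's RSA private key never decrypts the traffic; only
    per-session secrets (e.g. an SSLKEYLOGFILE written by the client) can.
    'rsa': premaster secret encrypted to the server's RSA key, the one case Wireshark
    can decrypt from the private key file alone.
    """
    s = suite.upper()
    if s.startswith("TLS_") and "_WITH_" not in s:
        return "ephemeral"  # TLS 1.3 names carry no kex field: always (EC)DHE
    s = s[4:] if s.startswith("TLS_") else s
    if re.match(r"(ECDHE|DHE|EDH)[-_]", s):
        return "ephemeral"
    if re.match(r"(ECDH|DH)[-_]", s):
        return "static-dh"  # long-term DH key in the cert; rare, still not RSA transport
    if re.match(r"(SRP|PSK|ADH|AECDH)[-_]", s):
        return "other"  # password/pre-shared/anonymous: no RSA key transport either
    return "rsa"


def group_by_key_exchange(cipher_list: str) -> dict[str, list[str]]:
    """Group an OpenSSL ':'-separated cipher list by key-exchange class."""
    groups: dict[str, list[str]] = {}
    for name in cipher_list.strip().split(":"):
        groups.setdefault(key_exchange(name), []).append(name)
    return groups
```

Running `group_by_key_exchange(OPENSSL_CIPHERS)` shows the rebuilt OpenSSL offers no ephemeral suites at all, while `negotiated_suite(SERVER_HELLO)` shows the live server still picked an ECDHE one, so the two are clearly not the same OpenSSL.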



