[SR-Users] Cannot disable EC Diffie Hellman cipher suite

Daniel-Constantin Mierla miconda at gmail.com
Fri Nov 24 15:45:00 CET 2017


Hello,


On 23.11.17 22:42, Ilyas Keskin wrote:
>
> Hi there,
>
> I have set up a Kamailio 4.2.0 SIP server (CentOS 7) for a university
> project regarding WebRTC communication. While kamailio handles the
> signaling path I use the SIP.js demo phone js application (hosted on
> the same machine as kamailio) for actual WebRTC stuff.
> For a deeper understanding and documentation purposes I have been
> trying to sniff the traffic with wireshark but failed due to the fact
> that kamailio uses Elliptic Curve Diffie Hellman cipher suite (see
> wireshark snippet below) which is not decryptable.
>
> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Server Hello
>         Content Type: Handshake (22)
>         Version: TLS 1.2 (0x0303)
>         Length: 89
>         Handshake Protocol: Server Hello
>             Handshake Type: Server Hello (2)
>             Length: 85
>             Version: TLS 1.2 (0x0303)
>             Random: b8916e4e0f7c712503a77afcf4c9228598092c166353be50...
>             Session ID Length: 32
>             Session ID:
> b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...
>             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>             Compression Method: null (0)
>             Extensions Length: 13
>             Extension: renegotiation_info (len=1)
>             Extension: ec_point_formats (len=4)
>
> I already tried importing captured SSLKEYLOG pre master secret from
> chrome and private key file issued by letsencrypt without success.
>
> On top of that I set this line
>
>     SSLCipherSuite
> !DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
>
> in /etc/httpd/conf.d/ssl.conf and compiled openssl with no-ec no-dh
> (which worked see below).
>
> [admin at kamailio-sip ~]$ openssl ciphers
> SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
> [admin at kamailio-sip ~]$
>
>
> Setting
>
>     modparam("tls", "cipher_list", "AESCCM")
>
> (or different ciphers) in /etc/kamailio/kamailio.cfg seems to have no
> effect on the actual negotiated cipher suite.
>
> Am I missing something? Any help or pointers into the right direction
> will be much appreciated.
>
>
Are you also using tls.cfg? If yes, there is an attribute for cipher
list in it as well; try and see if it works with it.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
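As an added example (not part of the thread or of Kamailio), a small Python parser for a TLS 1.2 ServerHello like the one in the Wireshark snippet above: it extracts the negotiated cipher suite and reports whether the key exchange is ephemeral, which is exactly what makes such a capture undecryptable with the server's private key alone. The cipher-suite table is a hand-picked subset of the IANA registry and the sample bytes are constructed here; only the field values mirror the snippet.

```python
import struct

# Cipher-suite table (IANA ids) for the suites relevant here; kx = key exchange.
CIPHER_SUITES = {
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
}

def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS 1.2 record carrying a ServerHello; return its key fields."""
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a Handshake record")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 2 or hs_len != len(body) - 4:
        raise ValueError("not a well-formed ServerHello")
    hs = body[4:]                      # version(2) random(32) sid_len(1) sid ...
    sid_len = hs[34]
    pos = 35 + sid_len
    (suite,) = struct.unpack("!H", hs[pos:pos + 2])
    name, kx = CIPHER_SUITES.get(suite, ("unknown", "unknown"))
    return {
        "version": version,
        "session_id_len": sid_len,
        "cipher_suite": suite,
        "cipher_name": name,
        "key_exchange": kx,
        # Only static RSA key exchange can be decrypted with the server's
        # private key; (EC)DHE suites need the client's key log instead.
        "decryptable_with_server_key": kx == "RSA",
    }

# Constructed ServerHello reproducing the field values of the Wireshark
# snippet in the thread (random and session id bytes are made up).
SERVER_HELLO = (
    bytes.fromhex("16 0303 0059")                 # Handshake, TLS 1.2, length 89
    + bytes.fromhex("02 000055")                  # ServerHello, length 85
    + bytes.fromhex("0303") + bytes(range(32))    # version, random
    + bytes([32]) + bytes(range(32, 64))          # session id length, session id
    + bytes.fromhex("c02f 00")                    # TLS_ECDHE_RSA_..., compression null
    + bytes.fromhex("000d")                       # extensions length 13
    + bytes.fromhex("ff01 0001 00")               # renegotiation_info (len=1)
    + bytes.fromhex("000b 0004 03000102")         # ec_point_formats (len=4)
)
```

Running `parse_server_hello(SERVER_HELLO)` on the constructed record reports the ECDHE suite 0xc02f and `decryptable_with_server_key: False`; swapping in a static-RSA suite id flips that flag, which is the difference the original poster ran into.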
