[SR-Users] *** GMX Spamverdacht *** Re: Cannot disable EC Diffie Hellman cipher suite

Ilyas Keskin ilyask92 at gmx.de
Fri Nov 24 21:02:10 CET 2017


Hey otron,

good call, but in the meantime I already tried setting the following 
which should exclude all cipher suites and only use AES128 (afaik):

     cipher_list = NONE:AES128-SHA256


Best regards,
Ilyas Keskin

On 24.11.2017 at 20:48, otron2016 at gmail.com wrote:
> Just a guess but maybe later entries [like +HIGH:+MEDIUM:+LOW] put it 
> back.  Try switching the order so that !ECDHE and the others you're 
> trying to exclude come after.
>
> Sent from Samsung Mobile
>
> -------- Original message --------
> From: Ilyas Keskin <ilyask92 at gmx.de>
> Date: 11/24/2017 10:19 AM (GMT-08:00)
> To: miconda at gmail.com,"Kamailio (SER) - Users Mailing List" 
> <sr-users at lists.kamailio.org>
> Subject: Re: [SR-Users] Cannot disable EC Diffie Hellman cipher suite
>
>
> Hi Daniel,
>
> Yes, I am using the tls.cfg file. I tried your suggestion to add the 
> cipher suite string (notice the !ECDHE, which I also added to the httpd 
> ssl.conf) but nothing changed.
>
>     [server:default]
>     method = TLSv1
>     cipher_list = !DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>     verify_certificate = no
>     require_certificate = no
>     private_key = /etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem
>     certificate = /etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem
>     #ca_list = ./modules/tls/cacert.pem
>     #crl = ./modules/tls/crl.pem
>
> Also, here is a log snippet from the tls module section of the kamailio 
> initialization. Notice the first two lines. Also, it seems to me the module 
> actually ignores the local openssl installation and uses its own, which 
> has been compiled with the module itself (?).
> Other than that, it seems to be accepting the cipher_list value just fine:
>
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_mod.c:355]: mod_init(): With ECDH-Support!
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_mod.c:358]: mod_init(): With Diffie Hellman
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_init.c:587]: init_tls_h(): tls: _init_tls_h:  compiled with  openssl  version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos support: on, compression: on
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_init.c:595]: init_tls_h(): tls: init_tls_h: installed openssl library version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos support: on,  zlib compression:
> compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tls [tls_init.c:649]: init_tls_h(): tls: openssl bug #1491 (crash/mem leaks on low memory) workaround enabled (on low memory tls operations will fail preemptively) with free
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core> [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): tls.low_mem_threshold1 has been changed to 7864320
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core> [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): tls.low_mem_threshold2 has been changed to 3932160
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: fixup_routes(): WARNING: t_on_branch("MANAGE_BRANCH"): empty/non existing route
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: fixup_routes(): WARNING: t_on_reply("MANAGE_REPLY"): empty/non existing route
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: fixup_routes(): WARNING: t_on_failure("MANAGE_FAILURE"): empty/non existing route
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core> [udp_server.c:175]: probe_max_receive_buffer(): SO_RCVBUF is initially 212992
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: <core> [udp_server.c:225]: probe_max_receive_buffer(): SO_RCVBUF is finally 425984
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:275]: fill_missing(): TLSs<default>: tls_method=12
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:287]: fill_missing(): TLSs<default>: certificate='/etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:294]: fill_missing(): TLSs<default>: ca_list='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:301]: fill_missing(): TLSs<default>: crl='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:305]: fill_missing(): TLSs<default>: require_certificate=0
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:312]: fill_missing(): TLSs<default>: cipher_list='!DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:319]: fill_missing(): TLSs<default>: private_key='/etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:323]: fill_missing(): TLSs<default>: verify_certificate=0
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:326]: fill_missing(): TLSs<default>: verify_depth=9
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:670]: set_verification(): TLSs<default>: No client certificate required and no checks performed
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:275]: fill_missing(): TLSc<default>: tls_method=12
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:287]: fill_missing(): TLSc<default>: certificate='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:294]: fill_missing(): TLSc<default>: ca_list='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:301]: fill_missing(): TLSc<default>: crl='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:305]: fill_missing(): TLSc<default>: require_certificate=1
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:312]: fill_missing(): TLSc<default>: cipher_list='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:319]: fill_missing(): TLSc<default>: private_key='(null)'
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:323]: fill_missing(): TLSc<default>: verify_certificate=1
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:326]: fill_missing(): TLSc<default>: verify_depth=9
> Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:655]: set_verification(): TLSc<default>: Server MUST present valid certificate
>
> Would it be possible to compile the tls module with certain openssl 
> config switches (i.e. no-ec no-dh)?
> Any other ideas?
>
> Best regards,
> Ilyas Keskin
>
> On 24.11.2017 at 15:45, Daniel-Constantin Mierla wrote:
>>
>> Hello,
>>
>>
>> On 23.11.17 22:42, Ilyas Keskin wrote:
>>>
>>> Hi there,
>>>
>>> I have set up a Kamailio 4.2.0 SIP server (CentOS 7) for a 
>>> university project regarding WebRTC communication. While kamailio 
>>> handles the signaling path, I use the SIP.js demo phone js 
>>> application (hosted on the same machine as kamailio) for the actual 
>>> WebRTC stuff.
>>> For a deeper understanding and documentation purposes I have been 
>>> trying to sniff the traffic with wireshark but failed due to the 
>>> fact that kamailio uses an Elliptic Curve Diffie Hellman cipher suite 
>>> (see wireshark snippet below) which is not decryptable.
>>>
>>> Secure Sockets Layer
>>>     TLSv1.2 Record Layer: Handshake Protocol: Server Hello
>>>         Content Type: Handshake (22)
>>>         Version: TLS 1.2 (0x0303)
>>>         Length: 89
>>>         Handshake Protocol: Server Hello
>>>             Handshake Type: Server Hello (2)
>>>             Length: 85
>>>             Version: TLS 1.2 (0x0303)
>>>             Random: b8916e4e0f7c712503a77afcf4c9228598092c166353be50...
>>>             Session ID Length: 32
>>>             Session ID: b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...
>>>             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>>>             Compression Method: null (0)
>>>             Extensions Length: 13
>>>             Extension: renegotiation_info (len=1)
>>>             Extension: ec_point_formats (len=4)
>>>
>>> I already tried importing captured SSLKEYLOG pre master secret from 
>>> chrome and private key file issued by letsencrypt without success.
>>>
>>> On top of that I set this line
>>>
>>>     SSLCipherSuite !DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>>
>>> in /etc/httpd/conf.d/ssl.conf and compiled openssl with no-ec no-dh 
>>> (which worked see below).
>>>
>>> [admin at kamailio-sip ~]$ openssl ciphers
>>> SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
>>> [admin at kamailio-sip ~]$
>>>
>>>
>>> Setting
>>>
>>>     modparam("tls", "cipher_list", "AESCCM")
>>>
>>> (or different ciphers) in /etc/kamailio/kamailio.cfg seems to have 
>>> no effect on the actual negotiated cipher suite.
>>>
>>> Am I missing something? Any help or pointers into the right 
>>> direction will be much appreciated.
>>>
>>>
>> Are you also using tls.cfg? If yes, there is an attribute for the cipher 
>> list in it as well; try and see if it works with it.
>>
>> Cheers,
>> Daniel
>> -- 
>> Daniel-Constantin Mierla
>> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>> Kamailio Advanced Training - www.asipto.com
>> Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
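The thread turns on how OpenSSL evaluates a cipher-list string such as the one in the tls.cfg above. As an added example (editor's code, not from the thread, Kamailio or OpenSSL), the Python below models the rule semantics documented in the OpenSSL ciphers(1) manual: a plain word appends matching suites, `+word` only moves already-present matches to the end and adds nothing, `-word` removes matches but later entries may add them back, `!word` removes matches permanently, words joined with `+` inside one entry are ANDed (`RC4+RSA`), and unrecognised words match no suite and are ignored. The suite catalogue and its strength labels are constructed for the demo from suite names that appear in the thread; which suites a real build knows depends on the linked OpenSSL, so confirm the expansion on the actual host with `openssl ciphers -v '<string>'`.

```python
"""Toy model of OpenSSL cipher-list string processing (editor's example).

Rule semantics as documented in ciphers(1):
  word      append matching suites not already present (and not killed)
  +word     move already-present matches to the end; adds nothing
  -word     remove matches; later entries may add them back
  !word     remove matches permanently; nothing can add them back
  a+b       within one entry, '+' joins conditions (logical AND)
Unknown words match no suite, so such entries are silently ignored.
The catalogue below is constructed for the demo; the real list depends
on the linked OpenSSL build (check with `openssl ciphers -v '<string>'`).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str      # OpenSSL suite name
    kx: str        # key exchange: RSA, DHE, ECDHE
    auth: str      # authentication: RSA
    enc: str       # bulk cipher: AES128, AES128GCM, RC4, 3DES
    mac: str       # SHA, SHA256, AEAD
    strength: str  # HIGH, MEDIUM, LOW (constructed labels)


# Constructed catalogue: a handful of suites named in the thread.
CATALOGUE = [
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "RSA", "AES128GCM", "AEAD", "HIGH"),
    Suite("ECDHE-RSA-AES128-SHA256", "ECDHE", "RSA", "AES128", "SHA256", "HIGH"),
    Suite("DHE-RSA-AES128-SHA", "DHE", "RSA", "AES128", "SHA", "HIGH"),
    Suite("AES128-GCM-SHA256", "RSA", "RSA", "AES128GCM", "AEAD", "HIGH"),
    Suite("AES128-SHA256", "RSA", "RSA", "AES128", "SHA256", "HIGH"),
    Suite("AES128-SHA", "RSA", "RSA", "AES128", "SHA", "HIGH"),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", "SHA", "MEDIUM"),
    Suite("DES-CBC3-SHA", "RSA", "RSA", "3DES", "SHA", "MEDIUM"),
]

# The cipher_list quoted in the thread (an httpd-style string).
THREAD_CIPHER_LIST = ("!DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:"
                      "+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL")


def matches(word: str, s: Suite) -> bool:
    """Does alias or suite name `word` select suite `s`? Unknown words never match."""
    aliases = {
        "ALL": True,
        "HIGH": s.strength == "HIGH",
        "MEDIUM": s.strength == "MEDIUM",
        "LOW": s.strength == "LOW",
        "RSA": s.kx == "RSA", "kRSA": s.kx == "RSA", "aRSA": s.auth == "RSA",
        "DH": s.kx == "DHE", "EDH": s.kx == "DHE", "DHE": s.kx == "DHE",
        "ECDH": s.kx == "ECDHE", "ECDHE": s.kx == "ECDHE", "EECDH": s.kx == "ECDHE",
        "AES128": s.enc.startswith("AES128"),
        "AESGCM": s.enc.endswith("GCM"),
        "RC4": s.enc == "RC4",
        "3DES": s.enc == "3DES",
        "SHA": s.mac == "SHA", "SHA256": s.mac == "SHA256",
    }
    return aliases.get(word, s.name == word)


def expand_cipher_list(spec: str, catalogue=CATALOGUE) -> list[str]:
    """Return the ordered suite names that `spec` selects from `catalogue`."""
    active: list[Suite] = []   # current preference list, in order
    killed: set[str] = set()   # names removed with '!' (permanent)
    for entry in spec.split(":"):
        if not entry:
            continue
        op = ""
        if entry[0] in "!-+":
            op, entry = entry[0], entry[1:]
        words = entry.split("+")   # 'RC4+RSA' means RC4 AND RSA
        matched = [s for s in catalogue if all(matches(w, s) for w in words)]
        if op == "!":
            killed.update(s.name for s in matched)
            active = [s for s in active if s.name not in killed]
        elif op == "-":
            active = [s for s in active if s not in matched]
        elif op == "+":
            moved = [s for s in active if s in matched]
            active = [s for s in active if s not in matched] + moved
        else:
            for s in matched:
                if s.name not in killed and s not in active:
                    active.append(s)
    return [s.name for s in active]


if __name__ == "__main__":
    for spec in (THREAD_CIPHER_LIST, "NONE:AES128-SHA256",
                 "ALL:!ECDHE:+HIGH", "ALL:-ECDHE:ECDHE-RSA-AES128-GCM-SHA256"):
        print(f"{spec}\n  -> {expand_cipher_list(spec)}")
```

Two things the model makes visible: the thread's string has no additive entry other than `RC4+RSA`, so in this model it selects nothing but RC4 suites with RSA key exchange (the `+HIGH:+MEDIUM:...` tail only reorders what is already present), and a `+` alias after a `!` exclusion cannot bring the excluded suites back, whereas `-` followed by an explicit name does.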
