[SR-Users] TLS cipher suites

Steve smh2017 at zoho.com
Tue Jan 2 17:15:15 CET 2018


I have a question about deploying TLSv1.2 with Kamailio 4.3.4-1 on a
Lubuntu 16.4.3 desktop environment. I changed the Kamailio default
/tls.cfg/ file under the section [server:default] to “method=TLSv1.2”
and am using OpenSSL 1.0.2g from the Lubuntu repository. All the
programs were loaded through the Synaptic Package Manager.

My question is whether this version of Kamailio supports the cipher
suite ECDHE-RSA-AES256-GCM-SHA384. My version of OpenSSL lists it as an
option, but the highest strength cipher that the Kamailio 4.3.4 server
seems to accept is RSA-AES256-GCM-SHA384. My (limited) understanding is
that ECDHE is a better method of key exchange than RSA because it is
ephemeral with forward secrecy.

I used Wireshark to look at the connection protocols for SIP clients
Jitsi and Blink with the Kamailio server. Jitsi offers only four cipher
choices of what I understand are considered compromised security TLS
protocols and it connected with the RSA-AES128-CBC-SHA cipher. Blink
offers 65 cipher choices, starting with ECDHE-RSA-AES256-GCM-SHA384. My
Kamailio server accepted the 29th offering on the list,
RSA-AES256-GCM-SHA384. Unless I am missing something, Kamailio 4.3.4
doesn’t seem to support ephemeral DH key exchanges. Is there some other
TLS configuration file or setting for Kamailio that can be changed to
allow this?
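One way to check what a given OpenSSL cipher string actually permits before putting it into a server's `cipher_list` (the tls.cfg parameter Kamailio's tls module exposes), and which suite a client-preference negotiation would land on, is to expand it through OpenSSL and classify each suite by key exchange. This is an added example, not code from the post or from Kamailio; the client offer below is constructed to mirror the post's description (ECDHE first, static RSA later), and the expansion only shows what the cipher string allows, not whether the server's TLS stack has ECDH parameters configured.

```python
import ssl

# Constructed client offer in preference order, modelled on the post: an
# ECDHE-RSA GCM suite first, a static-RSA GCM suite further down the list.
CLIENT_OFFER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES256-GCM-SHA384",   # static RSA key exchange: no forward secrecy
    "AES128-GCM-SHA256",
]


def expand_cipher_list(cipher_string):
    """Expand an OpenSSL cipher string (the syntax a cipher_list takes) into
    {suite_name: key_exchange_algorithm}, TLS 1.3 suites excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    return {c["name"]: c["kea"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def has_forward_secrecy(kea):
    # OpenSSL reports the key exchange as 'kx-ecdhe', 'kx-dhe', 'kx-rsa', ...
    # Only the ephemeral (E)DH variants give forward secrecy.
    return kea in ("kx-ecdhe", "kx-dhe")


def non_pfs_suites(cipher_string):
    """Suites in the expanded string that use static RSA (or other non-PFS) kex."""
    return sorted(n for n, kea in expand_cipher_list(cipher_string).items()
                  if not has_forward_secrecy(kea))


def negotiate(client_offer, server_ciphers):
    """First client-offered suite the server supports (client preference).
    Returns (position, suite, forward_secrecy) or None if nothing overlaps."""
    for pos, name in enumerate(client_offer, start=1):
        if name in server_ciphers:
            return pos, name, has_forward_secrecy(server_ciphers[name])
    return None


if __name__ == "__main__":
    # A server limited to static-RSA suites picks the first one the client
    # offers, however far down the client's list it is, and loses PFS.
    weak = expand_cipher_list("AES256-GCM-SHA384:AES128-GCM-SHA256")
    print("weak server  :", negotiate(CLIENT_OFFER, weak))
    strong = expand_cipher_list("ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384")
    print("strong server:", negotiate(CLIENT_OFFER, strong))
    print("non-PFS suites in strong string:", non_pfs_suites("ECDHE+AESGCM:AES256-GCM-SHA384"))
```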


