[SR-Users] TLS cipher suites

Carsten Bock carsten at ng-voice.com
Wed Jan 3 11:25:53 CET 2018


Hi,

It also depends on the version of OpenSSL Kamailio was compiled against...

I can confirm that Kamailio supports Elliptic Curve Diffie-Hellman
(ECDHE), as I added support for it... ;-)

Thanks,
Carsten

2018-01-03 9:46 GMT+01:00 Karsten Horsmann <khorsmann at gmail.com>:

> Hello,
>
>
> There is an ssldump example on the kamailio.org wiki to see the cipher suites.
>
> AFAIK it depends on your certificate/CA and how you create it.
>
> I see this with a test self-signed certificate that I did with one cipher
> only.
>
> And of course your client needs support for it.
>
> On 02.01.2018 at 5:16 PM, "Steve" <smh2017 at zoho.com> wrote:
>
>> I have a question about deploying TLSv1.2 with Kamailio 4.3.4-1 on a
>> Lubuntu 16.4.3 desktop environment. I changed the Kamailio default
>> *tls.cfg* file under the section [server:default] to “method=TLSv1.2”
>> and am using OpenSSL 1.0.2g from the Lubuntu repository. All the
>> programs were loaded through the Synaptic Package Manager.
>>
>> My question is whether this version of Kamailio supports the cipher suite
>> ECDHE-RSA-AES256-GCM-SHA384. My version of OpenSSL lists it as an option,
>> but the highest strength cipher that the Kamailio 4.3.4 server seems to
>> accept is RSA-AES256-GCM-SHA384. My (limited) understanding is that ECDHE
>> is a better method of key exchange than RSA because it is ephemeral with
>> forward secrecy.
>>
>> I used Wireshark to look at the connection protocols for SIP clients
>> Jitsi and Blink with the Kamailio server. Jitsi offers only four cipher
>> choices of what I understand are considered compromised security TLS
>> protocols and it connected with the RSA-AES128-CBC-SHA cipher. Blink offers
>> 65 cipher choices, starting with ECDHE-RSA-AES256-GCM-SHA384. My Kamailio
>> server accepted the 29th offering on the list, RSA-AES256-GCM-SHA384.
>> Unless I am missing something, Kamailio 4.3.4 doesn’t seem to support
>> ephemeral DH key exchanges. Is there some other TLS configuration file or
>> setting for Kamailio that can be changed to allow this?
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


-- 
Carsten Bock
CEO (Managing Director)

ng-voice GmbH
Millerntorplatz 1
20359 Hamburg / Germany

http://www.ng-voice.com
mailto:carsten at ng-voice.com

Office +49 40 5247593-40
Fax +49 40 5247593-99

Registered office: Hamburg
Commercial register: Amtsgericht Hamburg (Hamburg District Court), HRB 120189
Managing Director: Carsten Bock
VAT ID: DE279344284

Our mandatory company disclosures can be found here:
http://www.ng-voice.com/imprint/
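
Added example, not part of the original message or of Kamailio: a small Python check for the situation described in the thread, where a client offers ECDHE suites first and the server picks a plain RSA key-exchange suite further down the list. The function names, verdict labels and sample offer lists are assumptions constructed for illustration; suite names are taken as the strings a capture tool displays.

```python
# Added example (not from the thread): audit one TLS 1.2 handshake for
# forward-secret suites the server passed over. Suite names are OpenSSL-style
# or IANA-style strings as a capture tool would display them.

OPENSSL_EPHEMERAL = ("ECDHE-", "DHE-", "EDH-")
IANA_EPHEMERAL = ("TLS_ECDHE_", "TLS_DHE_")


def is_forward_secret(suite):
    """True if the suite's key exchange is ephemeral (EC)DH."""
    name = suite.strip().upper()
    if name.endswith("_SCSV"):
        return False  # signalling pseudo-suite, not a real cipher suite
    if name.startswith("TLS_") and "_WITH_" not in name:
        return True  # TLS 1.3 suite names: key exchange is always ephemeral
    return name.startswith(OPENSSL_EPHEMERAL + IANA_EPHEMERAL)


def audit_handshake(offered, selected):
    """offered: ClientHello suites in order; selected: ServerHello suite."""
    offered = [s.strip().upper() for s in offered]
    selected = selected.strip().upper()
    if selected not in offered:
        raise ValueError("selected suite was not in the client's offer")
    position = offered.index(selected)
    skipped = [s for s in offered[:position] if is_forward_secret(s)]
    if is_forward_secret(selected):
        verdict = "forward-secret"
    elif skipped:
        verdict = "server-skipped-fs"    # look at the server's OpenSSL/config
    elif any(is_forward_secret(s) for s in offered):
        verdict = "fs-offered-lower"     # client ranks non-FS suites first
    else:
        verdict = "client-offers-no-fs"  # nothing the server could pick
    return {"position": position + 1, "skipped_fs": skipped, "verdict": verdict}


# Constructed sample data, not the captures from the thread.
OFFER_WITH_FS = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                 "RSA-AES256-GCM-SHA384", "RSA-AES128-CBC-SHA"]
OFFER_WITHOUT_FS = ["RSA-AES128-CBC-SHA", "RSA-AES256-CBC-SHA"]

if __name__ == "__main__":
    print(audit_handshake(OFFER_WITH_FS, "RSA-AES256-GCM-SHA384"))
    print(audit_handshake(OFFER_WITHOUT_FS, "RSA-AES128-CBC-SHA"))
```

A "server-skipped-fs" verdict points at the server side (the OpenSSL build or the TLS configuration), while "client-offers-no-fs" means no server setting can produce a forward-secret session with that client.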