[SR-Users] Disabling weak SSL Cypher suites

Arik Halperin arik.halperin at s3code.com
Sun Dec 22 18:14:37 CET 2019


Federico, Thank you

I added these lines to my config:

#!ifdef WITH_TLS
# ----- tls params -----
modparam("tls","config","/usr/local/etc/kamailio/tls.cfg")
modparam("tls", "cipher_list", "HIGH")
modparam("tls", "tls_method", "TLSv1.2+")
#!endif

But it still doesn’t work.  

I ran this test, but it still says:

Cipher Suites
# TLS 1.0 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK	256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)   WEAK	256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK	128
TLS_RSA_WITH_SEED_CBC_SHA (0x96)   WEAK	128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   WEAK	128
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE	128
TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE	128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK


I don’t know how to get rid of the insecure ones. 

Best Regards,
Arik


> On 10 Dec 2019, at 9:03, Federico Cabiddu <federico.cabiddu at gmail.com> wrote:
> 
> Hi,
> for enabling a specific set of ciphers have a look at tls module's cipher_list param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list
> For supporting specific versions of TLS look at tls_method param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method
> 
> Cheers,
> 
> Federico
> 
> On Tue, Dec 10, 2019 at 7:30 AM Arik Halperin <arik.halperin at s3code.com> wrote:
> Hello,
> 
> How can I disable:
> 
> 
> TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE	128
> 
> TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE	128
> 
> What should I put in cypher_list in order to disable the above?
> 
> I would also like to support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1
> 
> Thanks,
> Arik Halperin
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
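
An offline check for the cipher_list value discussed in this thread, added here as an example and not part of either poster's message or of Kamailio: it expands an OpenSSL cipher string with the local OpenSSL and groups the result, so you can see what "HIGH" leaves enabled (for instance AES256-SHA, the OpenSSL name for TLS_RSA_WITH_AES_256_CBC_SHA). The second cipher string and the function names are assumptions for illustration; the result reflects the OpenSSL build Python is linked against, not what a running server negotiates.

```python
import ssl

# Name fragments (OpenSSL naming) for the algorithms the scan output flags:
# RC4-SHA, RC4-MD5, DES-CBC3-SHA, SEED-SHA, CAMELLIA*-SHA.
FLAGGED = ("RC4", "DES", "SEED", "CAMELLIA", "MD5")


def expand(cipher_list):
    """Suites the local OpenSSL enables for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # ssl.SSLError if the string selects nothing
    return ctx.get_ciphers()


def audit(cipher_list):
    """Split the enabled suites into the groups a scanner would complain about."""
    report = {"flagged": [], "static_rsa": [], "other": []}
    for suite in expand(cipher_list):
        name = suite["name"]
        fields = suite["description"].split()
        if any(tag in name for tag in FLAGGED):
            report["flagged"].append(name)
        elif "Kx=RSA" in fields:
            report["static_rsa"].append(name)  # RSA key exchange, no forward secrecy
        else:
            report["other"].append(name)
    return report


if __name__ == "__main__":
    # "HIGH" is the value from the post; the second string is a constructed,
    # stricter alternative used only for comparison.
    for cipher_list in ("HIGH", "ECDHE+AESGCM"):
        result = audit(cipher_list)
        print(f"cipher_list = {cipher_list!r} ({ssl.OPENSSL_VERSION})")
        for group, names in result.items():
            print(f"  {group:10} {len(names):3}  {' '.join(names)}")
```

TLS 1.3 suites appear in every result because they are configured separately from the cipher string.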
