[SR-Users] Disabling weak SSL Cipher suites

Federico Cabiddu federico.cabiddu at gmail.com
Sun Dec 22 18:28:35 CET 2019


Hi Arik,
I think the problem is that you are using a configuration file for tls.
In that case you have to specify parameters like ciphers there, because
the module's ones will be ignored:
http://www.kamailio.org/docs/modules/5.3.x/modules/tls.html#tls.p.config.

Cheers,

Federico

On Sun, Dec 22, 2019 at 6:16 PM Arik Halperin <arik.halperin at s3code.com>
wrote:

> Federico, Thank you
>
> I added these lines to my config:
>
> #!ifdef WITH_TLS
> # ----- tls params -----
> modparam("tls","config","/usr/local/etc/kamailio/tls.cfg")
> modparam("tls", "cipher_list", "HIGH")
> modparam("tls", "tls_method", "TLSv1.2+")
> #!endif
>
> But it still doesn’t work.
>
> I ran this test, but it still says:
>
> Cipher Suites
>
> # TLS 1.0 (suites in server-preferred order)
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   *WEAK* 256
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)   *WEAK* 256
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   *WEAK* 128
> TLS_RSA_WITH_SEED_CBC_SHA (0x96)   *WEAK* 128
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   *WEAK* 128
> TLS_RSA_WITH_RC4_128_SHA (0x5)   *INSECURE* 128
> TLS_RSA_WITH_RC4_128_MD5 (0x4)   *INSECURE* 128
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   *WEAK*
>
>
> I don’t know how to get rid of the insecure ones.
>
> Best Regards,
> Arik
>
>
> On 10 Dec 2019, at 9:03, Federico Cabiddu <federico.cabiddu at gmail.com>
> wrote:
>
> Hi,
> To enable a specific set of ciphers, have a look at the tls module's
> cipher_list param:
> http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list
> .
> For supporting specific versions of TLS look at tls_method param:
> http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method
> .
>
> Cheers,
>
> Federico
>
> On Tue, Dec 10, 2019 at 7:30 AM Arik Halperin <arik.halperin at s3code.com>
> wrote:
>
>> Hello,
>>
>> How can I disable:
>>
>>
>> TLS_RSA_WITH_RC4_128_SHA (0x5)   *INSECURE*128
>>
>> TLS_RSA_WITH_RC4_128_MD5 (0x4)   *INSECURE*128
>>
>> What should I put in cipher_list in order to disable the above?
>>
>> I would also like to support TLS 1.2 and TLS 1.3, but remove support for 1.0
>> and 1.1
>>
>> Thanks,
>> Arik Halperin
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>
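
The pitfall discussed in this thread can be checked mechanically before restarting the server. The following is an added example, not code from the thread or from the Kamailio project: a small Python linter that reports tls modparams that are ignored once `config` is set, and server profiles in tls.cfg that lack their own `method` or `cipher_list`. It assumes the tls.cfg key names `method` and `cipher_list` as given in the tls module documentation, uses constructed sample files, and does not evaluate `#!ifdef` preprocessing.

```python
import re

# Active (uncommented) tls modparam lines in kamailio.cfg.
MODPARAM = re.compile(r'^\s*modparam\(\s*"tls"\s*,\s*"(\w+)"\s*,\s*"([^"]*)"\s*\)', re.M)
SECTION = re.compile(r'^\[((?:server|client):[^\]]+)\]$')
# modparam name -> key for the same setting inside tls.cfg (per the tls module docs).
PER_PROFILE = {"cipher_list": "cipher_list", "tls_method": "method"}

def parse_tls_cfg(text):
    """Return {profile: {key: value}} for a tls.cfg-style file."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return profiles

def lint(kamailio_cfg, tls_cfg):
    """List settings that will not take effect the way the admin expects."""
    params = dict(MODPARAM.findall(kamailio_cfg))
    if "config" not in params:
        return []   # no tls.cfg in use: the modparams apply
    findings = [f'modparam "{p}" is ignored because "config" is set'
                for p in PER_PROFILE if p in params]
    for name, keys in parse_tls_cfg(tls_cfg).items():
        if name.startswith("server:"):
            findings += [f"[{name}] has no {key}; set it in tls.cfg"
                         for key in PER_PROFILE.values() if key not in keys]
    return findings

# Constructed inputs: the modparam lines from the thread, and a minimal tls.cfg.
KAMAILIO_CFG = '''#!ifdef WITH_TLS
modparam("tls","config","/usr/local/etc/kamailio/tls.cfg")
modparam("tls", "cipher_list", "HIGH")
modparam("tls", "tls_method", "TLSv1.2+")
#!endif
'''
TLS_CFG_BEFORE = "[server:default]\nprivate_key = /path/to/key.pem  # placeholder\n"
TLS_CFG_AFTER = TLS_CFG_BEFORE + "method = TLSv1.2+\ncipher_list = HIGH\n"

if __name__ == "__main__":
    for label, cfg in (("before", TLS_CFG_BEFORE), ("after", TLS_CFG_AFTER)):
        print(label, lint(KAMAILIO_CFG, cfg))
```

After moving the settings into tls.cfg, the two remaining findings are the now-redundant modparam lines; re-running the external cipher scan is still the check that confirms what the server actually offers.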