[SR-Users] Disabling weak SSL Cypher suites
Arik Halperin
arik.halperin at s3code.com
Sun Dec 22 20:56:11 CET 2019
Federico, thanks
Did the changes in the file. It’s fixed.
Arik
> On 22 Dec 2019, at 19:28, Federico Cabiddu <federico.cabiddu at gmail.com> wrote:
>
> Hi Arik,
> I think that the problem is that you are using a configuration file for tls.
> In this case you have to specify there the parameters like ciphers, because the module's ones will be ignored: http://www.kamailio.org/docs/modules/5.3.x/modules/tls.html#tls.p.config <http://www.kamailio.org/docs/modules/5.3.x/modules/tls.html#tls.p.config>.
>
> Cheers,
>
> Federico
>
> On Sun, Dec 22, 2019 at 6:16 PM Arik Halperin <arik.halperin at s3code.com <mailto:arik.halperin at s3code.com>> wrote:
> Federico, Thank you
>
> I added these lines to my config:
>
> #!ifdef WITH_TLS
> # ----- tls params -----
> modparam("tls","config","/usr/local/etc/kamailio/tls.cfg")
> modparam("tls", "cipher_list", "HIGH")
> modparam("tls", "tls_method", "TLSv1.2+")
> #!endif
>
> But it still doesn’t work.
>
> I ran this test, but it still says:
>
> Cipher Suites
> # TLS 1.0 (suites in server-preferred order)
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
> TLS_RSA_WITH_SEED_CBC_SHA (0x96) WEAK 128
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128
> TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
> TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
>
>
> I don’t know how to get rid of the insecure ones.
>
> Best Regards,
> Arik
>
>
>> On 10 Dec 2019, at 9:03, Federico Cabiddu <federico.cabiddu at gmail.com <mailto:federico.cabiddu at gmail.com>> wrote:
>>
>> Hi,
>> for enabling a specific set of ciphers have a look at tls module's cipher_list param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list <http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list>.
>> For supporting specific versions of TLS look at tls_method param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method <http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method>.
>>
>> Cheers,
>>
>> Federico
>>
>> On Tue, Dec 10, 2019 at 7:30 AM Arik Halperin <arik.halperin at s3code.com <mailto:arik.halperin at s3code.com>> wrote:
>> Hello,
>>
>> How can I disable:
>>
>>
>> TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE128
>>
>> TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE128
>>
>> What should I put in cypher_list in order to disable the above?
>>
>> I would also like support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1
>>
>> Thanks,
>> Arik Halperin
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org <mailto:sr-users at lists.kamailio.org>
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org <mailto:sr-users at lists.kamailio.org>
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org <mailto:sr-users at lists.kamailio.org>
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20191222/fc8ee150/attachment.html>
More information about the sr-users
mailing list