[SR-Users] Support of ECDHE cipher suites for tls connection in kamailio

Илья Болмосов bolmosov.ilia at gmail.com
Tue Aug 2 15:14:13 CEST 2022


Hello.
I have a question about support for ECDHE cipher suites in kamailio-5.6.0 on
CentOS 7 with OpenSSL 1.0.2k-fips installed. We received kamailio with its
modules from https://rpm.kamailio.org/.
Our client can use only the following cipher suites:

TLS_AES_256_GCM_SHA384 (0x1302)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_128_GCM_SHA256 (0x1301)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

And some of them are supported by our openssl:

$ openssl ciphers -V
...
0xC0,0x14 - ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA   Enc=AES(256)  Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
...
0xC0,0x13 - ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA   Enc=AES(128)  Mac=SHA1
0xC0,0x09 - ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
...

But when trying to connect with, for example, cipher suite
ECDHE-RSA-AES256-SHA (the same happens with the other 3 cipher suites), we
find that it is not allowed:

$ openssl s_client -connect ${kamailio-server-ip}:${kamailio-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
...

To exclude the influence of other factors, I installed nginx on the same
machine using the same TLS certificate, and it can use the cipher suites
ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA.

$ openssl s_client -connect ${nginx-server-ip}:${nginx-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 3271 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
...

So the reason for the failed handshake is probably kamailio.
I tried to add the cipher_list modparam:

modparam("tls", "cipher_list", "ECDHE-RSA-AES256-SHA")

but the result is the same:

$ openssl s_client -connect ${kamailio-server-ip}:${kamailio-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
...

Can you please help me add support for the cipher suites
ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA to kamailio?
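
The per-cipher check that the message above runs by hand, as an added example that is not part of the original post: it repeats the same `openssl s_client -connect ... -cipher ...` call for each suite and reads the "Cipher is" line to decide whether the server accepted it. The function names are assumptions, and the embedded samples are the two handshake results quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are assumptions.

# Read `openssl s_client` output on stdin and print the negotiated cipher,
# or "NONE" when no "Cipher is" line names one (failed handshake).
negotiated_cipher() {
    awk '
        /^New, .*Cipher is / {
            c = $0
            sub(/^.*Cipher is /, "", c)   # keep only the cipher name
            gsub(/[() \t\r]/, "", c)      # "(NONE)" -> "NONE"
            found = 1
            print c
            exit
        }
        END { if (!found) print "NONE" }
    '
}

# Probe host:port ($1) once per cipher name in the remaining arguments.
# "rejected" also covers a refused or timed-out connection.
# Usage: probe_ciphers HOST:PORT ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
probe_ciphers() {
    target=$1
    shift
    for c in "$@"; do
        got=$(openssl s_client -connect "$target" -cipher "$c" \
                  </dev/null 2>/dev/null | negotiated_cipher)
        if [ "$got" = "$c" ]; then echo "$c accepted"; else echo "$c rejected"; fi
    done
}

# The two handshake results quoted in the post, embedded so this runs offline.
sample_failed() {
    cat <<'EOF'
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
EOF
}
sample_ok() {
    cat <<'EOF'
SSL handshake has read 3271 bytes and written 406 bytes
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
EOF
}

echo "kamailio sample: $(sample_failed | negotiated_cipher)"
echo "nginx sample:    $(sample_ok | negotiated_cipher)"
```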