[SR-Users] Support of ECDHE cipher suites for tls connection in kamailio

Henning Westerholt hw at gilawa.com
Wed Aug 3 13:25:57 CEST 2022 

Hello,

any error messages related to tls in the kamailio.log? Do you see in the logs that its actually set the ciphers?

If you are using also a dedicated tls.cfg, you might need to place the cipher_list there.

Cheers,

Henning

From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of ???? ????????
Sent: Tuesday, August 2, 2022 3:14 PM
To: sr-users at lists.kamailio.org
Subject: [SR-Users] Support of ECDHE cipher suites for tls connection in kamailio

Hello.
I have a question about support of ECDHE cipher suites in kamailio-5.6.0 in centos7 with installed OpenSSL 1.0.2k-fips. We received kamailio with its modules from https://rpm.kamailio.org/.
Our client can use only cipher suites:

TLS_AES_256_GCM_SHA384 (0x1302)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_128_GCM_SHA256 (0x1301)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

And some of them are supported by our openssl:

$ openssl cipher -V
...
0xC0,0x14 - ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
...
0xC0,0x13 - ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
0xC0,0x09 - ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
...

But when trying to connect with, for example, cipher suite ECDHE-RSA-AES256-SHA (the same with other 3 cipher suites), we receive, that it is not allowed:

$ openssl s_client -connect ${kamailio-serper-ip}:${kamailio-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
...

To exclude the influence of other factors, I installed nginx on the same machine with usage of the same tls certificate and it can use cipher suites ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA.

$ openssl s_client -connect ${nginx-serper-ip}:${nginx-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 3271 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
...

So, the reason of failed handshake is, probably, kamailio.
Tried to add cipher_list modparam:

modparam("tls", "cipher_list", "ECDHE-RSA-AES256-SHA")

but result is the same:

$ openssl s_client -connect ${kamailio-serper-ip}:${kamailio-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
...

Can you, please, help me to add support of cipher suites ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA to kamailio?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20220803/7bc83701/attachment.htm>

More information about the sr-users mailing list