Re: [SR-Users] Cannot disable EC Diffie Hellman cipher suite

2017-11-24 Thread otron2...@gmail.com
Just a guess, but maybe later entries [like +HIGH:+MEDIUM:+LOW] put it back.
Try switching the order so that !ECDHE and the others you're trying to exclude
come after.

Sent from Samsung Mobile

 Original message 
From: Ilyas Keskin <ilyas...@gmx.de> 
Date: 11/24/2017  10:19 AM  (GMT-08:00) 
To: mico...@gmail.com,"Kamailio (SER) - Users Mailing List" 
<sr-users@lists.kamailio.org> 
Subject: Re: [SR-Users] Cannot disable EC Diffie Hellman cipher suite 
 

Re: [SR-Users] Cannot disable EC Diffie Hellman cipher suite

2017-11-24 Thread Ilyas Keskin

Hi Daniel,

yes, I am using the tls.cfg file. I tried your suggestion to add the
cipher suite string (notice the !ECDHE, which I also added to the httpd
ssl.conf) but nothing changed.


    [server:default]
    method = TLSv1
    cipher_list = !DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    verify_certificate = no
    require_certificate = no
    private_key = /etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem
    certificate = /etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem
    #ca_list = ./modules/tls/cacert.pem
    #crl = ./modules/tls/crl.pem

Also, here is a log snippet from the tls module section of the kamailio
initialization. Notice the first two lines. Also, it seems to me the module
actually ignores the local openssl installation and uses its own, which
has been compiled with the module itself (?).

Other than that, it seems to be accepting the cipher_list value just fine:

Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_mod.c:355]: mod_init(): With ECDH-Support!
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_mod.c:358]: mod_init(): With Diffie Hellman
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_init.c:587]: init_tls_h(): tls: _init_tls_h:  compiled  with openssl  version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos support: on, compression: on
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_init.c:595]: init_tls_h(): tls: init_tls_h: installed openssl library version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos support: on,  zlib compression:
    compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tls [tls_init.c:649]: init_tls_h(): tls: openssl bug #1491 (crash/mem leaks on low memory) workaround enabled (on low memory tls operations will fail preemptively) with free
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO:  [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): tls.low_mem_threshold1 has been changed to 7864320
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO:  [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): tls.low_mem_threshold2 has been changed to 3932160
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: fixup_routes(): WARNING: t_on_branch("MANAGE_BRANCH"): empty/non existing route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: fixup_routes(): WARNING: t_on_reply("MANAGE_REPLY"): empty/non existing route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: fixup_routes(): WARNING: t_on_failure("MANAGE_FAILURE"): empty/non existing route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO:  [udp_server.c:175]: probe_max_receive_buffer(): SO_RCVBUF is initially 212992
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO:  [udp_server.c:225]: probe_max_receive_buffer(): SO_RCVBUF is finally 425984
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:275]: fill_missing(): TLSs: tls_method=12
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:287]: fill_missing(): TLSs: certificate='/etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:294]: fill_missing(): TLSs: ca_list='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:301]: fill_missing(): TLSs: crl='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:305]: fill_missing(): TLSs: require_certificate=0
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:312]: fill_missing(): TLSs: cipher_list='!DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:319]: fill_missing(): TLSs: private_key='/etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:323]: fill_missing(): TLSs: verify_certificate=0
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:326]: fill_missing(): TLSs: verify_depth=9
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:670]: set_verification(): TLSs: No client certificate required and no checks performed
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:275]: fill_missing(): TLSc: tls_method=12
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:287]: fill_missing(): TLSc: certificate='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: 

Re: [SR-Users] Cannot disable EC Diffie Hellman cipher suite

2017-11-24 Thread Daniel-Constantin Mierla
Hello,


On 23.11.17 22:42, Ilyas Keskin wrote:
>
> Hi there,
>
> I have set up a Kamailio 4.2.0 SIP server (centOS 7) for a university
> project regarding WebRTC communication. While kamailio handles the
> signaling path I use the SIP.js demo phone js application (hosted on
> the same machine as kamailio) for actual WebRTC stuff.
> For a deeper understanding and documentation purposes I have been
> trying to sniff the traffic with wireshark but failed due to the fact
> that kamailio uses an Elliptic Curve Diffie-Hellman cipher suite (see
> wireshark snippet below) which is not decryptable.
>
> Secure Sockets Layer
>     TLSv1.2 Record Layer: Handshake Protocol: Server Hello
>     Content Type: Handshake (22)
>     Version: TLS 1.2 (0x0303)
>     Length: 89
>     Handshake Protocol: Server Hello
>     Handshake Type: Server Hello (2)
>     Length: 85
>     Version: TLS 1.2 (0x0303)
>     Random: b8916e4e0f7c712503a77afcf4c9228598092c166353be50...
>     Session ID Length: 32
>     Session ID:
> b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...
>     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>     Compression Method: null (0)
>     Extensions Length: 13
>     Extension: renegotiation_info (len=1)
>     Extension: ec_point_formats (len=4)
>
> I already tried importing captured SSLKEYLOG pre master secret from
> chrome and private key file issued by letsencrypt without success.
>
> On top of that I set this line
>
>     SSLCipherSuite !DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
>
> in /etc/httpd/conf.d/ssl.conf and compiled openssl with no-ec no-dh
> (which worked, see below).
>
> [admin@kamailio-sip ~]$ openssl ciphers
> SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
> [admin@kamailio-sip ~]$
>
>
> Setting
>
>     modparam("tls", "cipher_list", "AESCCM")
>
> (or different ciphers) in /etc/kamailio/kamailio.cfg seems to have no
> effect on the actual negotiated cipher suite.
>
> Am I missing something? Any help or pointers in the right direction
> will be much appreciated.
>
>
are you also using tls.cfg? If yes, there is an attribute for cipher
list in it as well, try and see if it works with it.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com

___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


[SR-Users] Cannot disable EC Diffie Hellman cipher suite

2017-11-23 Thread Ilyas Keskin

Hi there,

I have set up a Kamailio 4.2.0 SIP server (centOS 7) for a university
project regarding WebRTC communication. While kamailio handles the
signaling path I use the SIP.js demo phone js application (hosted on the
same machine as kamailio) for actual WebRTC stuff.
For a deeper understanding and documentation purposes I have been trying
to sniff the traffic with wireshark but failed due to the fact that
kamailio uses an Elliptic Curve Diffie-Hellman cipher suite (see wireshark
snippet below) which is not decryptable.


Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 89
    Handshake Protocol: Server Hello
    Handshake Type: Server Hello (2)
    Length: 85
    Version: TLS 1.2 (0x0303)
    Random: b8916e4e0f7c712503a77afcf4c9228598092c166353be50...
    Session ID Length: 32
    Session ID: b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Compression Method: null (0)
    Extensions Length: 13
    Extension: renegotiation_info (len=1)
    Extension: ec_point_formats (len=4)

I already tried importing captured SSLKEYLOG pre master secret from 
chrome and private key file issued by letsencrypt without success.


On top of that I set this line

    SSLCipherSuite !DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL


in /etc/httpd/conf.d/ssl.conf and compiled openssl with no-ec no-dh
(which worked, see below).


[admin@kamailio-sip ~]$ openssl ciphers
SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
[admin@kamailio-sip ~]$


Setting

    modparam("tls", "cipher_list", "AESCCM")

(or different ciphers) in /etc/kamailio/kamailio.cfg seems to have no
effect on the actual negotiated cipher suite.


Am I missing something? Any help or pointers in the right direction
will be much appreciated.



Best regards,

Ilyas Keskin



