[SR-Users] Re: Kamailio MS Teams TLS Issue
I upgraded OS to the newest version and it seems to be working now. But, just curious why it didn't work in the old version and what was changed recently on the MS Side.

Thanks Tim.

__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
[SR-Users] Re: Kamailio MS Teams TLS Issue
Hello,

I tried this and it didn't help, unfortunately.

Regards,
Ilie.
[SR-Users] Re: Kamailio MS Teams TLS Issue
Hi,

Have you tried using the tlsa module and linking it to a modern openssl 1 release? Had similar problems due to an old version of openssl lurking in the package repositories of the distro I was using.

From: Leonid Fainshtein
Sent: Sunday, February 26, 2023 6:51:19 AM
To: Kamailio (SER) - Users Mailing List
Subject: [SR-Users] Re: Kamailio MS Teams TLS Issue

Hi,

Try this:
modparam("tls", "renegotiation", 1)

Best regards,
Leonid Fainshtein

On Fri, Feb 24, 2023 at 12:47 PM <iliusha...@gmail.com> wrote:

In Wireshark I see an Alert Handshake failure, coming from the Kamailio server.

Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

My first thought is that something is wrong with the SSL ciphers on the server where Kamailio is running, this is the list I'm getting from the MS in the Client Hello packet:

Cipher Suites (8 suites)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

And I see some of them available on the server:

[root@srv kamailio]# openssl ciphers -v | grep 'ECDHE-RSA-AES'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1

TLS module configuration is very basic:

# - tls settings -
modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")
modparam("tls", "tls_disable_compression", 1)
modparam("tls", "connection_timeout", 300)

Can be that the openssl version is pretty old maybe?

[root@srv kamailio]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

Kamailio Version: version: kamailio 5.6.3 (x86_64/linux) ea782b
[SR-Users] Re: Kamailio MS Teams TLS Issue
Hi,

Try this:
modparam("tls", "renegotiation", 1)

Best regards,
Leonid Fainshtein

On Fri, Feb 24, 2023 at 12:47 PM wrote:

> In Wireshark I see an Alert Handshake failure, coming from the Kamailio server.
>
> Transport Layer Security
>     TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
>         Content Type: Alert (21)
>         Version: TLS 1.2 (0x0303)
>         Length: 2
>         Alert Message
>             Level: Fatal (2)
>             Description: Handshake Failure (40)
>
> My first thought is that something is wrong with the SSL ciphers on the server where Kamailio is running, this is the list I'm getting from the MS in the Client Hello packet:
>
> Cipher Suites (8 suites)
>     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>     Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
>     Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
>     Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
>     Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>
> And I see some of them available on the server:
>
> [root@srv kamailio]# openssl ciphers -v | grep 'ECDHE-RSA-AES'
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
> ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
> ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
> ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
> ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
>
> TLS module configuration is very basic:
>
> # - tls settings -
> modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")
> modparam("tls", "tls_disable_compression", 1)
> modparam("tls", "connection_timeout", 300)
>
> Can be that the openssl version is pretty old maybe?
>
> [root@srv kamailio]# openssl version
> OpenSSL 1.0.2k-fips 26 Jan 2017
>
> Kamailio Version: version: kamailio 5.6.3 (x86_64/linux) ea782b
[SR-Users] Re: Kamailio MS Teams TLS Issue
In Wireshark I see an Alert Handshake failure, coming from the Kamailio server.

Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

My first thought is that something is wrong with the SSL ciphers on the server where Kamailio is running, this is the list I'm getting from the MS in the Client Hello packet:

Cipher Suites (8 suites)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

And I see some of them available on the server:

[root@srv kamailio]# openssl ciphers -v | grep 'ECDHE-RSA-AES'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1

TLS module configuration is very basic:

# - tls settings -
modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")
modparam("tls", "tls_disable_compression", 1)
modparam("tls", "connection_timeout", 300)

Can be that the openssl version is pretty old maybe?

[root@srv kamailio]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

Kamailio Version: version: kamailio 5.6.3 (x86_64/linux) ea782b
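Added example (not part of the post above, and not Kamailio or OpenSSL code): the by-eye comparison between the ClientHello suite list and the `openssl ciphers -v` output, done mechanically. The IANA-to-OpenSSL name mapping covers only the ECDHE/DHE AES family shown in the post, the sample data is copied from the post, and the `cert_key` parameter (key type of the server certificate) is an assumption of this example.

```python
import re

# ClientHello suites as Wireshark printed them in the post above.
CLIENT_HELLO = """\
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
"""
# `openssl ciphers -v | grep 'ECDHE-RSA-AES'` output from the same post.
SERVER_CIPHERS = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
"""
IANA = re.compile(r"TLS_(ECDHE|DHE)_(RSA|ECDSA)_WITH_AES_(128|256)_(GCM|CBC)_(SHA\d*)")

def iana_to_openssl(name):
    """Map an IANA suite name to OpenSSL's name (ECDHE/DHE AES family only)."""
    m = IANA.fullmatch(name)
    if not m:
        raise ValueError("unsupported suite name: " + name)
    kx, au, bits, mode, mac = m.groups()
    # OpenSSL drops "WITH" and "CBC" and writes AES_256 as AES256.
    return "-".join([kx, au, "AES" + bits] + (["GCM"] if mode == "GCM" else []) + [mac])

def client_suites(text):
    """OpenSSL names of the suites offered in a Wireshark ClientHello listing."""
    return [iana_to_openssl(n) for n in re.findall(r"Cipher Suite: (\S+)", text)]

def server_suites(text):
    """Return {openssl_name: Au value} parsed from `openssl ciphers -v` lines."""
    rows = (re.match(r"(\S+)\s+\S+\s+Kx=\S+\s+Au=(\S+)", l.strip()) for l in text.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}

def shared(client_text, server_text, cert_key="RSA"):
    """Offered suites the server lists whose Au= matches the certificate key type."""
    srv = server_suites(server_text)
    return [s for s in client_suites(client_text) if srv.get(s) == cert_key]

if __name__ == "__main__":
    print(shared(CLIENT_HELLO, SERVER_CIPHERS))
```

A non-empty result means the suite names alone do not account for a `no shared cipher` error; OpenSSL's selection also depends on the key type of the loaded certificate and, for ECDHE suites, on an elliptic curve both sides support.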
[SR-Users] Re: Kamailio MS Teams TLS Issue
You can capture pcap via TLS port and check using Wireshark. It may provide some info.

On Thu, Feb 23, 2023, 8:33 PM wrote:

> Hello,
>
> We have one Kamailio Instance connected with MS Teams (based on this instruction: https://skalatan.de/en/blog/kamailio-sbc-teams), which worked fine for a while until recently we noticed that calls from teams are not working anymore. When I looked through the logs I found that Microsoft cannot establish a TLS connection to our server because of the cipher:
> TLS accept:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (sni: sbc.example.com - domain is obfuscated).
> Certificate is valid, the configuration is below:
>
> [server:default]
> method = TLSv1.2+
> verify_certificate = no
> require_certificate = no
> private_key = /usr/local/etc/kamailio/certs/example.net/sbc1-teams_example_net.key
> certificate = /usr/local/etc/kamailio/certs/example.net/sbc1-teams_example_net.crt
> server_name = sbc1-teams.example.net
> ca_list = /usr/local/etc/kamailio/certs/sectigo_ca.pem
> #ca_list=/etc/ssl/certs/ca-bundle.crt
>
> [client:default]
> method = TLSv1.2+
> verify_certificate = no
> require_certificate = no
> private_key = /usr/local/etc/kamailio/certs/example.net/sbc1-teams_example_net.key
> certificate = /usr/local/etc/kamailio/certs/example.net/sbc1-teams_example_net.crt
> ca_list = /usr/local/etc/kamailio/certs/sectigo_ca.pem
> #ca_list=/etc/ssl/certs/ca-bundle.crt
>
> We use a certificate from Sectigo, but I've tried with Let's Encrypt - and it's the same. Any idea what could be the reason?