Re: [SR-Users] Disabling weak SSL Cypher suites

Sun, 22 Dec 2019 09:16:49 -0800 

Federico, Thank you

I added these lines to my config:

#!ifdef WITH_TLS
# ----- tls params -----
modparam("tls","config","/usr/local/etc/kamailio/tls.cfg")
modparam("tls", "cipher_list", "HIGH")
modparam("tls", "tls_method", "TLSv1.2+")
#!endif

But it still doesn’t work.  

I ran this test, but it still says:

Cipher Suites
# TLS 1.0 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK      256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK      128
TLS_RSA_WITH_SEED_CBC_SHA (0x96)   WEAK 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   WEAK 128
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE       128
TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE       128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK


I don’t know how to get rid of the insecure ones. 

Best Regards,
Arik


> On 10 Dec 2019, at 9:03, Federico Cabiddu <[email protected]> wrote:
> 
> Hi,
> for enabling a specific set of ciphers have a look at tls module's 
> cipher_list param: 
> http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list 
> <http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list>.
> For supporting specific versions of TLS look at tls_method param: 
> http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method 
> <http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method>.
> 
> Cheers,
> 
> Federico
> 
> On Tue, Dec 10, 2019 at 7:30 AM Arik Halperin <[email protected] 
> <mailto:[email protected]>> wrote:
> Hello,
> 
> How can I disable:
> 
> 
> TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE128
> 
> TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE128
> 
> What should I put in cypher_list in order to disable the above?
> 
> I would also like support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 
> 1.1
> 
> Thanks,
> Arik Halperin
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> [email protected] <mailto:[email protected]>
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users 
> <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> [email protected]
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


_______________________________________________
Kamailio (SER) - Users Mailing List
[email protected]
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

Reply via email to