Hi Ali,

Glad the suggestions were helpful.

The certificate is just a regular SSL cert, in PEM format just with a different file extension. Depending on your implementation you might want to look into publicly verifiable certificates (if you're public facing) - available for free if you want to check out a service like https://letsencrypt.org/.

Callum

On Wed, 22 Jan 2020 at 22:09, Ali Alawi <[email protected]> wrote:

> Dear Callum,
> Thanks a lot. It helped me to establish a TLS connection with ECDH suite,
> but I used my own certificate.pem rather than the one you mentioned,
> sip.crt. Actually, I couldn't figure out from where I can get this kind of
> .crt files.
>
> On Mon, Jan 20, 2020 at 11:49 AM Callum Guy <[email protected]> wrote:
>
>> Hi Ali,
>>
>> You'll need to set up your cipher list and DH file. You can generate a DH
>> param file like this: *openssl dhparam -out dhparam.pem 4096*
>>
>> If you want to review locally available cipher suites you can run:
>> *openssl ciphers -v*
>>
>> The OpenSIPS documentation clarifies the module configuration options
>> however the following setup will provide a set of strong ciphers and maybe
>> you can pick from this to add to your existing config to get things working.
>>
>> modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")
>> modparam("tls_mgm", "ec_curve", "secp384r1")
>> modparam("tls_mgm", "ciphers_list", "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
>> modparam("tls_mgm", "verify_cert", "1")
>> modparam("tls_mgm", "require_cert", "1")
>> modparam("tls_mgm", "tls_method", "TLSv1_2")
>> modparam("tls_mgm", "certificate", "/etc/pki/tls/certs/sip.crt")
>> modparam("tls_mgm", "private_key", "/etc/pki/tls/private/sip.key")
>> modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")
>> modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")
>>
>> Good luck,
>>
>> Callum
>>
>> On Sat, 18 Jan 2020 at 20:32, Ali Alawi <[email protected]> wrote:
>>
>>> Hello everyone.
>>> I am trying to test TLS in OpenSIPS 2.4, the testing is going fine but
>>> it only supports certain cipher suite methods such as (
>>>
>>> AES256-GCM-SHA384,AES256-SHA256,AES256-SHA,CAMELLIA256-SHA,AES128-SHA,SEED-SHA,CAMELLIA128-SHA,RC4-SHA,DES-CBC3-SHA
>>> )
>>> For some reason, I need to use ECDHE cipher suites but it is unsupported
>>> here.
>>> How can I include ECDHE in my TLS test?
>>> BTW, I am using OpenSSL 1.0.2g
>>>
>>> Ali
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>
>>
>> *0333 332 0000 | www.x-on.co.uk <http://www.x-on.co.uk> | **
>> <https://www.linkedin.com/company/x-on> <https://www.facebook.com/XonTel>
>> <https://twitter.com/xonuk> *
>>
>> X-on is a trading name of Storacall Technology Ltd a limited company
>> registered in England and Wales.
>> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
>> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
>> The information in this e-mail is confidential and for use by the
>> addressee(s) only. If you are not the intended recipient, please notify
>> X-on immediately on +44(0)333 332 0000 and delete the
>> message from your computer. If you are not a named addressee you must not
>> use, disclose, disseminate, distribute, copy, print or reply to this email.
>> Views or opinions expressed by an individual
>> within this email may not necessarily reflect the views of X-on or its
>> associated companies. Although X-on routinely screens for viruses,
>> addressees should scan this email and any attachments
>> for viruses. X-on makes no representation or warranty as to the absence
>> of viruses in this email or any attachments.
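A check for the key-exchange question in this thread, as an added example that is not part of the original emails: it classifies `openssl ciphers -v` output by its Kx= field, so suites like those in the original question can be compared with what the suggested ciphers_list selects. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread); names and sample lines are constructed.

# Print "<kind> <suite>" per cipher line. In this listing Kx=ECDH is ECDHE and
# Kx=DH is DHE (both ephemeral); TLS 1.3 suites show Kx=any. Anything else is
# reported as OTHER for review; Kx=RSA is static RSA without forward secrecy.
kx_audit() {
    awk '{
        kx = ""
        for (i = 2; i <= NF; i++) if ($i ~ /^Kx=/) kx = substr($i, 4)
        if (kx == "") next                      # skip lines that are not suites
        if (kx == "ECDH")     kind = "ECDHE"
        else if (kx == "DH")  kind = "DHE"
        else if (kx == "any") kind = "TLS1.3"
        else                  kind = "OTHER"
        print kind, $1
    }'
}

# Number of suites on stdin that are not ECDHE, DHE or TLS 1.3.
count_other() {
    kx_audit | awk '$1 == "OTHER" { n++ } END { print n + 0 }'
}

# Constructed sample: three suites named in the original question.
sample_question() {
    cat <<'EOF'
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
EOF
}

# Constructed sample: two suites matched by EECDH+AESGCM and EDH+AESGCM.
sample_suggested() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
EOF
}

echo "non-ephemeral suites, question sample:  $(sample_question | count_other)"
echo "non-ephemeral suites, suggested sample: $(sample_suggested | count_other)"

# With OpenSSL installed, audit the ciphers_list from the thread directly
# (commas are accepted as separators in an OpenSSL cipher string).
if command -v openssl >/dev/null 2>&1; then
    openssl ciphers -v 'EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH' | kx_audit || true
fi
```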
