Hi Callum,

Currently I am stuck with PEM certificates because my configuration is for testing only (not productive). One last thing to check with you: I am unable to use the 1_2 version in my opensips. Actually, opensips restarted without error but I am unable to perform the handshake.

Regards,

On Thu, Jan 23, 2020 at 11:15 AM Callum Guy <[email protected]> wrote:

> Hi Ali,
>
> Glad the suggestions were helpful.
>
> The certificate is just a regular SSL cert, in PEM format just with a
> different file extension. Depending on your implementation you might want
> to look into publicly verifiable certificates (if you're public facing) -
> available for free if you want to check out a service like
> https://letsencrypt.org/.
>
> Callum
>
>
> On Wed, 22 Jan 2020 at 22:09, Ali Alawi <[email protected]> wrote:
>
>> Dear Callum,
>> Thanks a lot. It helped me to establish a TLS connection with ECDH suite.
>> But I used my own certificate.pem rather than the one you mentioned,
>> sip.crt. Actually, I couldn't figure out from where I can get this kind of
>> .crt files.
>>
>> On Mon, Jan 20, 2020 at 11:49 AM Callum Guy <[email protected]>
>> wrote:
>>
>>> Hi Ali,
>>>
>>> You'll need to set up your cipher list and DH file. You can generate a DH
>>> param file like this: *openssl dhparam -out dhparam.pem 4096*
>>>
>>> If you want to review locally available cipher suites you can run: *openssl
>>> ciphers -v*
>>>
>>> The OpenSIPS documentation clarifies the module configuration options
>>> however the following setup will provide a set of strong ciphers and maybe
>>> you can pick from this to add to your existing config to get things working.
>>>
>>> modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")
>>> modparam("tls_mgm", "ec_curve", "secp384r1")
>>> modparam("tls_mgm", "ciphers_list",
>>> "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
>>> modparam("tls_mgm", "verify_cert", "1")
>>> modparam("tls_mgm", "require_cert", "1")
>>> modparam("tls_mgm", "tls_method", "TLSv1_2")
>>> modparam("tls_mgm", "certificate", "/etc/pki/tls/certs/sip.crt")
>>> modparam("tls_mgm", "private_key", "/etc/pki/tls/private/sip.key")
>>> modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")
>>> modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")
>>>
>>> Good luck,
>>>
>>> Callum
>>>
>>> On Sat, 18 Jan 2020 at 20:32, Ali Alawi <[email protected]> wrote:
>>>
>>>> Hello everyone.
>>>> I am trying to test TLS in OpenSIPS 2.4, the testing is going fine but
>>>> it only supports certain cipher suite methods such as (
>>>>
>>>> AES256-GCM-SHA384,AES256-SHA256,AES256-SHA,CAMELLIA256-SHA,AES128-SHA,SEED-SHA,CAMELLIA128-SHA,RC4-SHA,DES-CBC3-SHA
>>>> )
>>>> For some reason, I need to use ECDHE cipher suites but it is
>>>> unsupported here.
>>>> How can I include ECDHE in my TLS test?
>>>> BTW, I am using OpenSSL 1.0.2g
>>>>
>>>> ALi
>>>> _______________________________________________
>>>> Users mailing list
>>>> [email protected]
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>
>>>
>>>
>>> *0333 332 0000 | www.x-on.co.uk <http://www.x-on.co.uk> | **
>>> <https://www.linkedin.com/company/x-on> <https://www.facebook.com/XonTel>
>>> <https://twitter.com/xonuk> *
>>>
>>> X-on is a trading name of Storacall Technology Ltd a limited company
>>> registered in England and Wales.
>>> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
>>> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
>>> The information in this e-mail is confidential and for use by the
>>> addressee(s) only.
>>> If you are not the intended recipient, please notify
>>> X-on immediately on +44(0)333 332 0000 and delete the
>>> message from your computer. If you are not a named addressee you must
>>> not use, disclose, disseminate, distribute, copy, print or reply to this
>>> email. Views or opinions expressed by an individual
>>> within this email may not necessarily reflect the views of X-on or its
>>> associated companies. Although X-on routinely screens for viruses,
>>> addressees should scan this email and any attachments
>>> for viruses. X-on makes no representation or warranty as to the absence
>>> of viruses in this email or any attachments.
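
An added example, not part of the original thread: before a `ciphers_list` value goes into the OpenSIPS configuration, it can be expanded offline to see whether it yields ECDHE/DHE suites at all. The sketch uses Python's `ssl` module; the function names are this example's own, and the result reflects the OpenSSL build Python is linked against, not the 1.0.2g mentioned in the thread.

```python
import ssl

# Cipher string from the quoted tls_mgm "ciphers_list" setting.
RECOMMENDED = "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH"
# Suites the original question listed as the only ones offered.
REPORTED = ("AES256-GCM-SHA384,AES256-SHA256,AES256-SHA,CAMELLIA256-SHA,"
            "AES128-SHA,SEED-SHA,CAMELLIA128-SHA,RC4-SHA,DES-CBC3-SHA")

# Key-exchange labels OpenSSL reports for ephemeral (forward-secret) suites.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe"}


def expand(cipher_string):
    """Expand an OpenSSL cipher string using the locally linked OpenSSL.

    TLS 1.3 suites are dropped: they are configured separately and are
    not selected by the cipher string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # nothing in the string is known to this build
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def split_by_forward_secrecy(cipher_string):
    """Return (ephemeral, static) lists of suite names for the string."""
    ephemeral, static = [], []
    for c in expand(cipher_string):
        bucket = ephemeral if c.get("kea") in EPHEMERAL_KX else static
        bucket.append(c["name"])
    return ephemeral, static


def has_ecdhe(cipher_string):
    """True if at least one suite in the expansion uses ECDHE."""
    return any(c.get("kea") == "kx-ecdhe" for c in expand(cipher_string))


if __name__ == "__main__":
    for label, s in (("recommended", RECOMMENDED), ("reported", REPORTED)):
        eph, static = split_by_forward_secrecy(s)
        print(f"{label}: ECDHE present={has_ecdhe(s)}, "
              f"{len(eph)} ephemeral, {len(static)} static")
        for name in static:
            print("  no forward secrecy:", name)
```
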
