On Wednesday 10 January 2024, marek via sr-users <sr-users@lists.kamailio.org> wrote:
Hi,

I'm trying to force the cipher list through options like

modparam("tls", "cipher_list", "TLS_RSA_WITH_AES_256_CBC_SHA256")

modparam("tls", "cipher_list", "RSA")

You are trying an RSA cipher.

...


but

ssldump -i enp2s0 port 5061  shows every time

      ServerHello
        Version 3.3

In TLS 1.2

        session_id[0]=
        cipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

But the negotiated cipher suggests that you have an ECC certificate.

In TLSv1.2 and older, ciphers available are dependent on the certificate type (RSA vs ECC).

In TLSv1.3 it's all different again and the certificate doesn't matter for cipher negotiation.

Get an RSA (2048-bit) certificate instead of an ECC one from Let's Encrypt, then you should be able to use those ciphers.



Lukas
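
Added example, not part of the original message: a small check that maps IANA cipher suite names (as printed by ssldump) to the server key type they need in TLS 1.2 and older, which is the dependency described in the reply. The function names and the lookup table are assumptions made for this illustration, and the table covers only the common RSA and EC families.

```python
# Added example: which server key type does a TLS cipher suite need?
# The table and function names are illustrative, not from Kamailio or OpenSSL.

# Key-exchange/authentication part of the suite name -> required server key.
REQUIRED_KEY = {
    "RSA": "rsa",          # static RSA key exchange
    "DHE_RSA": "rsa",      # ephemeral DH, handshake signed with RSA key
    "ECDHE_RSA": "rsa",    # ephemeral ECDH, handshake signed with RSA key
    "ECDHE_ECDSA": "ec",   # ephemeral ECDH, handshake signed with EC key
    "ECDH_ECDSA": "ec",    # static ECDH: certificate carries an EC key
    "ECDH_RSA": "ec",      # static ECDH: EC key in a certificate signed by an RSA CA
}


def required_key_type(suite):
    """Return 'rsa', 'ec', 'any' (TLS 1.3 suite) or None (family not covered)."""
    if not suite.startswith("TLS_"):
        raise ValueError(f"not an IANA suite name: {suite!r}")
    body = suite[len("TLS_"):]
    if "_WITH_" not in body:
        # TLS 1.3 names carry no key-exchange/auth part, so any certificate fits.
        return "any"
    kx_auth = body.split("_WITH_", 1)[0]
    return REQUIRED_KEY.get(kx_auth)


def usable_suites(cert_key_type, suites):
    """Keep the suites a server holding cert_key_type ('rsa' or 'ec') can negotiate."""
    return [s for s in suites if required_key_type(s) in ("any", cert_key_type)]


if __name__ == "__main__":
    # The two suites from the thread: the one configured and the one negotiated.
    configured = "TLS_RSA_WITH_AES_256_CBC_SHA256"
    negotiated = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    for key in ("ec", "rsa"):
        print(key, "->", usable_suites(key, [configured, negotiated]))
```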