Hello,
any error messages related to tls in the kamailio.log? Do you see in the logs that its
actually set the ciphers?
If you are using also a dedicated tls.cfg, you might need to place the cipher_list
there.
Cheers,
Henning
From: sr-users <sr-users-bounces(a)lists.kamailio.org> On Behalf Of ???? ????????
Sent: Tuesday, August 2, 2022 3:14 PM
To: sr-users(a)lists.kamailio.org
Subject: [SR-Users] Support of ECDHE cipher suites for tls connection in kamailio
Hello.
I have a question about support of ECDHE cipher suites in kamailio-5.6.0 in centos7 with
installed OpenSSL 1.0.2k-fips. We received kamailio with its modules from
https://rpm.kamailio.org/.
Our client can use only cipher suites:
TLS_AES_256_GCM_SHA384 (0x1302)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_128_GCM_SHA256 (0x1301)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
And some of them are supported by our openssl:
$ openssl cipher -V
...
0xC0,0x14 - ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
...
0xC0,0x13 - ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
0xC0,0x09 - ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
...
But when trying to connect with, for example, cipher suite ECDHE-RSA-AES256-SHA (the same
with other 3 cipher suites), we receive, that it is not allowed:
$ openssl s_client -connect ${kamailio-serper-ip}:${kamailio-server-port} -cipher
ECDHE-RSA-AES256-SHA
...
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
...
To exclude the influence of other factors, I installed nginx on the same machine with
usage of the same tls certificate and it can use cipher suites ECDHE-RSA-AES256-SHA and
ECDHE-RSA-AES128-SHA.
$ openssl s_client -connect ${nginx-serper-ip}:${nginx-server-port} -cipher
ECDHE-RSA-AES256-SHA
...
SSL handshake has read 3271 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA
...
So, the reason of failed handshake is, probably, kamailio.
Tried to add cipher_list modparam:
modparam("tls", "cipher_list", "ECDHE-RSA-AES256-SHA")
but result is the same:
$ openssl s_client -connect ${kamailio-serper-ip}:${kamailio-server-port} -cipher
ECDHE-RSA-AES256-SHA
...
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
...
Can you, please, help me to add support of cipher suites ECDHE-RSA-AES256-SHA and
ECDHE-RSA-AES128-SHA to kamailio?