Well, properly formulating the question is half-way to the solution J

 

I had to add

 

cipher_list = HIGH:!ADH:!AECDH

 

And all anon ciphers are gone.

I hope this helps someone J

 

 

From: sr-users [mailto:sr-users-bounces@lists.sip-router.org] On Behalf Of Attila Megyeri
Sent: Monday, May 4, 2015 2:18 PM
To: Kamailio (SER) - Users Mailing List
Subject: [SR-Users] TLSv1.2 and weak ciphers

 

Hi Daniel, Kamailio folks,

 

We are trying to make our server more secure, but we have some issues.

 

Right now, we have set the TLS method to

method = TLSv1+

 

and

 

cipher_list = HIGH

 

The problem is, that there are still cipher suites offered which are not secure. E.g. If I check with the SSLLabs analizer, I see:

 

 

This server supports anonymous (insecure) suites (see below for details). Grade set to F.

 

 

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   FS

256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS

256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS

256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

256

TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

256

TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE

256

TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0xa7)   INSECURE

256

TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x6d)   INSECURE

256

TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a)   INSECURE

256

TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x89)   INSECURE

256

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)

256

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)

256

TLS_RSA_WITH_AES_256_CBC_SHA (0x35)

256

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)

256

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH 256 bits (eq. 3072 bits RSA)   FS

112

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

112

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE

112

TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b)   INSECURE

112

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)

112

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS

128

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS

128

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS

128

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

128

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

128

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

128

TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 3072 bits (p: 384, g: 1, Ys: 384)   FS

128

TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE

128

TLS_DH_anon_WITH_AES_128_GCM_SHA256 (0xa6)   INSECURE

128

TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x6c)   INSECURE

128

TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34)   INSECURE

128

TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x46)   INSECURE

128

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)

128

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)

128

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)

128

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)

128

 

How can we get rid of these _anon_ cipher suites?

 

Thanks

Attila