Hi,

It also depends on the version of OpenSSL Kamailio was compiled against...

I can confirm that Kamailio supports Elliptic Curve Diffie-Hellman (ECDHE), as I added support for it... ;-)

Thanks,
Carsten

2018-01-03 9:46 GMT+01:00 Karsten Horsmann <khorsmann@gmail.com>:
Hello,


There is an ssldump example on the kamailio.org wiki to see the cipher suites.

AFAIK it depends on your certificate/CA and how you create it.

I see this with a test self-signed certificate that I did with one cipher only.

And of course your client needs support for it.

On 02.01.2018 at 5:16 PM, "Steve" <smh2017@zoho.com> wrote:

I have a question about deploying TLSv1.2 with Kamailio 4.3.4-1 on a Lubuntu 16.4.3 desktop environment. I changed the Kamailio default tls.cfg file under the section [server:default] to “method=TLSv1.2” and am using OpenSSL 1.0.2g from the Lubuntu repository. All the programs were loaded through the Synaptic Package Manager.

My question is whether this version of Kamailio supports the cipher suite ECDHE-RSA-AES256-GCM-SHA384. My version of OpenSSL lists it as an option, but the highest strength cipher that the Kamailio 4.3.4 server seems to accept is RSA-AES256-GCM-SHA384. My (limited) understanding is that ECDHE is a better method of key exchange than RSA because it is ephemeral with forward secrecy.

I used Wireshark to look at the connection protocols for SIP clients Jitsi and Blink with the Kamailio server. Jitsi offers only four cipher choices of what I understand are considered compromised security TLS protocols and it connected with the RSA-AES128-CBC-SHA cipher. Blink offers 65 cipher choices, starting with ECDHE-RSA-AES256-GCM-SHA384. My Kamailio server accepted the 29th offering on the list, RSA-AES256-GCM-SHA384. Unless I am missing something, Kamailio 4.3.4 doesn’t seem to support ephemeral DH key exchanges. Is there some other TLS configuration file or setting for Kamailio that can be changed to allow this?



_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users






--
Carsten Bock
CEO (Managing Director)

ng-voice GmbH
Millerntorplatz 1
20359 Hamburg / Germany

http://www.ng-voice.com
mailto:carsten@ng-voice.com

Office +49 40 5247593-40
Fax +49 40 5247593-99

Registered office: Hamburg
Commercial register: Amtsgericht Hamburg, HRB 120189
Managing Director: Carsten Bock
VAT ID: DE279344284

Our legally required company information can be found here:
http://www.ng-voice.com/imprint/
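
An added example, not part of the original thread or of Kamailio: a Python probe that does directly what the Wireshark comparison above does indirectly, by checking which suite a TLSv1.2 listener picks and whether it accepts an ECDHE-only offer. The function names and the default port 5061 are assumptions; OpenSSL's own name for the RSA key-exchange suite is `AES256-GCM-SHA384`.

```python
import socket
import ssl

FS_KEY_EXCHANGES = {"kx-ecdhe", "kx-dhe"}  # ephemeral key exchanges give forward secrecy

def key_exchange(cipher_name):
    """Key-exchange label the local OpenSSL assigns to a TLS 1.2 suite, or None if unknown."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_name)
    except ssl.SSLError:                  # suite not available in this OpenSSL build
        return None
    for suite in ctx.get_ciphers():
        if suite["name"] == cipher_name:
            return suite.get("kea")
    return None

def has_forward_secrecy(cipher_name):
    return key_exchange(cipher_name) in FS_KEY_EXCHANGES

def negotiate(host, port, ciphers=None, timeout=5.0):
    """Handshake with a TLS listener; return the negotiated suite name, or None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # handshake inspection only: the test server
    ctx.verify_mode = ssl.CERT_NONE       # in the thread uses a self-signed certificate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # matches method=TLSv1.2 in tls.cfg
    if ciphers:
        ctx.set_ciphers(ciphers)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, ConnectionResetError):   # e.g. no shared cipher
        return None

def audit(host, port=5061):               # 5061 is an assumed SIP-over-TLS port
    """Compare the server's pick from a broad offer with an ECDHE-only offer."""
    default_pick = negotiate(host, port)
    ecdhe_pick = negotiate(host, port, "ECDHE-RSA-AES256-GCM-SHA384")
    return {
        "default_pick": default_pick,
        "default_pick_fs": bool(default_pick) and has_forward_secrecy(default_pick),
        "ecdhe_accepted": ecdhe_pick is not None,
    }
```

Calling `audit()` with the address of your own server returns the three findings; `ecdhe_accepted` being false while the local OpenSSL lists the suite points at the server side, as discussed in the replies above.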