Hello,


There is an ssldump example on the kamailio.org wiki to see the cipher suites.

AFAIK it depends on your certificate/CA and how you create it.

I see this with a test self-signed certificate that I did with one cipher only.

And of course your client needs support for it.

On 02.01.2018 at 5:16 PM, "Steve" <smh2017@zoho.com> wrote:

I have a question about deploying TLSv1.2 with Kamailio 4.3.4-1 on a Lubuntu 16.4.3 desktop environment. I changed the Kamailio default tls.cfg file under the section [server:default] to “method=TLSv1.2” and am using OpenSSL 1.0.2g from the Lubuntu repository. All the programs were loaded through the Synaptic Package Manager.

My question is whether this version of Kamailio supports the cipher suite ECDHE-RSA-AES256-GCM-SHA384. My version of OpenSSL lists it as an option, but the highest strength cipher that the Kamailio 4.3.4 server seems to accept is RSA-AES256-GCM-SHA384. My (limited) understanding is that ECDHE is a better method of key exchange than RSA because it is ephemeral with forward secrecy.

I used Wireshark to look at the connection protocols for SIP clients Jitsi and Blink with the Kamailio server. Jitsi offers only four cipher choices of what I understand are considered compromised security TLS protocols and it connected with the RSA-AES128-CBC-SHA cipher. Blink offers 65 cipher choices, starting with ECDHE-RSA-AES256-GCM-SHA384. My Kamailio server accepted the 29th offering on the list, RSA-AES256-GCM-SHA384. Unless I am missing something, Kamailio 4.3.4 doesn’t seem to support ephemeral DH key exchanges. Is there some other TLS configuration file or setting for Kamailio that can be changed to allow this?



_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
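
An added example, not part of the thread or of Kamailio: a Python check for the comparison described above, taking the cipher list from a captured ClientHello and the suite chosen in the ServerHello and reporting which forward-secret suites the server passed over. The helper names `key_exchange` and `audit_handshake` are hypothetical and the sample offer list is constructed, not Blink's actual 65 entries.

```python
# Key-exchange prefixes that provide forward secrecy (ephemeral DH).
_EPHEMERAL = {"ECDHE": "ECDHE", "EECDH": "ECDHE", "DHE": "DHE", "EDH": "DHE"}
# Prefixes that name a key exchange but are not ephemeral + authenticated.
_OTHER = {"ECDH", "DH", "PSK", "SRP", "ADH", "AECDH"}


def key_exchange(suite):
    """Key-exchange family of a TLS 1.2 suite name.

    Accepts IANA names (TLS_ECDHE_RSA_WITH_...), OpenSSL names
    (ECDHE-RSA-AES256-GCM-SHA384, AES256-GCM-SHA384) and the
    "RSA-..." spelling used in the thread. TLS 1.3 names are out of scope.
    """
    name = suite.upper().replace("_", "-")
    if name.startswith("TLS-"):
        name = name[4:]
    first = name.split("-", 1)[0]
    if first in _EPHEMERAL:
        return _EPHEMERAL[first]
    if first in _OTHER:
        return first
    # OpenSSL drops the prefix for plain RSA key transport.
    return "RSA"


def audit_handshake(offered, chosen):
    """Compare the ClientHello offer list with the ServerHello choice."""
    names = [s.upper() for s in offered]
    pos = names.index(chosen.upper()) + 1  # 1-based; ValueError if not offered
    kx = key_exchange(chosen)
    skipped = [s for s in offered[:pos - 1] if key_exchange(s) in ("ECDHE", "DHE")]
    return {
        "position": pos,
        "key_exchange": kx,
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        "skipped_pfs": skipped,
    }


# Constructed sample: offer order as read from a ClientHello in a capture.
SAMPLE_OFFER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "RSA-AES256-GCM-SHA384",
    "RSA-AES128-CBC-SHA",
]

if __name__ == "__main__":
    print(audit_handshake(SAMPLE_OFFER, "RSA-AES256-GCM-SHA384"))
```

A non-empty `skipped_pfs` with `forward_secrecy` false means the client offered ephemeral suites and the server chose static RSA anyway, which points at the server side rather than the client.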