Federico, Thank you

I added these lines to my config:

#!ifdef WITH_TLS
# ----- tls params -----
modparam("tls","config","/usr/local/etc/kamailio/tls.cfg")
modparam("tls", "cipher_list", "HIGH")
modparam("tls", "tls_method", "TLSv1.2+")
#!endif

But it still doesn’t work.  

I ran this test, but it still says:

Cipher Suites
# TLS 1.0 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)   WEAK256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK128
TLS_RSA_WITH_SEED_CBC_SHA (0x96)   WEAK128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   WEAK128
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE128
TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK


I don’t know how to get rid of the insecure ones. 

Best Regards,
Arik


On 10 Dec 2019, at 9:03, Federico Cabiddu <federico.cabiddu@gmail.com> wrote:

Hi,
for enabling a specific set of ciphers have a look at tls module's cipher_list param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list.
For supporting specific versions of TLS look at tls_method param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method.

Cheers,

Federico

On Tue, Dec 10, 2019 at 7:30 AM Arik Halperin <arik.halperin@s3code.com> wrote:
Hello,

How can I disable:


TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE128

TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE128

What should I put in cypher_list in order to disable the above?

I would also like support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1

Thanks,
Arik Halperin
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users