Tried to no positive result. Still getting "*SSL3_GET_CLIENT_HELLO:no
shared cipher*" error and server doesn't list any ECDHE suite ciphers.
> From the docs [1] "TLSv1.2+" seems to require openssl v1.1.1 at least.
I don't see it that way. Nmap test shows TLSv1.2 is supported, but missing
the desired ECDHE cipher suite. Also, some less stringent clients in terms
of ciphers do connect fine over TLS1.2.
> Can you try "TLSv1.1+" or "TLSv1.2" instead?
Tried - didn't make a diff.
I guess the question here boils down to the following: if local OpenSSL
lists the ciphers as supported, why doesn't a locally compiled Kamailio
support them? Is there a way to compile Kamailio's TLS module
differently to overcome this?
Thanks.
On Fri, Apr 14, 2023 at 2:34 PM Lukas Tribus <lukas(a)ltri.eu> wrote:
Hello,
OS:
outdated Debian 8 Jessie
OpenSSL 1.0.1t 3 May 2016
openssl ciphers -v | grep 'ECDHE-RSA-AES256-GCM-SHA384'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
# kamailio -V
version: kamailio 5.5.6 (x86_64/linux) ad1244
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
compiled on 21:08:20 Apr 13 2023 with gcc 4.9.2
modparam("tls", "cipher_list", "ALL")
method = TLSv1.2+
Elliptic Curve Diffie-Hellman (ECDH)-Ciphers are only supported in
OpenSSL 1.0.0e and later.
Any suggestions?
From the docs [1] "TLSv1.2+" seems to require openssl v1.1.1 at least.
Can you try "TLSv1.1+" or "TLSv1.2" instead?
Lukas
[1] https://kamailio.org/docs/modules/devel/modules/tls.html#tls.p.tls_method