Hi,
Try this:
modparam("tls", "renegotiation", 1)
Best regards,
Leonid Fainshtein
On Fri, Feb 24, 2023 at 12:47 PM <iliusha.md(a)gmail.com> wrote:
In Wireshark I see an Alert Handshake failure, coming from the Kamailio server.
Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)
My first thought is that something is wrong with the SSL ciphers on the
server where Kamailio is running. This is the list I'm getting from the MS
in the Client Hello packet:
Cipher Suites (8 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
And I see some of them available on the server:
[root@srv kamailio]# openssl ciphers -v | grep 'ECDHE-RSA-AES'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
TLS module configuration is very basic:
# ----- tls settings -----
modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")
modparam("tls", "tls_disable_compression", 1)
modparam("tls", "connection_timeout", 300)
Could it be that the OpenSSL version is pretty old?
[root@srv kamailio]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
Kamailio Version: version: kamailio 5.6.3 (x86_64/linux) ea782b
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
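An added example, not part of the original messages: it converts the Client Hello suite names quoted above to OpenSSL names and intersects them with the pasted `openssl ciphers -v` output. The conversion rule covers only the ECDHE AES suites seen in this thread, and the function names are hypothetical.

```python
import re

# IANA suite names from the Client Hello quoted in the thread.
CLIENT_HELLO = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
""".split()

# Output of `openssl ciphers -v | grep 'ECDHE-RSA-AES'` as pasted in the thread.
SERVER_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
"""

_SUITE = re.compile(r"TLS_ECDHE_(RSA|ECDSA)_WITH_AES_(128|256)_(GCM|CBC)_(SHA\d*)")

def iana_to_openssl(name):
    """Map an IANA ECDHE/AES suite name to its OpenSSL name (this pattern only)."""
    m = _SUITE.fullmatch(name)
    if m is None:
        raise ValueError("suite outside the ECDHE AES pattern: " + name)
    auth, bits, mode, mac = m.groups()
    parts = ["ECDHE", auth, "AES" + bits]
    if mode == "GCM":          # OpenSSL names GCM explicitly and leaves CBC implicit
        parts.append("GCM")
    parts.append(mac)
    return "-".join(parts)

def compare(client_suites, server_output):
    """Return (shared, not_listed) OpenSSL names, in the client's preference order."""
    server = {line.split()[0] for line in server_output.splitlines() if line.strip()}
    shared, not_listed = [], []
    for suite in client_suites:
        name = iana_to_openssl(suite)
        (shared if name in server else not_listed).append(name)
    return shared, not_listed

if __name__ == "__main__":
    shared, not_listed = compare(CLIENT_HELLO, SERVER_OUTPUT)
    print("offered by client and listed by server:", *shared, sep="\n  ")
    print("offered by client, not in the pasted list:", *not_listed, sep="\n  ")
```

The ECDSA suites land in the second list only because the pasted output was filtered with `grep 'ECDHE-RSA-AES'`; feed the unfiltered `openssl ciphers -v` output to `compare` for a complete answer.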