good catch. thanks

for the record

ECC

[root@sbc live]# openssl x509 -text -noout -in  /etc/letsencrypt/live/<my domain>/fullchain.pem |grep -i "Public Key Algorithm"
            Public Key Algorithm: id-ecPublicKey

certbot certonly --key-type rsa --cert-name <my domain> --manual --preferred-challenges dns

RSA

[root@sbc live]# openssl x509 -text -noout -in  /etc/letsencrypt/live/<my domain>/fullchain.pem |grep -i "Public Key Algorithm"
            Public Key Algorithm: rsaEncryption


but there was another problem

modparam("tls", "cipher_list", "RSA") from  https://kamailio.org/docs/modules/5.7.x/modules/tls.html#tls.p.cipher_list

does nothing

 0(2294) INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'


valid option is in tls.cfg

cipher_list = RSA

0(2328) INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='RSA'


      ServerHello
        Version 3.3
        session_id[0]=
        cipherSuite         TLS_RSA_WITH_AES_256_GCM_SHA384

Marek Cervenka


On 2024-01-10 at 13:06 Lukas Tribus wrote:


On Wednesday 10 January 2024, marek via sr-users <sr-users@lists.kamailio.org> wrote:
hi,

I'm trying to force the cipher list through options like

modparam("tls", "cipher_list", "TLS_RSA_WITH_AES_256_CBC_SHA256")

modparam("tls", "cipher_list", "RSA")

You are trying an RSA cipher.


...


but

ssldump -i enp2s0 port 5061  shows every time

      ServerHello
        Version 3.3

In TLS 1.2



        session_id[0]=
        cipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

But the negotiated cipher suggests that you have an ECC certificate.

In TLSv1.2 and older, ciphers available are dependent on the certificate type (RSA vs ECC).

In TLSv1.3 it's all different again and the certificate doesn't matter for cipher negotiation.

Get an RSA (2048-bit) certificate instead of an ECC one from Let's Encrypt, then you should be able to use those ciphers.



Lukas
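Added example (not part of the thread or of Kamailio): a small check that reads the key type from `openssl x509 -text` output and the negotiated suite from an ssldump ServerHello, then tells you which of a configured cipher list the server could actually offer, applying the TLS 1.2 rule Lukas describes (suite auth algorithm must match the certificate) and the TLS 1.3 exception. The sample inputs are constructed from the values shown in this thread.

```python
"""Check a TLS cipher_list against the server certificate's key type (TLS 1.2 vs 1.3)."""
import re

# "Public Key Algorithm" as printed by `openssl x509 -text` -> signature alg a suite needs.
CERT_AUTH = {"rsaEncryption": "RSA", "id-ecPublicKey": "ECDSA"}
# ServerHello "Version" as printed by ssldump (record-layer major.minor).
TLS_VERSIONS = {"3.1": "TLSv1.0", "3.2": "TLSv1.1", "3.3": "TLSv1.2", "3.4": "TLSv1.3"}

# Constructed sample inputs, copied from the outputs quoted in the thread.
OPENSSL_ECC = "            Public Key Algorithm: id-ecPublicKey\n"
OPENSSL_RSA = "            Public Key Algorithm: rsaEncryption\n"
SERVER_HELLO_ECC = (
    "      ServerHello\n        Version 3.3\n        session_id[0]=\n"
    "        cipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n"
)
RSA_ONLY_LIST = ["TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"]


def cert_auth_from_openssl(text):
    """Return 'RSA', 'ECDSA' or None from `openssl x509 -text` output."""
    m = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    return CERT_AUTH.get(m.group(1)) if m else None


def suite_auth(name):
    """Authentication algorithm an IANA suite name requires.
    TLS 1.3 suites carry no '_WITH_' (no kx/auth in the name): any certificate works."""
    if "_WITH_" not in name:
        return "ANY"
    kx_auth = re.sub(r"^TLS_", "", name).split("_WITH_")[0].split("_")
    if kx_auth[-1] in ("RSA", "ECDSA", "DSS"):  # RSA, ECDHE_ECDSA, DHE_RSA, ...
        return kx_auth[-1]
    return "ANY"  # anon / PSK / SRP families do not use a certificate signature


def parse_server_hello(text):
    """Return (protocol version, negotiated suite) from an ssldump ServerHello dump."""
    ver = re.search(r"Version\s+(\d+\.\d+)", text)
    suite = re.search(r"cipherSuite\s+(TLS_\S+)", text)
    version = TLS_VERSIONS.get(ver.group(1), ver.group(1)) if ver else None
    return version, (suite.group(1) if suite else None)


def usable_suites(cert_auth, configured, version):
    """Suites from `configured` the server could negotiate with this certificate."""
    if version == "TLSv1.3":  # only 1.3 suites, certificate type irrelevant
        return [s for s in configured if "_WITH_" not in s]
    return [s for s in configured if suite_auth(s) in ("ANY", cert_auth)]


if __name__ == "__main__":
    version, suite = parse_server_hello(SERVER_HELLO_ECC)
    print(version, suite, "needs", suite_auth(suite), "cert")
    for cert in (OPENSSL_ECC, OPENSSL_RSA):
        auth = cert_auth_from_openssl(cert)
        print(auth, "cert + cipher_list=RSA ->", usable_suites(auth, RSA_ONLY_LIST, version))
```

With the ECC certificate the RSA-only list leaves nothing to negotiate, which is why the server kept picking TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 from its default list.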