Disabling weak SSL Cypher suites - sr-users - kamailio.org

List overview All Threads
Download

Disabling weak SSL Cypher suites

rtpproxy_manage() doesn't...

Need support

Arik Halperin

10 Dec 2019 10 Dec '19

9:29 a.m.

Hello, How can I disable: TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE128 TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE128 What should I put in cypher_list in order to disable the above? I would also like support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1 Thanks, Arik Halperin

Attachments:

attachment.html (text/html — 1.2 KB)

Reply

Show replies by date

Federico Cabiddu

10 Dec 10 Dec

10:03 a.m.

Hi, for enabling a specific set of ciphers have a look at tls module's cipher_list param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_li… . For supporting specific versions of TLS look at tls_method param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method . Cheers, Federico On Tue, Dec 10, 2019 at 7:30 AM Arik Halperin <arik.halperin(a)s3code.com> wrote:

Hello, How can I disable: TLS_RSA_WITH_RC4_128_SHA (0x5) *INSECURE*128 TLS_RSA_WITH_RC4_128_MD5 (0x4) *INSECURE*128 What should I put in cypher_list in order to disable the above? I would also like support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1 Thanks, Arik Halperin _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

Reply

Arik Halperin

22 Dec 22 Dec

8:14 p.m.

Federico, Thank you I added these lines to my config: #!ifdef WITH_TLS # ----- tls params ----- modparam("tls","config","/usr/local/etc/kamailio/tls.cfg") modparam("tls", "cipher_list", "HIGH") modparam("tls", "tls_method", "TLSv1.2+") #!endif But it still doesn’t work. I ran this test, but it still says: Cipher Suites # TLS 1.0 (suites in server-preferred order) TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128 TLS_RSA_WITH_SEED_CBC_SHA (0x96) WEAK 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128 TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128 TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK I don’t know how to get rid of the insecure ones. Best Regards, Arik

On 10 Dec 2019, at 9:03, Federico Cabiddu <federico.cabiddu(a)gmail.com> wrote: Hi, for enabling a specific set of ciphers have a look at tls module's cipher_list param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_li… <http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list>. For supporting specific versions of TLS look at tls_method param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method <http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method>. Cheers, Federico On Tue, Dec 10, 2019 at 7:30 AM Arik Halperin <arik.halperin(a)s3code.com <mailto:arik.halperin@s3code.com>> wrote: Hello, How can I disable: TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE128 TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE128 What should I put in cypher_list in order to disable the above? I would also like support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1 Thanks, Arik Halperin _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users> _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

Reply

Federico Cabiddu

8:28 p.m.

Hi Arik, I think that the problem is that you are using a configuration file for tls. In this case you have to specify there the parameters like ciphers, because the module's ones will be ignored: http://www.kamailio.org/docs/modules/5.3.x/modules/tls.html#tls.p.config. Cheers, Federico On Sun, Dec 22, 2019 at 6:16 PM Arik Halperin <arik.halperin(a)s3code.com> wrote:

Federico, Thank you I added these lines to my config: #!ifdef WITH_TLS # ----- tls params ----- modparam("tls","config","/usr/local/etc/kamailio/tls.cfg") modparam("tls", "cipher_list", "HIGH") modparam("tls", "tls_method", "TLSv1.2+") #!endif But it still doesn’t work. I ran this test, but it still says: Cipher Suites # TLS 1.0 (suites in server-preferred order) TLS_RSA_WITH_AES_256_CBC_SHA (0x35) *WEAK* 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) *WEAK* 256 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) *WEAK* 128 TLS_RSA_WITH_SEED_CBC_SHA (0x96) *WEAK* 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) *WEAK* 128 TLS_RSA_WITH_RC4_128_SHA (0x5) *INSECURE* 128 TLS_RSA_WITH_RC4_128_MD5 (0x4) *INSECURE* 128 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) *WEAK* I don’t know how to get rid of the insecure ones. Best Regards, Arik On 10 Dec 2019, at 9:03, Federico Cabiddu <federico.cabiddu(a)gmail.com> wrote: Hi, for enabling a specific set of ciphers have a look at tls module's cipher_list param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_li… . For supporting specific versions of TLS look at tls_method param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method . Cheers, Federico On Tue, Dec 10, 2019 at 7:30 AM Arik Halperin <arik.halperin(a)s3code.com> wrote:

Hello, How can I disable: TLS_RSA_WITH_RC4_128_SHA (0x5) *INSECURE*128 TLS_RSA_WITH_RC4_128_MD5 (0x4) *INSECURE*128 What should I put in cypher_list in order to disable the above? I would also like support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1 Thanks, Arik Halperin _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

_______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

Reply

Arik Halperin

10:56 p.m.

Federico, thanks Did the changes in the file. It’s fixed. Arik

On 22 Dec 2019, at 19:28, Federico Cabiddu <federico.cabiddu(a)gmail.com> wrote: Hi Arik, I think that the problem is that you are using a configuration file for tls. In this case you have to specify there the parameters like ciphers, because the module's ones will be ignored: http://www.kamailio.org/docs/modules/5.3.x/modules/tls.html#tls.p.config <http://www.kamailio.org/docs/modules/5.3.x/modules/tls.html#tls.p.config>. Cheers, Federico On Sun, Dec 22, 2019 at 6:16 PM Arik Halperin <arik.halperin(a)s3code.com <mailto:arik.halperin@s3code.com>> wrote: Federico, Thank you I added these lines to my config: #!ifdef WITH_TLS # ----- tls params ----- modparam("tls","config","/usr/local/etc/kamailio/tls.cfg") modparam("tls", "cipher_list", "HIGH") modparam("tls", "tls_method", "TLSv1.2+") #!endif But it still doesn’t work. I ran this test, but it still says: Cipher Suites # TLS 1.0 (suites in server-preferred order) TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128 TLS_RSA_WITH_SEED_CBC_SHA (0x96) WEAK 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128 TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128 TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK I don’t know how to get rid of the insecure ones. Best Regards, Arik

On 10 Dec 2019, at 9:03, Federico Cabiddu <federico.cabiddu(a)gmail.com <mailto:federico.cabiddu@gmail.com>> wrote: Hi, for enabling a specific set of ciphers have a look at tls module's cipher_list param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_li… <http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.cipher_list>. For supporting specific versions of TLS look at tls_method param: http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method <http://www.kamailio.org/docs/modules/5.4.x/modules/tls.html#tls.p.tls_method>. Cheers, Federico On Tue, Dec 10, 2019 at 7:30 AM Arik Halperin <arik.halperin(a)s3code.com <mailto:arik.halperin@s3code.com>> wrote: Hello, How can I disable: TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE128 TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE128 What should I put in cypher_list in order to disable the above? I would also like support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1 Thanks, Arik Halperin _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users> _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>

_______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users> _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

Reply

Henning Westerholt

10 Dec 10 Dec

10:23 a.m.

Hello, small addition - it is not possible to only specify TLS v1.3 at the moment (but work is planned here) - use TLSv1.2+ to get all version equal or larger TLS 1.2. Cheers, Henning -- Henning Westerholt - https://skalatan.de/blog/ Kamailio services - https://gilawa.com<https://gilawa.com/> From: sr-users <sr-users-bounces(a)lists.kamailio.org> On Behalf Of Arik Halperin Sent: Tuesday, December 10, 2019 7:29 AM To: sr-users(a)lists.kamailio.org Cc: Tsur Arieli <tsur(a)telemessage.com>om>; Yossi Shteingart <yossi(a)telemessage.com> Subject: [SR-Users] Disabling weak SSL Cypher suites Hello, How can I disable: TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE128 TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE128 What should I put in cypher_list in order to disable the above? I would also like support TLS 1.2 and TLS 1.3, but remove support for 1.0 and 1.1 Thanks, Arik Halperin

Reply

1800

days inactive

1812

days old

sr-users@lists.kamailio.org

Manage subscription

5 comments

3 participants

tags (0)

participants (3)

Arik Halperin
Federico Cabiddu
Henning Westerholt