Hello,
some ciphers are only available if EC certificates are used. I do not
remember which ones. In theory it is possible to install on the same
host:port (and the same IP address) both RSA and EC certificates. The
correct one is chosen based on client capabilities/preferences. Nginx,
Cyrus IMAP, Sendmail support this.
Дилян
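The point above (some suites need an EC certificate, others an RSA one, and a server holding both can offer the union) can be read directly off `openssl ciphers -v` output: the `Au=` column says which certificate key type authenticates the suite, and `Kx=ECDH` marks the ECDHE suites. The following script is an added example, not code from the thread or from Kamailio; the sample lines are constructed in the `openssl ciphers -v` column format, and `ecdh_supported` applies the "OpenSSL 1.0.0e and later" threshold quoted from the Kamailio tls documentation later in the thread.

```python
"""Group `openssl ciphers -v` output by the certificate type each suite needs.

Added example (not from the mailing-list thread). Run it against the real
list with:  openssl ciphers -v 'ALL' | python3 cipher_by_cert.py
"""
import re
import sys

# Constructed sample in the `openssl ciphers -v` column format:
#   NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA   Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
"""

FIELD = re.compile(r"(\w+)=(\S+)")

# Authentication method (Au= column) -> certificate key type the server needs.
# Au=None is an anonymous suite: no certificate at all, never enable it on a SIP proxy.
AUTH_TO_CERT = {"RSA": "RSA", "ECDSA": "EC", "DSS": "DSA", "None": None}


def parse_ciphers(text):
    """Parse -v output into dicts {name, proto, Kx, Au, Enc, Mac}; skip junk lines."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or "=" in parts[0]:
            continue
        entry = {"name": parts[0], "proto": parts[1]}
        entry.update(FIELD.findall(line))
        suites.append(entry)
    return suites


def usable_with_cert(suites, cert_type):
    """Names of the suites a server can offer when its certificate key is cert_type.

    cert_type is "RSA" or "EC". Anonymous suites (no cert needed) are included
    so they show up if someone left them enabled via "ALL".
    """
    return [s["name"] for s in suites
            if AUTH_TO_CERT.get(s.get("Au")) in (cert_type, None)]


def ecdhe_suites_by_cert(suites):
    """Forward-secret ECDHE suites grouped by the certificate they require."""
    groups = {}
    for s in suites:
        if s.get("Kx") != "ECDH":
            continue
        groups.setdefault(AUTH_TO_CERT.get(s.get("Au")), []).append(s["name"])
    return groups


def ecdh_supported(version_line):
    """True if an `openssl version` line is at or above 1.0.0e (ECDH threshold
    quoted from the Kamailio tls docs). Letter suffix sorts after no suffix."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version_line)
    if not m:
        raise ValueError("unrecognised OpenSSL version line: %r" % version_line)
    found = (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))
    return found >= (1, 0, 0, "e")


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    suites = parse_ciphers(text)
    for cert, names in sorted(ecdhe_suites_by_cert(suites).items(), key=str):
        print("ECDHE suites needing a %s certificate:" % cert)
        for n in names:
            print("   ", n)
    print("With only an RSA cert:", usable_with_cert(suites, "RSA"))
    print("With only an EC cert: ", usable_with_cert(suites, "EC"))
```

Piping the real `openssl ciphers -v 'ALL'` output through it shows why a server with only an RSA certificate never offers an `ECDHE-ECDSA-*` suite however the cipher_list is set, and why adding an EC certificate alongside the RSA one widens what can be negotiated.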
On 2023-04-20 08:56, Henning Westerholt wrote:
Hello,
if you are using the standard tls module (not e.g. tlsa etc..) there
should not be a need to compile it differently.
Have you checked if maybe you have a conflicting setting in main
kamailio configuration and dedicated tls.cfg file?
Probably also worth checking which TLS library the "tls.so"
module is linked against; maybe you have multiple openssl libraries on
that machine.
Cheers,
Henning
From: Sergiu Pojoga <pojogas(a)gmail.com>
Sent: Friday, 14 April 2023 21:56
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Subject: [SR-Users] Re: TLS1.2 ciphers
modparam("tls", "renegotiation", 1)
Tried to no positive result. Still getting "SSL3_GET_CLIENT_HELLO:no
shared cipher" error and server doesn't list any ECDHE suite ciphers.
From the docs [1] "TLSv1.2+" seems to require openssl v1.1.1 at least.
I don't see it that way. Nmap test shows TLSv1.2 is supported, but
missing the desired ECDHE cipher suite. Also, some less stringent
clients in terms of ciphers do connect fine over TLS1.2.
Can you try "TLSv1.1+" or "TLSv1.2" instead?
Tried - didn't make a diff.
I guess the question here boils down to the following: if local OpenSSL
lists the ciphers as supported, why does a locally compiled Kamailio
not support them? Is there a way to compile Kamailio's TLS module
differently to overcome this?
Thanks.
On Fri, Apr 14, 2023 at 2:34 PM Lukas Tribus <lukas@ltri.eu> wrote:
Hello,
OS:
outdated Debian 8 Jessie
OpenSSL 1.0.1t 3 May 2016
# openssl ciphers -v | grep 'ECDHE-RSA-AES256-GCM-SHA384'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
# kamailio -V
version: kamailio 5.5.6 (x86_64/linux) ad1244
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS,
DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC,
F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX,
FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR,
USE_DST_BLOCKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE
1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
compiled on 21:08:20 Apr 13 2023 with gcc 4.9.2
modparam("tls", "cipher_list", "ALL")
method = TLSv1.2+
Elliptic Curve Diffie-Hellman (ECDH) ciphers are only supported in
OpenSSL 1.0.0e and later.
Any suggestions?
From the docs [1] "TLSv1.2+" seems to require openssl v1.1.1 at least.
Can you try "TLSv1.1+" or "TLSv1.2" instead?
Lukas
[1]
https://kamailio.org/docs/modules/devel/modules/tls.html#tls.p.tls_method
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only
to the sender!
Edit mailing list options or unsubscribe: