Hello,
Does anyone know of a method to check what TLS versions are available from Kamailio for clients to use? For example, is TLS 1.0 available, TLS 1.1, etc.
Thanks in advance,
Hi,
Are you looking for a way that does not require access to the Kamailio config?
If so, does `openssl s_client $HOST:5061` not show this, e.g. with verbosity?
On 8/11/20 9:44 PM, David Cunningham wrote:
Hello,
Does anyone know of a method to check what TLS versions are available from Kamailio for clients to use? For example, is TLS 1.0 available, TLS 1.1, etc.
Thanks in advance,
-- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hello,
for sure you can test if a specific tls version is supported, like:
openssl s_client -tls1_3 ...
In Kamailio one can restrict what tls versions to enable/allow via modparam or tls.cfg, but the support of tls versions is coming from libssl, so it is a matter of what libssl version is used and the distro (as I noticed some distros package libssl with older protocols disabled).
Cheers, Daniel
On 12.08.20 04:01, Alex Balashov wrote:
Hi,
Are you looking for a way that does not require access to the Kamailio config?
If so, does `openssl s_client $HOST:5061` not show this, e.g. with verbosity?
-- Alex Balashov | Principal | Evariste Systems LLC
Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
Hi Alex and Daniel,
Thanks for that. If we test with -tls1 we get:
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6063 bytes and written 231 bytes
Verification error: certificate has expired
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1
    Cipher : ECDHE-RSA-AES256-SHA
    Session-ID: 10059472D497ED035E53F0037275430927B06D6023A78C23CDB883503DB912F3
    Session-ID-ctx:
    Master-Key: D4542C9D23589A600554D7F0C552CE784F938341C0AFD61430AB7422CEB77EF05F783E8F787FC5CF66A27B6C996C32D8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 40 82 72 56 a9 78 26 79-03 1e cb 8d 29 dc 8c f8 @.rV.x&y....)...
... etc...
But with -tls1_1 we get:
CONNECTED(00000005)
139645110682048:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 74 bytes and written 133 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.1
... etc...
So I guess TLS 1.1 is not supported at the moment. In tls.cfg we have "method = TLSv1", but my understanding is that this is the minimum and doesn't prevent using higher versions?
Given that we have the Ubuntu packages for libssl1.1 (version 1.1.1-1ubuntu2.1~18.04) and libssl-dev (version 1.1.1-1ubuntu2.1~18.04) installed, does anyone know what else we need to get TLS 1.1 working?
Thanks in advance!
On Wed, 12 Aug 2020 at 20:08, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
for sure you can test if a specific tls version is supported, like:
openssl s_client -tls1_3 ...
In Kamailio one can restrict what tls versions to enable/allow via modparam or tls.cfg, but the support of tls versions is coming from libssl, so it is a matter of what libssl version is used and the distro (as I noticed some distros package libssl with older protocols disabled).
Cheers, Daniel
-- Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- www.linkedin.com/in/miconda Funding: https://www.paypal.me/dcmierla
Hello,
try "method = TLSv1+" in the tls.cfg of Kamailio, as mentioned in the module docs.
Cheers,
Henning
-- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com/
From: sr-users sr-users-bounces@lists.kamailio.org On Behalf Of David Cunningham Sent: Thursday, August 13, 2020 3:25 AM To: Daniel-Constantin Mierla miconda@gmail.com; Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Subject: Re: [SR-Users] How to check TLS versions available
Hi Alex and Daniel,
Thanks for that. If we test with -tls1 we get:
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6063 bytes and written 231 bytes
Verification error: certificate has expired
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1
    Cipher : ECDHE-RSA-AES256-SHA
    Session-ID: 10059472D497ED035E53F0037275430927B06D6023A78C23CDB883503DB912F3
    Session-ID-ctx:
    Master-Key: D4542C9D23589A600554D7F0C552CE784F938341C0AFD61430AB7422CEB77EF05F783E8F787FC5CF66A27B6C996C32D8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 40 82 72 56 a9 78 26 79-03 1e cb 8d 29 dc 8c f8 @.rV.x&y....)...
... etc...
But with -tls1_1 we get:
CONNECTED(00000005)
139645110682048:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 74 bytes and written 133 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.1
... etc...
So I guess TLS 1.1 is not supported at the moment. In tls.cfg we have "method = TLSv1", but my understanding is that this is the minimum and doesn't prevent using higher versions?
Given that we have the Ubuntu packages for libssl1.1 (version 1.1.1-1ubuntu2.1~18.04) and libssl-dev (version 1.1.1-1ubuntu2.1~18.04) installed, does anyone know what else we need to get TLS 1.1 working?
Thanks in advance!
Hi Henning, thanks for that. Somehow I misread the docs before.
On Fri, 14 Aug 2020 at 23:17, Henning Westerholt hw@skalatan.de wrote:
Hello,
try "method = TLSv1+" in the tls.cfg of Kamailio, as mentioned in the module docs.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
--
David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782
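
Added example, not part of the original thread: a small shell helper that runs the per-version `openssl s_client` probes suggested above against a SIP TLS listener and classifies each result from the "New, <protocol>, Cipher is <cipher>" summary line quoted in the thread. The function names and the host:port argument are assumptions; a "none" result can also come from the probing machine's own libssl refusing that version.

```sh
#!/bin/sh
# Added example: function names are hypothetical, not from Kamailio or OpenSSL.

# classify_s_client: read `openssl s_client` output on stdin.
# Prints "<protocol> <cipher>" when a session was negotiated, "none" otherwise.
# It keys on the summary line "New, <proto>, Cipher is <cipher>"; a failed
# handshake reports "(NONE)" there, and a missing line also counts as "none".
classify_s_client() {
    awk '
        /^New, / {
            proto = $2
            sub(/,$/, "", proto)   # strip the trailing comma after the protocol
            cipher = $NF
            found = 1
        }
        END {
            if (found && proto != "(NONE)") print proto, cipher
            else print "none"
        }'
}

# probe_tls_versions: try each protocol flag against host:port (for example
# the SIP TLS listener on port 5061) and print one result line per flag.
# Caveat: the local openssl must itself still allow the version being tested,
# otherwise "none" reflects the client, not the server.
probe_tls_versions() {
    target=$1
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -connect "$target" "-$flag" \
                     </dev/null 2>/dev/null | classify_s_client)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

# Run the probe only when a host:port argument is given.
if [ "$#" -gt 0 ]; then
    probe_tls_versions "$1"
fi
```

With "method = TLSv1" in tls.cfg, as in the thread, only the tls1 row should report a protocol and cipher; after switching to "method = TLSv1+" the higher versions supported by libssl should negotiate as well.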