[SR-Users] Cannot disable EC Diffie Hellman cipher suite

Thu, 23 Nov 2017 13:44:49 -0800 

Hi there,
I have set up a Kamailio 4.2.0 SIP server (centOS 7) for a university project regarding WebRTC comunication. While kamailio handles the signaling path I use the SIP.js demo phone js application (hosted on the same machine as kamaillio) for actual WebRTC stuff. For a deeper understanding and documetation purposes I have been trying to sniff the traffic with wireshark but failed due to the fact that kamailio uses Elliptic Curve Diffie Hellmann cipher suite (see wireshark snippet below) which is not decryptable. 

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 89
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 85
            Version: TLS 1.2 (0x0303)
            Random: b8916e4e0f7c712503a77afcf4c9228598092c166353be50...
            Session ID Length: 32
            Session ID: b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Compression Method: null (0)
            Extensions Length: 13
            Extension: renegotiation_info (len=1)
            Extension: ec_point_formats (len=4)


I already tried importing captured SSLKEYLOG pre master secret from 
chrome and private key file issued by letsencrypt without success.


On top of that I set this line


    SSLCipherSuite 
!DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL



in /etc/httpd/conf.d/ssl.conf and compiled openssl with no-ec no-dh 
(which worked see below).


[admin@kamailio-sip ~]$ openssl ciphers
SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
[admin@kamailio-sip ~]$


Setting

    modparam("tls", "cipher_list", "AESCCM")


(or different ciphers) in /etc/kamailio/kamailio.cfg seems to have no 
effect on the actual negoiated cipher suite.



Am I missing something? Any help or pointers into the right direction 
will be much appreciated.



Best regards,

Ilyas Keskin





_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users






















					Reply via email to