Hi there,
I have set up a Kamailio 4.2.0 SIP server (centOS 7) for a university
project regarding WebRTC comunication. While kamailio handles the
signaling path I use the SIP.js demo phone js application (hosted on the
same machine as kamaillio) for actual WebRTC stuff.
For a deeper understanding and documetation purposes I have been trying
to sniff the traffic with wireshark but failed due to the fact that
kamailio uses Elliptic Curve Diffie Hellmann cipher suite (see wireshark
snippet below) which is not decryptable.
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 89
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 85
Version: TLS 1.2 (0x0303)
Random: b8916e4e0f7c712503a77afcf4c9228598092c166353be50...
Session ID Length: 32
Session ID: b0a31a6699a001b7991645dc61064ca4c4b073eff6913f26...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Compression Method: null (0)
Extensions Length: 13
Extension: renegotiation_info (len=1)
Extension: ec_point_formats (len=4)
I already tried importing captured SSLKEYLOG pre master secret from
chrome and private key file issued by letsencrypt without success.
On top of that I set this line
SSLCipherSuite
!DH:!ECDH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
in /etc/httpd/conf.d/ssl.conf and compiled openssl with no-ec no-dh
(which worked see below).
[admin@kamailio-sip ~]$ openssl ciphers
SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
[admin@kamailio-sip ~]$
Setting
modparam("tls", "cipher_list", "AESCCM")
(or different ciphers) in /etc/kamailio/kamailio.cfg seems to have no
effect on the actual negoiated cipher suite.
Am I missing something? Any help or pointers into the right direction
will be much appreciated.
Best regards,
Ilyas Keskin
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users