On May 23, 2014, at 12:43 PM, James Cloos <cl...@jhcloos.com> wrote:
>>>>>> "FC" == Frank Carmickle <fr...@carmickle.com> writes: > > JC>> If you record the full packet trace, wireshark can use your privkey.pem > JC>> to decode the tls handshake, recover the session key, and use that to > JC>> decode the payload packets. > > FC> This is true if you are not using an ephemeral Diffie Hellman cypher > suite. > > Good point. A quick test shows that contacting asterisk-11 over tls/tcp > negotiates rsa key exchange; kamailio does better and agrees to ECDHE-RSA. > > If the trace is of kama talking to asterisk ephemeral is not likely. > Asterisk-12 may be better; I cannot test right now. Nor can I test > freeswitch. > Freeswitch does support most new features of openssl 1.0.1 branch. I believe it defaults to tls1.1 currently but I believe the goal is to only enable tls1.2, with ECDHE+AES128 by default. You can certainly ask it to do what ever openssl supports, except that right now ECDHE is hardcoded to p256. --FC _______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users