mmeehan at djsequel.com
Posted: Sat Jun 25, 2022 6:00 am Post subject: [Freeswitch-users] Using Specific TLS Ciphers (1.10.7)
We’ve been trying to prevent using specific ciphers, mainly Diffie-Hellman. According to the documentation I’ve seen and previous posts in this group, that should be accomplished by using something like this:
<X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256"/>
This doesn’t work.
This specific cipher is offered in the CLIENT HELLO and shown as also supported from the SERVER HELLO response amongst others, however, we continue to see DH as being agreed upon:
tport_tls.c:974 tls_connect() tls_connect(0x7ff738006e70): events CONNECTING
tport_tls.c:974 tls_connect() tls_connect(0x7ff738006e70): events NEGOTIATING
tport_tls.c:974 tls_connect() tls_connect(0x7ff738006e70): events NEGOTIATING
tport_tls.c:617 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (name): ECDHE-RSA-AES128-GCM-SHA256
tport_tls.c:619 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (version): TLSv1/SSLv3
tport_tls.c:622 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (bits/alg_bits): 128/128
tport_tls.c:625 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (description): ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
Other attempts have been made using the following, which also doesn’t appear to function as expected.
<X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!DH:!ECDH:!LOW:!EXP:!MD5:@STRENGTH"/>
Any help is appreciated, thanks.
FreeSWITCH Version 1.10.7-release.13~64bit (-release.13 64bit)
CentOS 7 3.10.0-1160.62.1.el7.x86_64
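A check worth running before touching the FreeSWITCH profile: expand both cipher strings from the post with the same OpenSSL cipher-list parser that sofia-sip hands them to (SSL_CTX_set_cipher_list), and see which key-exchange types survive. The script below is an added example for this thread, not FreeSWITCH or sofia-sip code; it uses Python's standard ssl module, whose set_ciphers() and get_ciphers() wrap that OpenSSL call. The only thing it assumes beyond the post is that AES128-SHA256 is OpenSSL's spelling of TLS_RSA_WITH_AES_128_CBC_SHA256 (it is: same suite, IANA name versus OpenSSL name).

```python
"""Expand OpenSSL cipher-list strings and report the key exchange of every suite left.

Added example for the thread above (not FreeSWITCH or sofia-sip code).
Run it on the box in question so it reflects the OpenSSL build actually linked.
"""
import ssl

# Both strings are copied from the post.
IANA_NAME = "TLS_RSA_WITH_AES_128_CBC_SHA256"
# Assumption stated in the lead-in: the same suite in OpenSSL's own spelling.
OPENSSL_NAME = "AES128-SHA256"
EXCLUSION_STRING = "ALL:!ADH:!DH:!ECDH:!LOW:!EXP:!MD5:@STRENGTH"

# Key-exchange labels the ssl module reports (OpenSSL NID long names).
DH_FAMILY = {"kx-dhe", "kx-ecdhe"}


def _context(cipher_string):
    """SSLContext with cipher_string applied, or None if OpenSSL rejects the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return ctx


def expand(cipher_string):
    """Suites a TLS <= 1.2 handshake may pick for cipher_string, or None if rejected.

    Each entry is the dict get_ciphers() returns: 'name', 'protocol',
    'kea' (key exchange), 'auth', 'strength_bits', ...
    """
    ctx = _context(cipher_string)
    if ctx is None:
        return None
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def tls13_suites(cipher_string):
    """TLS 1.3 suites still enabled after set_ciphers(): the cipher list does not govern them."""
    ctx = _context(cipher_string)
    if ctx is None:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def dh_suites_left(cipher_string):
    """Names of (EC)DHE suites that survive cipher_string; empty means DH really is excluded."""
    return [c["name"] for c in expand(cipher_string) or [] if c["kea"] in DH_FAMILY]


def report(cipher_string):
    """Human-readable expansion, one suite per line, plus the DH and TLS 1.3 summary."""
    lines = [f"cipher string: {cipher_string}"]
    suites = expand(cipher_string)
    if suites is None:
        lines.append("  rejected by OpenSSL (no cipher matched this string)")
        return "\n".join(lines)
    for c in suites:
        lines.append(f"  {c['name']:<32} {c['protocol']:<8} {c['kea']:<14} {c['strength_bits']} bits")
    lines.append(f"  (EC)DHE suites left: {len(dh_suites_left(cipher_string))}")
    t13 = tls13_suites(cipher_string)
    if t13:
        lines.append("  TLS 1.3 suites untouched by the list: " + ", ".join(c["name"] for c in t13))
    return "\n".join(lines)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for s in (IANA_NAME, OPENSSL_NAME, EXCLUSION_STRING):
        print(report(s))
        print()
```

Two things the output makes visible. First, whether the OpenSSL build accepts the IANA spelling at all: if report(IANA_NAME) says "rejected", that string can never have produced a one-suite list, whereas AES128-SHA256 expands to exactly that suite with kea kx-rsa. Second, the exclusion string does remove every kx-dhe and kx-ecdhe suite (DH and ECDH are OpenSSL aliases for the ephemeral variants), so if an ECDHE suite is still negotiated with that string set, the string is not reaching sofia-sip; check that the profile's tls-ciphers param actually references $${sip_tls_ciphers} and reload the profile. TLS 1.3 suites are a separate case: they are configured through a different OpenSSL call (SSL_CTX_set_ciphersuites), ignore the cipher list entirely, and always use ephemeral (EC)DHE, which is why the script lists them separately; the log in the post shows TLSv1.2, so that is not what is happening here, but it would be on a TLS 1.3-capable peer.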