VoIP Mailing List Archives
Mailing list archives for the VoIP community
[Freeswitch-users] Using Specific TLS Ciphers (1.10.7)
Author: mmeehan at djsequel.com (Guest)
Posted: Thu Jul 14, 2022 11:00 pm    Post subject: [Freeswitch-users] Using Specific TLS Ciphers (1.10.7)

For everyone else’s benefit, this was sorted. I’ve found that I needed something set in both vars.xml:

<X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=AES256-GCM-SHA384"/>

and the sip_profile I wanted to restrict the ciphers for:

<param name="tls-ciphers" value="$${sip_tls_ciphers}"/>

Thanks



From: Michael Meehan <mmeehan@djsequel.com>
Date: Friday, June 24, 2022 at 9:09 AM
To: freeswitch-users@lists.freeswitch.org <freeswitch-users@lists.freeswitch.org>
Subject: Using Specific TLS Ciphers (1.10.7)

We’ve been trying to prevent using specific ciphers, mainly Diffie-Hellman. According to the documentation I’ve seen and previous posts in this group, that should be accomplished by using something like this:

<X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256"/>

This doesn’t work.

This specific cipher is offered in the CLIENT HELLO and shown as also supported from the SERVER HELLO response amongst others, however, we continue to see DH as being agreed upon:

tport_tls.c:974 tls_connect() tls_connect(0x7ff738006e70): events CONNECTING
tport_tls.c:974 tls_connect() tls_connect(0x7ff738006e70): events NEGOTIATING
tport_tls.c:974 tls_connect() tls_connect(0x7ff738006e70): events NEGOTIATING
tport_tls.c:617 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (name): ECDHE-RSA-AES128-GCM-SHA256
tport_tls.c:619 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (version): TLSv1/SSLv3
tport_tls.c:622 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (bits/alg_bits): 128/128
tport_tls.c:625 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (description): ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD

Other attempts have been made using the following, which also doesn’t appear to function as expected.

<X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!DH:!ECDH:!LOW:!EXP:!MD5:@STRENGTH"/>

Any help is appreciated, thanks.

FreeSWITCH Version 1.10.7-release.13~64bit (-release.13 64bit)
CENTOS 7 3.10.0-1160.62.1.el7.x86_64
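A pre-deployment check for the cipher string, added here as an example and not code from the thread or from FreeSWITCH. It uses Python's ssl module to ask OpenSSL which TLS 1.2-and-earlier suites a sip_tls_ciphers value actually expands to, reports the key-exchange class of each (the Kx= field in the tport_tls.c log above), and flags any string that still selects (EC)DH key exchange; it also accepts a host and port to read back the suite a running SIP-over-TLS listener negotiates. It assumes the interpreter links an OpenSSL that parses cipher strings the same way as the one FreeSWITCH was built against, and the host name sip.example.invalid in the usage comment is a placeholder.

```python
"""Check an OpenSSL cipher-list string (e.g. the sip_tls_ciphers value from
vars.xml) before deploying it. Added example for this thread; not FreeSWITCH
code and it does not read FreeSWITCH configuration."""
import socket
import ssl
import sys

# OpenSSL labels each suite's key-exchange class as kx-rsa, kx-dhe, kx-ecdhe,
# kx-psk, ... (kx-any for TLS 1.3 suites). Any class with one of these
# prefixes negotiates a Diffie-Hellman exchange, finite-field or elliptic-curve.
DH_KEA_PREFIXES = ("kx-dh", "kx-ecdh")


def expand_cipher_string(cipher_string):
    """Return the TLS 1.2-and-earlier suites OpenSSL selects for cipher_string,
    in preference order, as the dicts produced by SSLContext.get_ciphers().

    Raises ValueError when the string selects nothing, which is how OpenSSL
    reports a name it does not recognise.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError(f"cipher string selects no suites: {cipher_string!r}") from exc
    # TLS 1.3 suites are configured separately and are listed regardless of
    # the cipher-list string, so they are left out of this view.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def key_exchange_summary(cipher_string):
    """Map each key-exchange class to the suite names that use it."""
    summary = {}
    for suite in expand_cipher_string(cipher_string):
        summary.setdefault(suite["kea"] or "unknown", []).append(suite["name"])
    return summary


def has_dh_key_exchange(cipher_string):
    """True if any selected suite negotiates (EC)DH(E) key exchange."""
    return any(kea.startswith(DH_KEA_PREFIXES)
               for kea in key_exchange_summary(cipher_string))


def negotiated_cipher(host, port=5061, timeout=5.0):
    """Connect to a SIP-over-TLS port and return the (name, version, bits)
    triple the server negotiated, the same data the tport_tls.c log prints.
    Verification is off because this is a diagnostic against a server you
    operate, not a trust decision; never reuse this context for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    # The strings tried in the thread, followed by the one that was deployed.
    for candidate in (
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "ALL:!ADH:!DH:!ECDH:!LOW:!EXP:!MD5:@STRENGTH",
        "AES256-GCM-SHA384",
    ):
        try:
            summary = key_exchange_summary(candidate)
        except ValueError as err:
            print(f"{candidate}: rejected by this OpenSSL build ({err})")
            continue
        verdict = ("contains (EC)DH key exchange" if has_dh_key_exchange(candidate)
                   else "no (EC)DH key exchange")
        print(f"{candidate}: {verdict}")
        for kea, names in summary.items():
            print(f"  {kea}: {', '.join(names)}")
    if len(sys.argv) > 1:
        # Usage: python tls_cipher_check.py sip.example.invalid 5061  (placeholder host)
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 5061
        print("negotiated:", negotiated_cipher(host, port))
```

Running the script with no arguments prints, for each string, whether the local OpenSSL accepts it and which key-exchange classes survive, so a string that still leaves ECDHE suites in the list is caught before the profile is reloaded; passing a host and port afterwards confirms what the listener really picks, which is the check the log lines in the thread were doing by hand.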