[Freeswitch-users] WSS/Sip over Websocket - Any parameter that controls CHIPERS suites?
Victor Medina
victor.medina at cibersys.com
Sun Sep 27 16:56:54 MSD 2015
Silly question....
Can I put Apache, doing websocket proxy infront of the WS-BINDIN (no tls)
and let apache handle all tls; or there is some work involved in the Sip 2
Websocket that makes this not a recomended option?
2015-09-25 14:45 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
> Thanks!
>
> Ill get a coffe! =)
>
> 2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com>:
>
>> there was a fix for ec in wss at some point, I'd confirm this part isn't
>> already fixed before you go too far
>>
>>
>> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com>
>> wrote:
>>
>>> Um....
>>>
>>> Thinking...
>>> Its a Debian 8, updated,
>>> The fs is master, not the latest though... it is master from just about
>>> the time before 1.6 stable... so I probably should update...
>>>
>>> Running sslscan on some machine:
>>>
>>>
>>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>>> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
>>> Accepted TLSv1 256 bits AES256-SHA
>>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>>> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
>>> Accepted TLSv1 128 bits AES128-SHA
>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>> Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>> Authority Information Access:
>>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>>> Accepted TLSv1 256 bits AES256-SHA
>>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>>> Accepted TLSv1 128 bits AES128-SHA
>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>> Authority Information Access:
>>>
>>>
>>> Running the same test on a recent built of v1.6
>>> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git
>>> 6762f14 2015-09-03 20:36:52Z 64bit)
>>>
>>>
>>>
>>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
>>> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
>>> Accepted TLSv1 256 bits AECDH-AES256-SHA
>>> Accepted TLSv1 256 bits AES256-SHA
>>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>>> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
>>> Accepted TLSv1 128 bits AECDH-AES128-SHA
>>> Accepted TLSv1 128 bits AES128-SHA
>>> Accepted TLSv1 128 bits SEED-SHA
>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>> Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
>>> Accepted TLSv1 128 bits AECDH-RC4-SHA
>>> Accepted TLSv1 128 bits RC4-SHA
>>> Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
>>> Accepted TLSv1 112 bits AECDH-DES-CBC3-SHA
>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
>>> Accepted TLSv1 256 bits AES256-SHA
>>> Accepted TLSv1 128 bits AES128-SHA
>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>>
>>> Why it does not accept any PFS/curve/ephimereal cipher on the WSS
>>> binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>>>
>>>
>>>
>>>
>>>
>>>
>>> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>
>>>> Careful your distro may have disabled anything EC related.
>>>>
>>>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <
>>>> victor.medina at cibersys.com> wrote:
>>>>
>>>>> First of all, thanks you and Good morning!.
>>>>>
>>>>>
>>>>> Although I'm using:
>>>>>
>>>>> <param name="tls-version" value="tlsv1.2"/>
>>>>> <param name="tls-ciphers"
>>>>> value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>>>>
>>>>>
>>>>> Im getting:
>>>>>
>>>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>>>>> Server public key is 2048 bit
>>>>> Secure Renegotiation IS supported
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> SSL-Session:
>>>>> Protocol : TLSv1.2
>>>>> Cipher : AES256-GCM-SHA384
>>>>>
>>>>> Not bad, but not ECDHE.
>>>>>
>>>>> Compared to our web server:
>>>>>
>>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>>>>> Server public key is 2048 bit
>>>>> Secure Renegotiation IS supported
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> SSL-Session:
>>>>> Protocol : TLSv1.2
>>>>> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>
>>>>>> tls-cipher param.
>>>>>>
>>>>>>
>>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>
>>>>>>> Hi guys!
>>>>>>>
>>>>>>> Is there any parameter that can configure what ciphers are used on
>>>>>>> the WSS interface?
>>>>>>>
>>>>>>> Im am getting...
>>>>>>>
>>>>>>>
>>>>>>> WSS interface:
>>>>>>> SSL-Session:
>>>>>>> Protocol : TLSv1.2
>>>>>>> Cipher : AES256-GCM-SHA384
>>>>>>>
>>>>>>>
>>>>>>> SIP interface, same channel:
>>>>>>> Expansion: NONE
>>>>>>> SSL-Session:
>>>>>>> Protocol : TLSv1.2
>>>>>>> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Víctor E. Medina M.
>>>>>>> Platform Architect / Chief Infrastructure
>>>>>>> +58424 291 4561
>>>>>>> BB #79A8AFA2
>>>>>>> @VMCibersys
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> *Brian West*
>>>>>> brian at freeswitch.org
>>>>>>
>>>>>>
>>>>>> *Twitter: @FreeSWITCH , @briankwest*
>>>>>> http://www.freeswitchbook.com
>>>>>> http://www.freeswitchcookbook.com
>>>>>>
>>>>>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
>>>>>> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>>>>>
>>>>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>>>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>>>>
>>>>>>
>>>>>>
>>>>>> _________________________________________________________________________
>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>> consulting at freeswitch.org
>>>>>> http://www.freeswitchsolutions.com
>>>>>>
>>>>>> Official FreeSWITCH Sites
>>>>>> http://www.freeswitch.org
>>>>>> http://confluence.freeswitch.org
>>>>>> http://www.cluecon.com
>>>>>>
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:
>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>
>>>>>
>>>>> Víctor E. Medina M.
>>>>> Platform Architect / Chief Infrastructure
>>>>> +58424 291 4561
>>>>> BB #79A8AFA2
>>>>> @VMCibersys
>>>>>
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://confluence.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Brian West*
>>>> brian at freeswitch.org
>>>>
>>>>
>>>> *Twitter: @FreeSWITCH , @briankwest*
>>>> http://www.freeswitchbook.com
>>>> http://www.freeswitchcookbook.com
>>>>
>>>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
>>>> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>>>
>>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://confluence.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>>
>>> Víctor E. Medina M.
>>> Platform Architect / Chief Infrastructure
>>> +58424 291 4561
>>> BB #79A8AFA2
>>> @VMCibersys
>>>
>>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>
>
>
> --
>
>
>
> Víctor E. Medina M.
> Platform Architect / Chief Infrastructure
> +58424 291 4561
> BB #79A8AFA2
> @VMCibersys
>
>
--
Víctor E. Medina M.
Platform Architect / Chief Infrastructure
+58424 291 4561
BB #79A8AFA2
@VMCibersys
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20150927/440282f0/attachment-0001.html
Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users
mailing list