[Freeswitch-users] WSS/Sip over Websocket - Any parameter that controls CIPHER suites?

Victor Medina vittico at gmail.com
Tue Sep 29 00:05:15 MSD 2015


Any news on PFS TLS ciphers for the standard SIP/WS binding?  =)



With nothing further to add,

Victor Medina

On Mon, Sep 28, 2015 at 2:46 PM, Michael Jerris <mike at jerris.com> wrote:

> websocket proxy works with mod_verto fine.
>
> On Sep 27, 2015, at 8:56 AM, Victor Medina <victor.medina at cibersys.com>
> wrote:
>
> Silly question....
>
> Can I put Apache, doing websocket proxy in front of the WS-BINDING (no tls)
> and let apache handle all tls; or there is some work involved in the Sip 2
> Websocket that makes this not a recommended option?
>
>
>
> 2015-09-25 14:45 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
>
>> Thanks!
>>
>> I'll get a coffee! =)
>>
>> 2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>
>>> there was a fix for ec in wss at some point, I'd confirm this part isn't
>>> already fixed before you go too far
>>>
>>>
>>> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com>
>>> wrote:
>>>
>>>> Um....
>>>>
>>>> Thinking...
>>>> It's a Debian 8, updated,
>>>> The fs is master, not the latest though... it is master from just about
>>>> the time before 1.6 stable... so I probably should update...
>>>>
>>>> Running sslscan on some machine:
>>>>
>>>>
>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>       Authority Information Access:
>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>       Authority Information Access:
>>>>
>>>>
>>>> Running the same test on a recent build of v1.6
>>>> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git
>>>> 6762f14 2015-09-03 20:36:52Z 64bit)
>>>>
>>>>
>>>>
>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
>>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>>     Accepted  TLSv1  256 bits  AECDH-AES256-SHA
>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>     Accepted  TLSv1  128 bits  AECDH-AES128-SHA
>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>     Accepted  TLSv1  128 bits  SEED-SHA
>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>>>>     Accepted  TLSv1  128 bits  AECDH-RC4-SHA
>>>>     Accepted  TLSv1  128 bits  RC4-SHA
>>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>>     Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA
>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>
>>>> Why does it not accept any PFS/curve/ephemeral cipher on the WSS
>>>> binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>
>>>>> Careful your distro may have disabled anything EC related.
>>>>>
>>>>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <
>>>>> victor.medina at cibersys.com> wrote:
>>>>>
>>>>>> First of all, thank you and good morning!
>>>>>>
>>>>>>
>>>>>> Although I'm using:
>>>>>>
>>>>>>  <param name="tls-version" value="tlsv1.2"/>
>>>>>>  <param name="tls-ciphers"
>>>>>> value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>>>>>
>>>>>>
>>>>>> I'm getting:
>>>>>>
>>>>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>>>>>> Server public key is 2048 bit
>>>>>> Secure Renegotiation IS supported
>>>>>> Compression: NONE
>>>>>> Expansion: NONE
>>>>>> SSL-Session:
>>>>>>     Protocol  : TLSv1.2
>>>>>>     Cipher    : AES256-GCM-SHA384
>>>>>>
>>>>>> Not bad, but not ECDHE.
>>>>>>
>>>>>> Compared to our web server:
>>>>>>
>>>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>>>>>> Server public key is 2048 bit
>>>>>> Secure Renegotiation IS supported
>>>>>> Compression: NONE
>>>>>> Expansion: NONE
>>>>>> SSL-Session:
>>>>>>     Protocol  : TLSv1.2
>>>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>>
>>>>>>> tls-cipher param.
>>>>>>>
>>>>>>>
>>>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>
>>>>>>>> Hi guys!
>>>>>>>>
>>>>>>>> Is there any parameter that can configure what ciphers are used on
>>>>>>>> the WSS interface?
>>>>>>>>
>>>>>>>> I am getting...
>>>>>>>>
>>>>>>>>
>>>>>>>> WSS interface:
>>>>>>>> SSL-Session:
>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>     Cipher    : AES256-GCM-SHA384
>>>>>>>>
>>>>>>>>
>>>>>>>> SIP interface, same channel:
>>>>>>>> Expansion: NONE
>>>>>>>> SSL-Session:
>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Víctor E. Medina M.
>>>>>>>> Platform Architect / Chief Infrastructure
>>>>>>>> +58424 291 4561
>>>>>>>> BB #79A8AFA2
>>>>>>>> @VMCibersys
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> *Brian West*
>>>>>>> brian at freeswitch.org
>>>>>>>
>>>>>>>
>>>>>>> *Twitter: @FreeSWITCH , @briankwest*
>>>>>>> http://www.freeswitchbook.com
>>>>>>> http://www.freeswitchcookbook.com
>>>>>>>
>>>>>>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
>>>>>>> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>>>>>>
>>>>>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>>>>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _________________________________________________________________________
>>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>>> consulting at freeswitch.org
>>>>>>> http://www.freeswitchsolutions.com
>>>>>>>
>>>>>>> Official FreeSWITCH Sites
>>>>>>> http://www.freeswitch.org
>>>>>>> http://confluence.freeswitch.org
>>>>>>> http://www.cluecon.com
>>>>>>>
>>>>>>> FreeSWITCH-users mailing list
>>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>>> UNSUBSCRIBE:
>>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>>> http://www.freeswitch.org
>>>>>>>
>
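
Added example (not part of the original thread, and not FreeSWITCH code): a small Python check that reads sslscan "Accepted" rows like those quoted above and reports which listener accepts forward-secret (ECDHE/DHE) suites. The sample rows are an excerpt assembled from the thread's output; the function names are hypothetical.

```python
import re
# One sslscan row, e.g. "    Accepted  TLSv1  256 bits  AES256-SHA"
ROW = re.compile(r"^\s*Accepted\s+\S+\s+\d+\s+bits\s+(\S+)\s*$")

# Sample input: rows excerpted from the sslscan output quoted in the thread.
SIP_TLS_5061 = """\
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AECDH-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
      Authority Information Access:
"""
WSS_7443 = """\
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
"""

def accepted(text):
    """Cipher names from 'Accepted' rows; stray grep hits are skipped."""
    return [m.group(1) for m in map(ROW.match, text.splitlines()) if m]

def key_exchange(cipher):
    """Classify an OpenSSL (pre-TLS 1.3) cipher name by its key exchange."""
    if cipher.startswith(("AECDH-", "ADH-")):
        return "anonymous"   # ephemeral, but the server is not authenticated
    if cipher.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "ephemeral"   # forward secrecy with an authenticated server
    return "static"          # RSA key transport or fixed (EC)DH: no forward secrecy

def audit(text):
    """Summarise one listener: forward-secret, anonymous and weak-bulk suites."""
    names = accepted(text)
    return {
        "forward_secret": [c for c in names if key_exchange(c) == "ephemeral"],
        "anonymous": [c for c in names if key_exchange(c) == "anonymous"],
        "weak_bulk": [c for c in names if "RC4" in c or "DES" in c],
    }

def pfs_gap(reference, target):
    """Forward-secret suites the reference listener accepts but the target does not."""
    have = set(audit(target)["forward_secret"])
    return [c for c in audit(reference)["forward_secret"] if c not in have]

if __name__ == "__main__":
    print("WSS 7443:", audit(WSS_7443))
    print("forward-secret suites missing on WSS:", pfs_gap(SIP_TLS_5061, WSS_7443))
```

Running the same comparison after an upgrade or a `tls-ciphers` change shows whether the WSS listener has started accepting ephemeral suites.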