[Freeswitch-users] WSS/Sip over Websocket - Any parameter that controls CIPHER suites?
Michael Jerris
mike at jerris.com
Tue Sep 29 02:29:47 MSD 2015
If this is something that is broken or will soon be, it really needs to be filed in jira or no one will be looking at it. If someone can work up a patch to fix this, that would be preferred.
> On Sep 28, 2015, at 6:09 PM, Victor Medina <victor.medina at cibersys.com> wrote:
>
> Michael.
> I'm having a hard time trying to get the development team to use verto.
>
> They insist on using the whole SIP over WS approach since they have to support an iOS app built using Cordova and some libraries that use sipjs.
>
> My other concern is that, AFAIK, browsers will require PFS for signalling soon.
>
> As always, thanks for the help and guidance!
> On 28/09/2015 14:47, "Michael Jerris" <mike at jerris.com> wrote:
> websocket proxy works with mod_verto fine.
>
>> On Sep 27, 2015, at 8:56 AM, Victor Medina <victor.medina at cibersys.com> wrote:
>>
>> Silly question....
>>
>> Can I put Apache, doing websocket proxy, in front of the WS-BINDING (no TLS) and let Apache handle all TLS, or is there some work involved in the Sip 2 Websocket that makes this not a recommended option?
>>
>>
>>
>> 2015-09-25 14:45 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
>> Thanks!
>>
>> I'll get a coffee! =)
>>
>> 2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com>:
>> there was a fix for ec in wss at some point, I'd confirm this part isn't already fixed before you go too far
>>
>>
>> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com> wrote:
>> Um....
>>
>> Thinking...
>> It's a Debian 8, updated.
>> The fs is master, not the latest though... it is master from just about the time before 1.6 stable... so I probably should update...
>>
>> Running sslscan on some machine:
>>
>>
>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
>> Accepted TLSv1 256 bits AES256-SHA
>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
>> Accepted TLSv1 128 bits AES128-SHA
>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>> Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
>> Accepted TLSv1 112 bits DES-CBC3-SHA
>> Authority Information Access:
>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>> Accepted TLSv1 256 bits AES256-SHA
>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>> Accepted TLSv1 128 bits AES128-SHA
>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>> Accepted TLSv1 112 bits DES-CBC3-SHA
>> Authority Information Access:
>>
>>
>> Running the same test on a recent build of v1.6
>> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git 6762f14 2015-09-03 20:36:52Z 64bit)
>>
>>
>>
>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
>> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
>> Accepted TLSv1 256 bits AECDH-AES256-SHA
>> Accepted TLSv1 256 bits AES256-SHA
>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
>> Accepted TLSv1 128 bits AECDH-AES128-SHA
>> Accepted TLSv1 128 bits AES128-SHA
>> Accepted TLSv1 128 bits SEED-SHA
>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>> Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
>> Accepted TLSv1 128 bits AECDH-RC4-SHA
>> Accepted TLSv1 128 bits RC4-SHA
>> Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
>> Accepted TLSv1 112 bits AECDH-DES-CBC3-SHA
>> Accepted TLSv1 112 bits DES-CBC3-SHA
>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
>> Accepted TLSv1 256 bits AES256-SHA
>> Accepted TLSv1 128 bits AES128-SHA
>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>
>> Why does it not accept any PFS/curve/ephemeral cipher on the WSS binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>>
>>
>>
>>
>>
>>
>> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
>> Careful your distro may have disabled anything EC related.
>>
>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <victor.medina at cibersys.com> wrote:
>> First of all, thank you and good morning!
>>
>>
>> Although I'm using:
>>
>> <param name="tls-version" value="tlsv1.2"/>
>> <param name="tls-ciphers" value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>
>>
>> I'm getting:
>>
>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : AES256-GCM-SHA384
>>
>> Not bad, but not ECDHE.
>>
>> Compared to our web server:
>>
>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>>
>>
>>
>>
>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
>> tls-cipher param.
>>
>>
>> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com> wrote:
>> Hi guys!
>>
>> Is there any parameter that can configure what ciphers are used on the WSS interface?
>>
>> I am getting...
>>
>>
>> WSS interface:
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : AES256-GCM-SHA384
>>
>>
>> SIP interface, same channel:
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>>
>>
>>
>> --
>>
>>
>>
>> Víctor E. Medina M.
>> Platform Architect / Chief Infrastructure
>> +58424 291 4561
>> BB #79A8AFA2
>> @VMCibersys
>>
>>
>>
>> --
>> Brian West
>> brian at freeswitch.org
>>
>> Twitter: @FreeSWITCH , @briankwest
>> http://www.freeswitchbook.com
>> http://www.freeswitchcookbook.com
>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit: /r/freeswitch <https://www.reddit.com/r/freeswitch>
>> T:+19184209001 | F:+19184209002 | M:+1918424WEST (9378)
>> iNUM:+883 5100 1420 9001 | ISN:410*543 | Skype:briankwest
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20150928/99979e8e/attachment-0001.html
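
The by-eye comparison of accepted ciphers between two ports, as done with sslscan in the thread, can be scripted so a binding that offers no forward-secret suite is caught automatically. This is an added example, not part of the original thread or of FreeSWITCH; the function names (classify_ciphers, summarize, has_pfs) and variable names are made up here, and the sample input is copied from the first pair of scans quoted above.

```shell
#!/bin/sh
# Classify the "Accepted" lines of sslscan output by key-exchange type.
# Cipher names use OpenSSL naming, as sslscan printed them in the thread.

# classify_ciphers: stdin = sslscan output, stdout = "<class> <cipher>" lines.
#   PFS    authenticated ephemeral key exchange (ECDHE-*, DHE-*, EDH-*)
#   ANON   ephemeral but unauthenticated (AECDH-*, ADH-*)
#   STATIC everything else (RSA key transport, no forward secrecy)
classify_ciphers() {
    awk '$1 == "Accepted" {
        c = $5
        if (c ~ /^(ECDHE|DHE|EDH)-/)  k = "PFS"
        else if (c ~ /^(AECDH|ADH)-/) k = "ANON"
        else                          k = "STATIC"
        print k, c
    }'
}

# summarize: one line of counts; "weak" counts RC4 and 3DES (DES-CBC3) suites.
summarize() {
    classify_ciphers | awk '
        { n[$1]++ }
        $2 ~ /RC4|DES-CBC3/ { weak++ }
        END { printf "pfs=%d anon=%d static=%d weak=%d\n",
              n["PFS"], n["ANON"], n["STATIC"], weak }'
}

# has_pfs: exit status 0 if at least one authenticated PFS suite is accepted.
has_pfs() { classify_ciphers | grep -q '^PFS '; }

# Sample input copied from the first pair of scans in the thread.
PORT_5061='Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLSv1 112 bits DES-CBC3-SHA'
PORT_12443='Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 112 bits DES-CBC3-SHA
Authority Information Access:'

printf 'port 5061:  %s\n' "$(printf '%s\n' "$PORT_5061" | summarize)"
printf 'port 12443: %s\n' "$(printf '%s\n' "$PORT_12443" | summarize)"
```

In a live check, pipe `sslscan host:port` straight into `has_pfs` and alert on a non-zero exit status; the anonymous AECDH suites are counted separately because they are ephemeral but do not authenticate the server.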