[Freeswitch-users] WSS/SIP over WebSocket - Any parameter that controls CIPHER suites?

Victor Medina victor.medina at cibersys.com
Tue Sep 29 18:16:46 MSD 2015


Guys.

WSS is implemented in tport_tls.c, right?

2015-09-28 17:59 GMT-04:30 Michael Jerris <mike at jerris.com>:

> If this is something that is broken or will soon be, it really needs to be
> filed in jira or no one will be looking at it.  If someone can work up a
> patch to fix this, that would be preferred.
>
> On Sep 28, 2015, at 6:09 PM, Victor Medina <victor.medina at cibersys.com>
> wrote:
>
> Michael.
> I'm having a hard time trying to get the development team to use verto.
>
> They insist on using the whole SIP over WS approach since they have to
> support an iOS app built using Cordova and some libraries that use sipjs.
>
> My other concern is that, AFAIK, browsers will require PFS for signalling
> soon.
>
> As always, thanks for the help and guidance!
> On 28/09/2015 14:47, "Michael Jerris" <mike at jerris.com> wrote:
>
>> websocket proxy works with mod_verto fine.
>>
>> On Sep 27, 2015, at 8:56 AM, Victor Medina <victor.medina at cibersys.com>
>> wrote:
>>
>> Silly question....
>>
>> Can I put Apache, doing websocket proxy, in front of the WS-BINDING (no TLS)
>> and let Apache handle all TLS; or is there some work involved in the SIP to
>> WebSocket that makes this not a recommended option?
>>
>>
>>
>> 2015-09-25 14:45 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
>>
>>> Thanks!
>>>
>>> I'll get a coffee! =)
>>>
>>> 2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>>
>>>> there was a fix for ec in wss at some point, I'd confirm this part
>>>> isn't already fixed before you go too far
>>>>
>>>>
>>>> On Friday, September 25, 2015, Victor Medina <
>>>> victor.medina at cibersys.com> wrote:
>>>>
>>>>> Um....
>>>>>
>>>>> Thinking...
>>>>> It's a Debian 8, updated,
>>>>> The fs is master, not the latest though... it is master from just
>>>>> about the time before 1.6 stable... so I probably should update...
>>>>>
>>>>> Running sslscan on some machine:
>>>>>
>>>>>
>>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>>>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>>       Authority Information Access:
>>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>>       Authority Information Access:
>>>>>
>>>>>
>>>>> Running the same test on a recent build of v1.6
>>>>> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git
>>>>> 6762f14 2015-09-03 20:36:52Z 64bit)
>>>>>
>>>>>
>>>>>
>>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
>>>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>>>     Accepted  TLSv1  256 bits  AECDH-AES256-SHA
>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>>     Accepted  TLSv1  128 bits  AECDH-AES128-SHA
>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>     Accepted  TLSv1  128 bits  SEED-SHA
>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>>>>>     Accepted  TLSv1  128 bits  AECDH-RC4-SHA
>>>>>     Accepted  TLSv1  128 bits  RC4-SHA
>>>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>>>     Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA
>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>>
>>>>> Why does it not accept any PFS/curve/ephemeral cipher on the WSS
>>>>> binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>
>>>>>> Careful your distro may have disabled anything EC related.
>>>>>>
>>>>>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <
>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>
>>>>>>> First of all, thank you and good morning!
>>>>>>>
>>>>>>>
>>>>>>> Although I'm using:
>>>>>>>
>>>>>>>  <param name="tls-version" value="tlsv1.2"/>
>>>>>>>  <param name="tls-ciphers"
>>>>>>> value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>>>>>>
>>>>>>>
>>>>>>> I'm getting:
>>>>>>>
>>>>>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>>>>>>> Server public key is 2048 bit
>>>>>>> Secure Renegotiation IS supported
>>>>>>> Compression: NONE
>>>>>>> Expansion: NONE
>>>>>>> SSL-Session:
>>>>>>>     Protocol  : TLSv1.2
>>>>>>>     Cipher    : AES256-GCM-SHA384
>>>>>>>
>>>>>>> Not bad, but not ECDHE.
>>>>>>>
>>>>>>> Compared to our web server:
>>>>>>>
>>>>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>>>>>>> Server public key is 2048 bit
>>>>>>> Secure Renegotiation IS supported
>>>>>>> Compression: NONE
>>>>>>> Expansion: NONE
>>>>>>> SSL-Session:
>>>>>>>     Protocol  : TLSv1.2
>>>>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>>>
>>>>>>>> tls-cipher param.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>>
>>>>>>>>> Hi guys!
>>>>>>>>>
>>>>>>>>> Is there any parameter that can configure what ciphers are used on
>>>>>>>>> the WSS interface?
>>>>>>>>>
>>>>>>>>> I am getting...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> WSS interface:
>>>>>>>>> SSL-Session:
>>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>>     Cipher    : AES256-GCM-SHA384
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> SIP interface, same channel:
>>>>>>>>> Expansion: NONE
>>>>>>>>> SSL-Session:
>>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Víctor E. Medina M.
>>>>>>>>> Platform Architect / Chief Infrastructure
>>>>>>>>> +58424 291 4561
>>>>>>>>> BB #79A8AFA2
>>>>>>>>> @VMCibersys
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> *Brian West*
>>>>>>>> brian at freeswitch.org
>>>>>>>>
>>>>>>>>
>>>>>>>> *Twitter: @FreeSWITCH , @briankwest*
>>>>>>>> http://www.freeswitchbook.com
>>>>>>>> http://www.freeswitchcookbook.com
>>>>>>>>
>>>>>>>> Got Bugs? Report them here <https://freeswitch.org/jira>! |
>>>>>>>> Reddit: /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>>>>>>>
>>>>>>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>>>>>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _________________________________________________________________________
>>>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>>>> consulting at freeswitch.org
>>>>>>>> http://www.freeswitchsolutions.com
>>>>>>>>
>>>>>>>> Official FreeSWITCH Sites
>>>>>>>> http://www.freeswitch.org
>>>>>>>> http://confluence.freeswitch.org
>>>>>>>> http://www.cluecon.com
>>>>>>>>
>>>>>>>> FreeSWITCH-users mailing list
>>>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>>>> UNSUBSCRIBE:
>>>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>>>> http://www.freeswitch.org
>>>>>>>>



-- 



Víctor E. Medina M.
Platform Architect / Chief Infrastructure
+58424 291 4561
BB #79A8AFA2
@VMCibersys
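
Added example (not part of the original message and not FreeSWITCH code): the sslscan comparison quoted in the thread, turned into a repeatable check that tags each accepted suite and lists what the SIP TLS listener accepts that the WSS listener does not. The sample input is abridged from the v1.6 scan quoted above; the function names are hypothetical.

```sh
#!/bin/sh
# Compare the cipher suites two listeners accept, from sslscan "Accepted" lines.

# Sample input, abridged from the v1.6 scan quoted in the thread (5061 vs 7443).
SIP_TLS='    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AECDH-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA'
WSS='    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA'

# stdin: sslscan output. stdout: "<suite> <tags>" per accepted suite.
#   PFS  = authenticated ephemeral (EC)DH    WEAK = RC4 or DES/3DES
#   ANON = anonymous key exchange (ephemeral, but server not authenticated)
classify_suites() {
  awk '$1 == "Accepted" {
    suite = $NF; tags = ""
    if (suite ~ /^(ECDHE|DHE|EDH)-/) tags = tags " PFS"
    if (suite ~ /^(AECDH|ADH)-/)     tags = tags " ANON"
    if (suite ~ /RC4|DES/)           tags = tags " WEAK"
    if (tags == "") tags = " -"
    print suite tags
  }'
}

# stdin: sslscan output. stdout: number of accepted suites tagged PFS.
count_pfs() {
  classify_suites | awk '/ PFS/ { n++ } END { print n + 0 }'
}

# $1, $2: sslscan output of two listeners. stdout: suites only $1 accepts.
missing_on_second() {
  printf '%s\n---\n%s\n' "$2" "$1" | awk '
    $0 == "---"      { past_sep = 1; next }
    $1 != "Accepted" { next }
    !past_sep        { second[$NF] = 1; next }
    !($NF in second) { print $NF }'
}

echo "PFS suites: SIP TLS=$(printf '%s\n' "$SIP_TLS" | count_pfs) WSS=$(printf '%s\n' "$WSS" | count_pfs)"
echo "Accepted on SIP TLS but not on WSS:"
missing_on_second "$SIP_TLS" "$WSS" | sed 's/^/  /'
```

A PFS count of zero on one listener while the other reports several, with the same certificate and configuration, is the symptom described in this thread.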