[Freeswitch-users] WSS/Sip over Websocket - Any parameter that controls CHIPERS suites?

Michael Jerris mike at jerris.com
Tue Sep 29 18:50:13 MSD 2015


No, its in the same file with ws.

> On Sep 29, 2015, at 10:16 AM, Victor Medina <victor.medina at cibersys.com> wrote:
> 
> Guys.
> 
> WSS is implemented on tport_tls.c right?
> 
> 2015-09-28 17:59 GMT-04:30 Michael Jerris <mike at jerris.com <mailto:mike at jerris.com>>:
> If this is something that is broken or will soon be, it really needs to be filed in jira or no one will be looking at it.  If someone can work up a patch to fix this, that would be preferred.
> 
>> On Sep 28, 2015, at 6:09 PM, Victor Medina <victor.medina at cibersys.com <mailto:victor.medina at cibersys.com>> wrote:
>> 
>> Michael.
>> Im having a hard time trying to get development team to use verto
>> 
>> They insist on using The whole sip over ws approach since they have to Support a ios app built using cordova and Some libraries that uses sipjs.
>> 
>> My other concerns is that afaik browser will requiere pfs for signalling soon
>> 
>> As always thanks for Help and guidance!
>> El 28/09/2015 14:47, "Michael Jerris" <mike at jerris.com <mailto:mike at jerris.com>> escribió:
>> websocket proxy works with mod_verto fine.
>> 
>>> On Sep 27, 2015, at 8:56 AM, Victor Medina <victor.medina at cibersys.com <mailto:victor.medina at cibersys.com>> wrote:
>>> 
>>> Silly question....
>>> 
>>> Can I put Apache, doing websocket proxy infront of the WS-BINDIN (no tls) and let apache handle all tls; or there is some work involved in the Sip 2 Websocket that makes this not a recomended option?
>>> 
>>> 
>>> 
>>> 2015-09-25 14:45 GMT-04:30 Victor Medina <victor.medina at cibersys.com <mailto:victor.medina at cibersys.com>>:
>>> Thanks!
>>> 
>>> Ill get a coffe! =)
>>> 
>>> 2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com <mailto:mike at jerris.com>>:
>>> there was a fix for ec in wss at some point, I'd confirm this part isn't already fixed before you go too far
>>> 
>>> 
>>> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com <mailto:victor.medina at cibersys.com>> wrote:
>>> Um....
>>> 
>>> Thinking... 
>>> Its a Debian 8, updated, 
>>> The fs is master, not the latest though... it is master from just about the time before 1.6 stable... so I probably should update...
>>> 
>>> Running sslscan on some machine:
>>> 
>>> 
>>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>       Authority Information Access: 
>>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>       Authority Information Access: 
>>> 
>>> 
>>> Running the same test on a recent built of v1.6 
>>> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git 6762f14 2015-09-03 20:36:52Z 64bit)
>>> 
>>> 
>>> 
>>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>     Accepted  TLSv1  256 bits  AECDH-AES256-SHA
>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>     Accepted  TLSv1  128 bits  AECDH-AES128-SHA
>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>     Accepted  TLSv1  128 bits  SEED-SHA
>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>>>     Accepted  TLSv1  128 bits  AECDH-RC4-SHA
>>>     Accepted  TLSv1  128 bits  RC4-SHA
>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>     Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA
>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>> 
>>> Why it does not accept any PFS/curve/ephimereal cipher on the WSS binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org <>>:
>>> Careful your distro may have disabled anything EC related.
>>> 
>>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <victor.medina at cibersys.com <>> wrote:
>>> First of all, thanks you and Good morning!.
>>> 
>>> 
>>> Although I'm using:
>>> 
>>>  <param name="tls-version" value="tlsv1.2"/>
>>>  <param name="tls-ciphers" value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>> 
>>> 
>>> Im getting:
>>> 
>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : AES256-GCM-SHA384
>>> 
>>> Not bad, but not ECDHE.
>>> 
>>> Compared to our web server:
>>> 
>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>> 
>>> 
>>> 
>>> 
>>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org <>>:
>>> tls-cipher param.
>>> 
>>> 
>>> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com <>> wrote:
>>> Hi guys!
>>> 
>>> Is there any parameter that can configure what ciphers are used on the WSS interface? 
>>> 
>>> Im am getting...
>>>  
>>> 
>>> WSS interface:
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : AES256-GCM-SHA384
>>> 
>>> 
>>> SIP interface, same channel:
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20150929/6a954503/attachment.html 


Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list