[Freeswitch-users] WSS/Sip over Websocket - Any parameter that controls CHIPERS suites?
Victor Medina
victor.medina at cibersys.com
Tue Sep 29 21:40:21 MSD 2015
Hi!
Im starting to feel like this...
http://herbookthoughts.reads-it.com/wp-content/uploads/2014/06/d6a1143f571184db25f94613edd43b40af6d3a629221aba00d9efdcfef5efd84.jpg
=)
I tried a few things to get ECDH or a DH Kx working on the wss, but wasn't
able to get it working, Im only getting RSA Kx.
On ws.c I tried substituting the SSLv23_server_method() with the newer
TLSv1_server_method() (less compatible, I know) but I always get the same
ciphers and none of them is ECDH or DH.
I even tried disabling
SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv3);
SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_TLSv1);
SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_COMPRESSION);
and played with SSL_CTX_set_cipher_list(ws_globals.ssl_ctx,
"HIGH:!DSS:!aNULL at STRENGTH"); to see if I could get a different set of
ciphers(I tried: EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH
EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS 'cause its
what my webserver uses) but always got the same results:
using SSLSCAN: TLSv1 256 bits AES256-SHA
using openssl s_client/debian 8: TLSv1.2 AES256-GCM-SHA384
My vars.xml looks like:
404 <X-PRE-PROCESS cmd="set"
data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
416 <X-PRE-PROCESS cmd="set"
data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
Time for a Jira bug fill?
As usual thanks for everything
2015-09-29 10:20 GMT-04:30 Michael Jerris <mike at jerris.com>:
> No, its in the same file with ws.
>
> On Sep 29, 2015, at 10:16 AM, Victor Medina <victor.medina at cibersys.com>
> wrote:
>
> Guys.
>
> WSS is implemented on tport_tls.c right?
>
> 2015-09-28 17:59 GMT-04:30 Michael Jerris <mike at jerris.com>:
>
>> If this is something that is broken or will soon be, it really needs to
>> be filed in jira or no one will be looking at it. If someone can work up a
>> patch to fix this, that would be preferred.
>>
>> On Sep 28, 2015, at 6:09 PM, Victor Medina <victor.medina at cibersys.com>
>> wrote:
>>
>> Michael.
>> Im having a hard time trying to get development team to use verto
>>
>> They insist on using The whole sip over ws approach since they have to
>> Support a ios app built using cordova and Some libraries that uses sipjs.
>>
>> My other concerns is that afaik browser will requiere pfs for signalling
>> soon
>>
>> As always thanks for Help and guidance!
>> El 28/09/2015 14:47, "Michael Jerris" <mike at jerris.com> escribió:
>>
>>> websocket proxy works with mod_verto fine.
>>>
>>> On Sep 27, 2015, at 8:56 AM, Victor Medina <victor.medina at cibersys.com>
>>> wrote:
>>>
>>> Silly question....
>>>
>>> Can I put Apache, doing websocket proxy infront of the WS-BINDIN (no
>>> tls) and let apache handle all tls; or there is some work involved in the
>>> Sip 2 Websocket that makes this not a recomended option?
>>>
>>>
>>>
>>> 2015-09-25 14:45 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
>>>
>>>> Thanks!
>>>>
>>>> Ill get a coffe! =)
>>>>
>>>> 2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>>>
>>>>> there was a fix for ec in wss at some point, I'd confirm this part
>>>>> isn't already fixed before you go too far
>>>>>
>>>>>
>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>> victor.medina at cibersys.com> wrote:
>>>>>
>>>>>> Um....
>>>>>>
>>>>>> Thinking...
>>>>>> Its a Debian 8, updated,
>>>>>> The fs is master, not the latest though... it is master from just
>>>>>> about the time before 1.6 stable... so I probably should update...
>>>>>>
>>>>>> Running sslscan on some machine:
>>>>>>
>>>>>>
>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>>>>>> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
>>>>>> Accepted TLSv1 256 bits AES256-SHA
>>>>>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>>>>>> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
>>>>>> Accepted TLSv1 128 bits AES128-SHA
>>>>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>>>>> Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
>>>>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>>>>> Authority Information Access:
>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>>>>>> Accepted TLSv1 256 bits AES256-SHA
>>>>>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>>>>>> Accepted TLSv1 128 bits AES128-SHA
>>>>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>>>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>>>>> Authority Information Access:
>>>>>>
>>>>>>
>>>>>> Running the same test on a recent built of v1.6
>>>>>> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git
>>>>>> 6762f14 2015-09-03 20:36:52Z 64bit)
>>>>>>
>>>>>>
>>>>>>
>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep
>>>>>> Acce
>>>>>> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
>>>>>> Accepted TLSv1 256 bits AECDH-AES256-SHA
>>>>>> Accepted TLSv1 256 bits AES256-SHA
>>>>>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>>>>>> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
>>>>>> Accepted TLSv1 128 bits AECDH-AES128-SHA
>>>>>> Accepted TLSv1 128 bits AES128-SHA
>>>>>> Accepted TLSv1 128 bits SEED-SHA
>>>>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>>>>> Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
>>>>>> Accepted TLSv1 128 bits AECDH-RC4-SHA
>>>>>> Accepted TLSv1 128 bits RC4-SHA
>>>>>> Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
>>>>>> Accepted TLSv1 112 bits AECDH-DES-CBC3-SHA
>>>>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep
>>>>>> Acce
>>>>>> Accepted TLSv1 256 bits AES256-SHA
>>>>>> Accepted TLSv1 128 bits AES128-SHA
>>>>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>>>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>>>>>
>>>>>> Why it does not accept any PFS/curve/ephimereal cipher on the WSS
>>>>>> binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>>
>>>>>>> Careful your distro may have disabled anything EC related.
>>>>>>>
>>>>>>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <
>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>
>>>>>>>> First of all, thanks you and Good morning!.
>>>>>>>>
>>>>>>>>
>>>>>>>> Although I'm using:
>>>>>>>>
>>>>>>>> <param name="tls-version" value="tlsv1.2"/>
>>>>>>>> <param name="tls-ciphers"
>>>>>>>> value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>>>>>>>
>>>>>>>>
>>>>>>>> Im getting:
>>>>>>>>
>>>>>>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>>>>>>>> Server public key is 2048 bit
>>>>>>>> Secure Renegotiation IS supported
>>>>>>>> Compression: NONE
>>>>>>>> Expansion: NONE
>>>>>>>> SSL-Session:
>>>>>>>> Protocol : TLSv1.2
>>>>>>>> Cipher : AES256-GCM-SHA384
>>>>>>>>
>>>>>>>> Not bad, but not ECDHE.
>>>>>>>>
>>>>>>>> Compared to our web server:
>>>>>>>>
>>>>>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>> Server public key is 2048 bit
>>>>>>>> Secure Renegotiation IS supported
>>>>>>>> Compression: NONE
>>>>>>>> Expansion: NONE
>>>>>>>> SSL-Session:
>>>>>>>> Protocol : TLSv1.2
>>>>>>>> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>>>>
>>>>>>>>> tls-cipher param.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi guys!
>>>>>>>>>>
>>>>>>>>>> Is there any parameter that can configure what ciphers are used
>>>>>>>>>> on the WSS interface?
>>>>>>>>>>
>>>>>>>>>> Im am getting...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> WSS interface:
>>>>>>>>>> SSL-Session:
>>>>>>>>>> Protocol : TLSv1.2
>>>>>>>>>> Cipher : AES256-GCM-SHA384
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> SIP interface, same channel:
>>>>>>>>>> Expansion: NONE
>>>>>>>>>> SSL-Session:
>>>>>>>>>> Protocol : TLSv1.2
>>>>>>>>>> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>>>
>>>>>>>>>>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
--
Víctor E. Medina M.
Platform Architect / Chief Infrastructure
+58424 291 4561
BB #79A8AFA2
@VMCibersys
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20150929/de729882/attachment-0001.html
Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users
mailing list