[Freeswitch-users] WSS/Sip over Websocket - Any parameter that controls CHIPERS suites?

Victor Medina victor.medina at cibersys.com
Tue Sep 29 21:45:56 MSD 2015


btw... I get this beautiful cipher on 5061:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384



2015-09-29 13:10 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:

> Hi!
>
> Im starting to feel like this...
>
>
> http://herbookthoughts.reads-it.com/wp-content/uploads/2014/06/d6a1143f571184db25f94613edd43b40af6d3a629221aba00d9efdcfef5efd84.jpg
> =)
>
>
> I tried a few things to get ECDH or a DH Kx working on the wss, but wasn't
> able to get it working, Im only getting RSA Kx.
>
> On ws.c I tried substituting the SSLv23_server_method() with the newer
> TLSv1_server_method() (less compatible, I know) but I always get the same
> ciphers and none of them is ECDH or DH.
>
> I even tried disabling
>
> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv2);
> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv3);
> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_TLSv1);
> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_COMPRESSION);
>
> and played with SSL_CTX_set_cipher_list(ws_globals.ssl_ctx,
> "HIGH:!DSS:!aNULL at STRENGTH"); to see if I could get a different set of
> ciphers(I tried: EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
> EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH
> EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS 'cause its
> what my webserver uses) but always got the same results:
>
> using SSLSCAN:  TLSv1  256 bits  AES256-SHA
> using openssl s_client/debian 8:     TLSv1.2 AES256-GCM-SHA384
>
> My vars.xml looks like:
>
> 404   <X-PRE-PROCESS cmd="set"
> data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
>
> 416 <X-PRE-PROCESS cmd="set"
> data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
>
>
>
> Time for a Jira bug fill?
>
> As usual thanks for everything
>
>
>
>
> 2015-09-29 10:20 GMT-04:30 Michael Jerris <mike at jerris.com>:
>
>> No, its in the same file with ws.
>>
>> On Sep 29, 2015, at 10:16 AM, Victor Medina <victor.medina at cibersys.com>
>> wrote:
>>
>> Guys.
>>
>> WSS is implemented on tport_tls.c right?
>>
>> 2015-09-28 17:59 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>
>>> If this is something that is broken or will soon be, it really needs to
>>> be filed in jira or no one will be looking at it.  If someone can work up a
>>> patch to fix this, that would be preferred.
>>>
>>> On Sep 28, 2015, at 6:09 PM, Victor Medina <victor.medina at cibersys.com>
>>> wrote:
>>>
>>> Michael.
>>> Im having a hard time trying to get development team to use verto
>>>
>>> They insist on using The whole sip over ws approach since they have to
>>> Support a ios app built using cordova and Some libraries that uses sipjs.
>>>
>>> My other concerns is that afaik browser will requiere pfs for signalling
>>> soon
>>>
>>> As always thanks for Help and guidance!
>>> El 28/09/2015 14:47, "Michael Jerris" <mike at jerris.com> escribió:
>>>
>>>> websocket proxy works with mod_verto fine.
>>>>
>>>> On Sep 27, 2015, at 8:56 AM, Victor Medina <victor.medina at cibersys.com>
>>>> wrote:
>>>>
>>>> Silly question....
>>>>
>>>> Can I put Apache, doing websocket proxy infront of the WS-BINDIN (no
>>>> tls) and let apache handle all tls; or there is some work involved in the
>>>> Sip 2 Websocket that makes this not a recomended option?
>>>>
>>>>
>>>>
>>>> 2015-09-25 14:45 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
>>>>
>>>>> Thanks!
>>>>>
>>>>> Ill get a coffe! =)
>>>>>
>>>>> 2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>>>>
>>>>>> there was a fix for ec in wss at some point, I'd confirm this part
>>>>>> isn't already fixed before you go too far
>>>>>>
>>>>>>
>>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>
>>>>>>> Um....
>>>>>>>
>>>>>>> Thinking...
>>>>>>> Its a Debian 8, updated,
>>>>>>> The fs is master, not the latest though... it is master from just
>>>>>>> about the time before 1.6 stable... so I probably should update...
>>>>>>>
>>>>>>> Running sslscan on some machine:
>>>>>>>
>>>>>>>
>>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>>>>>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>>>>       Authority Information Access:
>>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>>>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>>>>       Authority Information Access:
>>>>>>>
>>>>>>>
>>>>>>> Running the same test on a recent built of v1.6
>>>>>>> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git
>>>>>>> 6762f14 2015-09-03 20:36:52Z 64bit)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep
>>>>>>> Acce
>>>>>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>>>>>     Accepted  TLSv1  256 bits  AECDH-AES256-SHA
>>>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>>>>     Accepted  TLSv1  128 bits  AECDH-AES128-SHA
>>>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>>>     Accepted  TLSv1  128 bits  SEED-SHA
>>>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>>>>>>>     Accepted  TLSv1  128 bits  AECDH-RC4-SHA
>>>>>>>     Accepted  TLSv1  128 bits  RC4-SHA
>>>>>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>>>>>     Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA
>>>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep
>>>>>>> Acce
>>>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>>>>
>>>>>>> Why it does not accept any PFS/curve/ephimereal cipher on the WSS
>>>>>>> binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>>>
>>>>>>>> Careful your distro may have disabled anything EC related.
>>>>>>>>
>>>>>>>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <
>>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>>
>>>>>>>>> First of all, thanks you and Good morning!.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Although I'm using:
>>>>>>>>>
>>>>>>>>>  <param name="tls-version" value="tlsv1.2"/>
>>>>>>>>>  <param name="tls-ciphers"
>>>>>>>>> value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Im getting:
>>>>>>>>>
>>>>>>>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>>>>>>>>> Server public key is 2048 bit
>>>>>>>>> Secure Renegotiation IS supported
>>>>>>>>> Compression: NONE
>>>>>>>>> Expansion: NONE
>>>>>>>>> SSL-Session:
>>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>>     Cipher    : AES256-GCM-SHA384
>>>>>>>>>
>>>>>>>>> Not bad, but not ECDHE.
>>>>>>>>>
>>>>>>>>> Compared to our web server:
>>>>>>>>>
>>>>>>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>> Server public key is 2048 bit
>>>>>>>>> Secure Renegotiation IS supported
>>>>>>>>> Compression: NONE
>>>>>>>>> Expansion: NONE
>>>>>>>>> SSL-Session:
>>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>>>>>
>>>>>>>>>> tls-cipher param.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi guys!
>>>>>>>>>>>
>>>>>>>>>>> Is there any parameter that can configure what ciphers are used
>>>>>>>>>>> on the WSS interface?
>>>>>>>>>>>
>>>>>>>>>>> Im am getting...
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> WSS interface:
>>>>>>>>>>> SSL-Session:
>>>>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>>>>     Cipher    : AES256-GCM-SHA384
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> SIP interface, same channel:
>>>>>>>>>>> Expansion: NONE
>>>>>>>>>>> SSL-Session:
>>>>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>>>>
>>>>>>>>>>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>
>
>
> --
>
>
>
> Víctor E. Medina M.
> Platform Architect / Chief Infrastructure
> +58424 291 4561
> BB #79A8AFA2
> @VMCibersys
>
>


-- 



Víctor E. Medina M.
Platform Architect / Chief Infrastructure
+58424 291 4561
BB #79A8AFA2
@VMCibersys
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20150929/13cb4c61/attachment-0001.html 


Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list