[Freeswitch-users] WSS/SIP over WebSocket - Any parameter that controls CIPHER suites?

Michael Jerris mike at jerris.com
Tue Sep 29 21:55:50 MSD 2015


Might need some more code to support the ECDH stuff, like we had to for DTLS in this commit:

8e1b2eab7b162c02eb5fc8e4b30aab659a69e18f

On Sep 29, 2015, at 1:45 PM, Victor Medina <victor.medina at cibersys.com> wrote:
> 
> btw... I get this beautiful cipher on 5061:
> 
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> 
> 
> 
> 2015-09-29 13:10 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
> Hi!
> 
> I'm starting to feel like this...
> 
> http://herbookthoughts.reads-it.com/wp-content/uploads/2014/06/d6a1143f571184db25f94613edd43b40af6d3a629221aba00d9efdcfef5efd84.jpg =)
> 
> 
> I tried a few things to get ECDH or a DH Kx working on the wss, but wasn't able to get it working; I'm only getting RSA Kx.
> 
> On ws.c I tried substituting the SSLv23_server_method() with the newer TLSv1_server_method() (less compatible, I know) but I always get the same ciphers and none of them is ECDH or DH.
> 
> I even tried disabling 
> 
> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv2);
> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv3);
> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_TLSv1);
> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_COMPRESSION);
> 
> and played with SSL_CTX_set_cipher_list(ws_globals.ssl_ctx, "HIGH:!DSS:!aNULL@STRENGTH"); to see if I could get a different set of ciphers (I tried: EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS 'cause it's what my webserver uses) but always got the same results:
> 
> using SSLSCAN:  TLSv1  256 bits  AES256-SHA
> using openssl s_client/debian 8:     TLSv1.2 AES256-GCM-SHA384
> 
> My vars.xml looks like:
> 
> <X-PRE-PROCESS cmd="set" data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
> 
> <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
> 
> 
> 
> Time for a Jira bug file?
> 
> As usual thanks for everything
>  
> 
> 
> 
> 2015-09-29 10:20 GMT-04:30 Michael Jerris <mike at jerris.com>:
> No, it's in the same file with ws.
> 
>> On Sep 29, 2015, at 10:16 AM, Victor Medina <victor.medina at cibersys.com> wrote:
>> 
>> Guys.
>> 
>> WSS is implemented on tport_tls.c right?
>> 
>> 2015-09-28 17:59 GMT-04:30 Michael Jerris <mike at jerris.com>:
>> If this is something that is broken or will soon be, it really needs to be filed in jira or no one will be looking at it.  If someone can work up a patch to fix this, that would be preferred.
>> 
>>> On Sep 28, 2015, at 6:09 PM, Victor Medina <victor.medina at cibersys.com> wrote:
>>> 
>>> Michael.
>>> I'm having a hard time trying to get the development team to use verto.
>>> 
>>> They insist on using the whole SIP over WS approach since they have to support an iOS app built using Cordova and some libraries that use sipjs.
>>> 
>>> My other concern is that, AFAIK, browsers will require PFS for signalling soon.
>>> 
>>> As always, thanks for the help and guidance!
>>> 
>>> On 28/09/2015 14:47, "Michael Jerris" <mike at jerris.com> wrote:
>>> websocket proxy works with mod_verto fine.
>>> 
>>>> On Sep 27, 2015, at 8:56 AM, Victor Medina <victor.medina at cibersys.com> wrote:
>>>> 
>>>> Silly question....
>>>> 
>>>> Can I put Apache, doing websocket proxy, in front of the WS-BINDING (no tls) and let apache handle all tls; or is there some work involved in the Sip 2 Websocket that makes this not a recommended option?
>>>> 
>>>> 
>>>> 
>>>> 2015-09-25 14:45 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
>>>> Thanks!
>>>> 
>>>> I'll get a coffee! =)
>>>> 
>>>> 2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>>> there was a fix for ec in wss at some point, I'd confirm this part isn't already fixed before you go too far
>>>> 
>>>> 
>>>> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com> wrote:
>>>> Um....
>>>> 
>>>> Thinking... 
>>>> It's a Debian 8, updated, 
>>>> The fs is master, not the latest though... it is master from just about the time before 1.6 stable... so I probably should update...
>>>> 
>>>> Running sslscan on some machine:
>>>> 
>>>> 
>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>       Authority Information Access: 
>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>       Authority Information Access: 
>>>> 
>>>> 
>>>> Running the same test on a recent build of v1.6 
>>>> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git 6762f14 2015-09-03 20:36:52Z 64bit)
>>>> 
>>>> 
>>>> 
>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
>>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>>     Accepted  TLSv1  256 bits  AECDH-AES256-SHA
>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>     Accepted  TLSv1  128 bits  AECDH-AES128-SHA
>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>     Accepted  TLSv1  128 bits  SEED-SHA
>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>>>>     Accepted  TLSv1  128 bits  AECDH-RC4-SHA
>>>>     Accepted  TLSv1  128 bits  RC4-SHA
>>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>>     Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA
>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>> 
>>>> Why does it not accept any PFS/curve/ephemeral cipher on the WSS binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>> Careful your distro may have disabled anything EC related.
>>>> 
>>>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <victor.medina at cibersys.com> wrote:
>>>> First of all, thank you and good morning!
>>>> 
>>>> 
>>>> Although I'm using:
>>>> 
>>>>  <param name="tls-version" value="tlsv1.2"/>
>>>>  <param name="tls-ciphers" value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>>> 
>>>> 
>>>> I'm getting:
>>>> 
>>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>>>> Server public key is 2048 bit
>>>> Secure Renegotiation IS supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1.2
>>>>     Cipher    : AES256-GCM-SHA384
>>>> 
>>>> Not bad, but not ECDHE.
>>>> 
>>>> Compared to our web server:
>>>> 
>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>>>> Server public key is 2048 bit
>>>> Secure Renegotiation IS supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1.2
>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>> tls-cipher param.
>>>> 
>>>> 
>>>> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com> wrote:
>>>> Hi guys!
>>>> 
>>>> Is there any parameter that can configure what ciphers are used on the WSS interface? 
>>>> 
>>>> I am getting...
>>>>  
>>>> 
>>>> WSS interface:
>>>> SSL-Session:
>>>>     Protocol  : TLSv1.2
>>>>     Cipher    : AES256-GCM-SHA384
>>>> 
>>>> 
>>>> SIP interface, same channel:
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1.2
>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>> 
> 
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
> 
> 
> 
> -- 
> 
> 
> 
> Víctor E. Medina M.
> Platform Architect / Chief Infrastructure
> +58424 291 4561
> BB #79A8AFA2
> @VMCibersys

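The per-port sslscan comparison in the thread above can be scripted. This is an added example, not part of the original thread or of FreeSWITCH: it parses sslscan "Accepted" lines and groups the suites by key exchange, assuming non-export OpenSSL 1.0.x suite names; the function names are illustrative and the sample input is a subset of the output quoted in the thread.

```python
import re

# Sample input: a subset of the sslscan lines quoted in the thread
# (SIP/TLS listener on 5061 vs. WSS listener on 7443).
SIP_TLS = """\
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AECDH-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
"""
WSS = """\
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
      Authority Information Access:
"""

ACCEPTED = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")


def key_exchange(cipher):
    """Classify an OpenSSL 1.0.x suite name (assumed non-export) by key exchange."""
    if cipher.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "forward-secret"   # ephemeral (EC)DH with an authenticated server
    if cipher.startswith(("AECDH-", "ADH-")):
        return "anonymous"        # ephemeral but unauthenticated (aNULL)
    if cipher.startswith(("ECDH-", "DH-", "PSK-", "SRP-")):
        return "other"            # static (EC)DH, PSK or SRP key exchange
    return "static-rsa"           # no Kx prefix: RSA key transport, no PFS


def audit(sslscan_output):
    """Return {category: [cipher, ...]} built from every 'Accepted' line."""
    result = {}
    for line in sslscan_output.splitlines():
        m = ACCEPTED.match(line)
        if m:
            result.setdefault(key_exchange(m.group(3)), []).append(m.group(3))
    return result


def offers_pfs(sslscan_output):
    """True if at least one authenticated ephemeral suite was accepted."""
    return bool(audit(sslscan_output).get("forward-secret"))


if __name__ == "__main__":
    for name, out in (("sip-tls", SIP_TLS), ("wss", WSS)):
        print(name, "PFS" if offers_pfs(out) else "NO PFS", audit(out))
```

AECDH suites are reported separately because they are ephemeral but anonymous, so they should not count as evidence that a listener offers usable forward secrecy.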