[Freeswitch-users] WSS/Sip over Websocket - Any parameter that controls CIPHER suites?

Victor Medina victor.medina at cibersys.com
Tue Sep 29 23:14:51 MSD 2015


I'll check it out! Thanks!
On 29/09/2015 13:25, "Michael Jerris" <mike at jerris.com> wrote:

> might need some more code to support the ecdh stuff like we had to for
> dtls in this commit:
>
> 8e1b2eab7b162c02eb5fc8e4b30aab659a69e18f
>
> On Sep 29, 2015, at 1:45 PM, Victor Medina <victor.medina at cibersys.com>
> wrote:
>
>
> btw... I get this beautiful cipher on 5061:
>
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>
>
>
> 2015-09-29 13:10 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
>
>> Hi!
>>
>> I'm starting to feel like this...
>>
>>
>> http://herbookthoughts.reads-it.com/wp-content/uploads/2014/06/d6a1143f571184db25f94613edd43b40af6d3a629221aba00d9efdcfef5efd84.jpg
>>  =)
>>
>>
>> I tried a few things to get ECDH or a DH Kx working on the wss, but
>> wasn't able to get it working, I'm only getting RSA Kx.
>>
>> On ws.c I tried substituting the SSLv23_server_method() with the newer
>> TLSv1_server_method() (less compatible, I know) but I always get the same
>> ciphers and none of them is ECDH or DH.
>>
>> I even tried disabling
>>
>> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv2);
>> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv3);
>> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_TLSv1);
>> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_COMPRESSION);
>>
>> and played with SSL_CTX_set_cipher_list(ws_globals.ssl_ctx,
>> "HIGH:!DSS:!aNULL@STRENGTH"); to see if I could get a different set of
>> ciphers (I tried: EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
>> EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH
>> EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS 'cause it's
>> what my webserver uses) but always got the same results:
>>
>> using SSLSCAN:  TLSv1  256 bits  AES256-SHA
>> using openssl s_client/debian 8:     TLSv1.2 AES256-GCM-SHA384
>>
>> My vars.xml looks like:
>>
>> <X-PRE-PROCESS cmd="set" data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
>>
>> <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
>>
>>
>>
>> Time to file a Jira bug?
>>
>> As usual thanks for everything
>>
>>
>>
>>
>> 2015-09-29 10:20 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>
>>> No, it's in the same file with ws.
>>>
>>> On Sep 29, 2015, at 10:16 AM, Victor Medina <victor.medina at cibersys.com>
>>> wrote:
>>>
>>> Guys.
>>>
>>> WSS is implemented on tport_tls.c right?
>>>
>>> 2015-09-28 17:59 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>>
>>>> If this is something that is broken or will soon be, it really needs to
>>>> be filed in jira or no one will be looking at it.  If someone can work up a
>>>> patch to fix this, that would be preferred.
>>>>
>>>> On Sep 28, 2015, at 6:09 PM, Victor Medina <victor.medina at cibersys.com>
>>>> wrote:
>>>>
>>>> Michael.
>>>> I'm having a hard time trying to get the development team to use verto.
>>>>
>>>> They insist on using the whole SIP over WS approach since they have to
>>>> support an iOS app built using Cordova and some libraries that use sipjs.
>>>>
>>>> My other concern is that, afaik, browsers will require PFS for
>>>> signalling soon.
>>>>
>>>> As always, thanks for the help and guidance!
>>>> On 28/09/2015 14:47, "Michael Jerris" <mike at jerris.com> wrote:
>>>>
>>>>> websocket proxy works with mod_verto fine.
>>>>>
>>>>> On Sep 27, 2015, at 8:56 AM, Victor Medina <victor.medina at cibersys.com>
>>>>> wrote:
>>>>>
>>>>> Silly question....
>>>>>
>>>>> Can I put Apache, doing websocket proxy, in front of the WS-BINDING (no
>>>>> tls) and let Apache handle all tls; or is there some work involved in the
>>>>> Sip 2 Websocket that makes this not a recommended option?
>>>>>
>>>>>
>>>>>
>>>>> 2015-09-25 14:45 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> I'll get a coffee! =)
>>>>>>
>>>>>> 2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>>>>>
>>>>>>> there was a fix for ec in wss at some point, I'd confirm this part
>>>>>>> isn't already fixed before you go too far
>>>>>>>
>>>>>>>
>>>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>
>>>>>>>> Um....
>>>>>>>>
>>>>>>>> Thinking...
>>>>>>>> It's a Debian 8, updated,
>>>>>>>> The fs is master, not the latest though... it is master from just
>>>>>>>> about the time before 1.6 stable... so I probably should update...
>>>>>>>>
>>>>>>>> Running sslscan on some machine:
>>>>>>>>
>>>>>>>>
>>>>>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>>>>>>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>>>>>       Authority Information Access:
>>>>>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>>>>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>>>>>       Authority Information Access:
>>>>>>>>
>>>>>>>>
>>>>>>>> Running the same test on a recent build of v1.6
>>>>>>>> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git
>>>>>>>> 6762f14 2015-09-03 20:36:52Z 64bit)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
>>>>>>>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>>>>>>>     Accepted  TLSv1  256 bits  AECDH-AES256-SHA
>>>>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>>>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  AECDH-AES128-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  SEED-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  AECDH-RC4-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  RC4-SHA
>>>>>>>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>>>>>>>     Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA
>>>>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>>>>> root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
>>>>>>>>     Accepted  TLSv1  256 bits  AES256-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  AES128-SHA
>>>>>>>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>>>>>>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>>>>>>>
>>>>>>>> Why does it not accept any PFS/curve/ephemeral cipher on the WSS
>>>>>>>> binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>>>>
>>>>>>>>> Careful your distro may have disabled anything EC related.
>>>>>>>>>
>>>>>>>>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <
>>>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>>>
>>>>>>>>>> First of all, thank you and good morning!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Although I'm using:
>>>>>>>>>>
>>>>>>>>>>  <param name="tls-version" value="tlsv1.2"/>
>>>>>>>>>>  <param name="tls-ciphers"
>>>>>>>>>> value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I'm getting:
>>>>>>>>>>
>>>>>>>>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>>>>>>>>>> Server public key is 2048 bit
>>>>>>>>>> Secure Renegotiation IS supported
>>>>>>>>>> Compression: NONE
>>>>>>>>>> Expansion: NONE
>>>>>>>>>> SSL-Session:
>>>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>>>     Cipher    : AES256-GCM-SHA384
>>>>>>>>>>
>>>>>>>>>> Not bad, but not ECDHE.
>>>>>>>>>>
>>>>>>>>>> Compared to our web server:
>>>>>>>>>>
>>>>>>>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>>> Server public key is 2048 bit
>>>>>>>>>> Secure Renegotiation IS supported
>>>>>>>>>> Compression: NONE
>>>>>>>>>> Expansion: NONE
>>>>>>>>>> SSL-Session:
>>>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>>>>>>
>>>>>>>>>>> tls-cipher param.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi guys!
>>>>>>>>>>>>
>>>>>>>>>>>> Is there any parameter that can configure what ciphers are used
>>>>>>>>>>>> on the WSS interface?
>>>>>>>>>>>>
>>>>>>>>>>>> I am getting...
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> WSS interface:
>>>>>>>>>>>> SSL-Session:
>>>>>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>>>>>     Cipher    : AES256-GCM-SHA384
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> SIP interface, same channel:
>>>>>>>>>>>> Expansion: NONE
>>>>>>>>>>>> SSL-Session:
>>>>>>>>>>>>     Protocol  : TLSv1.2
>>>>>>>>>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://confluence.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>
>>
>>
>> --
>>
>>
>>
>> Víctor E. Medina M.
>> Platform Architect / Chief Infrastructure
>> +58424 291 4561
>> BB #79A8AFA2
>> @VMCibersys
>>
>>
>
>
>
>
>
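
An added example, not part of the thread and not FreeSWITCH code: a small Python check that classifies the `Accepted` lines of the sslscan output quoted above by key exchange and lists the forward-secret suites the SIP/TLS listener accepts but the WSS listener does not. The function names are made up for this example, and the prefix rule assumes OpenSSL-style suite names.

```python
import re

# Constructed sample: "Accepted" lines taken from the sslscan listings quoted
# in the thread (SIP/TLS on 5061, WSS on 7443), plus the stray grep hit seen there.
SIP_TLS_5061 = """\
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AECDH-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
"""
WSS_7443 = """\
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
      Authority Information Access:
"""

# No end anchor, so extra trailing columns on a line are tolerated.
ACCEPTED = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")

def key_exchange(cipher):
    """Classify an OpenSSL-style suite name by its key-exchange prefix."""
    if cipher.startswith(("AECDH-", "ADH-")):
        return "anonymous"   # ephemeral DH, but the server is not authenticated
    if cipher.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "ephemeral"   # authenticated ephemeral DH: forward secrecy
    # No (EC)DHE prefix; every such suite in the thread's listings uses RSA Kx.
    return "static"

def audit(scan_text):
    """Group the accepted suites in sslscan output by key-exchange class."""
    groups = {"ephemeral": [], "anonymous": [], "static": []}
    for line in scan_text.splitlines():
        m = ACCEPTED.match(line)
        if m:  # lines like "Authority Information Access:" are skipped
            groups[key_exchange(m.group(3))].append(m.group(3))
    return groups

def missing_pfs(reference, target):
    """Forward-secret suites the reference listener accepts but the target does not."""
    have = set(audit(target)["ephemeral"])
    return [c for c in audit(reference)["ephemeral"] if c not in have]

if __name__ == "__main__":
    print("WSS by key exchange:", audit(WSS_7443))
    print("Missing on WSS:", missing_pfs(SIP_TLS_5061, WSS_7443))
```
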