[Freeswitch-users] Using Specific TLS Ciphers (1.10.7)

Michael Meehan mmeehan at djsequel.com
Thu Jul 14 19:08:53 UTC 2022


For everyone else’s benefit, this was sorted.  I’ve found that I needed something set in both vars.xml:

  <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=AES256-GCM-SHA384"/>

and the sip_profile I wanted to restrict the ciphers for:

    <param name="tls-ciphers" value="$${sip_tls_ciphers}"/>

Thanks

From: Michael Meehan <mmeehan at djsequel.com>
Date: Friday, June 24, 2022 at 9:09 AM
To: freeswitch-users at lists.freeswitch.org <freeswitch-users at lists.freeswitch.org>
Subject: Using Specific TLS Ciphers (1.10.7)
We’ve been trying to prevent using specific ciphers, mainly Diffie-Hellman.  According to the documentation I’ve seen and previous posts in this group, that should be accomplished by using something like this:

  <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256"/>

This doesn’t work.

This specific cipher is offered in the CLIENT HELLO and shown as also supported from the SERVER HELLO response amongst others, however, we continue to see DH as being agreed upon:

tport_tls.c:974 tls_connect() tls_connect(0x7ff738006e70): events CONNECTING
tport_tls.c:974 tls_connect() tls_connect(0x7ff738006e70): events NEGOTIATING
tport_tls.c:974 tls_connect() tls_connect(0x7ff738006e70): events NEGOTIATING
tport_tls.c:617 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (name): ECDHE-RSA-AES128-GCM-SHA256
tport_tls.c:619 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (version): TLSv1/SSLv3
tport_tls.c:622 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (bits/alg_bits): 128/128
tport_tls.c:625 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (description): ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD

Other attempts have been made using the following, which also doesn’t appear to function as expected.

  <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!DH:!ECDH:!LOW:!EXP:!MD5:@STRENGTH"/>

Any help is appreciated, thanks.

FreeSWITCH Version 1.10.7-release.13~64bit (-release.13 64bit)
CENTOS 7 3.10.0-1160.62.1.el7.x86_64
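The thread above shows a cipher restriction that looked configured but was not honoured until both settings were in place. As an added example (not from the thread and not FreeSWITCH code), the script below parses the tport_tls.c "TLS cipher chosen" log lines into per-connection cipher name and key-exchange, then reports any connection that negotiated something outside the configured allow list. The two 0x7ff738006e70 lines are taken from the thread; the 0xdeadbeef0001 connection id and its two lines are constructed.

```python
import re

# Log format emitted by sofia-sip's tport_tls.c, as quoted in the thread above.
_CIPHER_RE = re.compile(
    r"tls_post_connection_check\((?P<conn>0x[0-9a-f]+)\): "
    r"TLS cipher chosen \((?P<field>name|description)\): (?P<value>.+)$"
)

def parse_tls_log(lines):
    """Map each connection id to its negotiated cipher name and OpenSSL Kx token."""
    conns = {}
    for line in lines:
        m = _CIPHER_RE.search(line)
        if not m:
            continue
        entry = conns.setdefault(m["conn"], {})
        if m["field"] == "name":
            entry["name"] = m["value"].strip()
        else:
            kx = re.search(r"Kx=(\S+)", m["value"])  # e.g. "Kx=ECDH"
            entry["kx"] = kx.group(1) if kx else None
    return conns

def check_policy(conns, allowed_ciphers, forbidden_kx=("DH", "ECDH")):
    """Return one finding per connection whose cipher or key exchange breaks policy."""
    findings = []
    for conn, info in sorted(conns.items()):
        if info.get("name") not in allowed_ciphers:
            findings.append(f"{conn}: cipher {info.get('name')} not in allow list")
        if info.get("kx") in forbidden_kx:
            findings.append(f"{conn}: key exchange {info['kx']} excluded by policy")
    return findings

# The 0x7ff738006e70 lines are quoted from the thread; the 0xdeadbeef0001 lines are
# constructed to show what a connection honouring tls-ciphers=AES256-GCM-SHA384 logs.
SAMPLE_LOG = [
    "tport_tls.c:617 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (name): ECDHE-RSA-AES128-GCM-SHA256",
    "tport_tls.c:625 tls_post_connection_check() tls_post_connection_check(0x7ff738006e70): TLS cipher chosen (description): ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD",
    "tport_tls.c:617 tls_post_connection_check() tls_post_connection_check(0xdeadbeef0001): TLS cipher chosen (name): AES256-GCM-SHA384",
    "tport_tls.c:625 tls_post_connection_check() tls_post_connection_check(0xdeadbeef0001): TLS cipher chosen (description): AES256-GCM-SHA384 TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD",
]

if __name__ == "__main__":
    for finding in check_policy(parse_tls_log(SAMPLE_LOG), {"AES256-GCM-SHA384"}):
        print("VIOLATION", finding)
```

When the allow list is a cipher string rather than single names, `openssl ciphers -v '<string>'` on the FreeSWITCH host lists the suites it resolves to; note that `TLS_RSA_WITH_AES_128_CBC_SHA256` from the first attempt is the IANA name, which OpenSSL lists as `AES128-SHA256`.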
