<div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace">Hi!<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">I&#39;m starting to feel like this...<br><br><a href="http://herbookthoughts.reads-it.com/wp-content/uploads/2014/06/d6a1143f571184db25f94613edd43b40af6d3a629221aba00d9efdcfef5efd84.jpg">http://herbookthoughts.reads-it.com/wp-content/uploads/2014/06/d6a1143f571184db25f94613edd43b40af6d3a629221aba00d9efdcfef5efd84.jpg</a> =)<br><br><br></div><div class="gmail_default" style="font-family:courier new,monospace">I tried a few things to get ECDH or a DH Kx working on the wss, but wasn&#39;t able to get it working; I&#39;m only getting RSA Kx. <br><br></div><div class="gmail_default" style="font-family:courier new,monospace">On ws.c I tried substituting the SSLv23_server_method() with the newer TLSv1_server_method() (less compatible, I know) but I always get the same ciphers and none of them is ECDH or DH.<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">I even tried disabling <br><br>SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv2);<br>SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv3);<br>SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_TLSv1);<br>SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_COMPRESSION);<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">and played with SSL_CTX_set_cipher_list(ws_globals.ssl_ctx, &quot;HIGH:!DSS:!aNULL@STRENGTH&quot;); to see if I could get a different set of ciphers (I tried: EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS &#39;cause it&#39;s what my webserver uses) but always got the same results: <br><br></div><div class="gmail_default" style="font-family:courier new,monospace">using SSLSCAN:  TLSv1  256 bits  AES256-SHA<br></div><div class="gmail_default" 
style="font-family:courier new,monospace">using openssl s_client/debian 8:     TLSv1.2 AES256-GCM-SHA384<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">My vars.xml looks like:<br><br>&lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;sip_tls_version=tlsv1,tlsv1.1,tlsv1.2&quot;/&gt;<br><br>&lt;X-PRE-PROCESS cmd=&quot;set&quot; data=&quot;sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH&quot;/&gt;<br><br></div><div class="gmail_default" style="font-family:courier new,monospace"><br><br></div><div class="gmail_default" style="font-family:courier new,monospace">Time for a Jira bug filing?<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">As usual, thanks for everything<br></div><div class="gmail_default" style="font-family:courier new,monospace"> <br></div><div class="gmail_default" style="font-family:courier new,monospace"><br></div><div class="gmail_default" style="font-family:courier new,monospace"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-09-29 10:20 GMT-04:30 Michael Jerris <span dir="ltr">&lt;<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">No, it&#39;s in the same file with ws.<div><div class="h5"><div><br><div><blockquote type="cite"><div>On Sep 29, 2015, at 10:16 AM, Victor Medina &lt;<a href="mailto:victor.medina@cibersys.com" target="_blank">victor.medina@cibersys.com</a>&gt; wrote:</div><br><div><div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace">Guys.<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">WSS is implemented on tport_tls.c, right?<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-09-28 17:59 GMT-04:30 Michael Jerris <span dir="ltr">&lt;<a href="mailto:mike@jerris.com" 
target="_blank">mike@jerris.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">If this is something that is broken or will soon be, it really needs to be filed in jira or no one will be looking at it.  If someone can work up a patch to fix this, that would be preferred.<div><div><div><br><div><blockquote type="cite"><div>On Sep 28, 2015, at 6:09 PM, Victor Medina &lt;<a href="mailto:victor.medina@cibersys.com" target="_blank">victor.medina@cibersys.com</a>&gt; wrote:</div><br><div><p dir="ltr">Michael.<br>
I&#39;m having a hard time trying to get the development team to use verto</p><p dir="ltr">They insist on using the whole SIP over WS approach since they have to support an iOS app built using Cordova and some libraries that use sipjs.</p><p dir="ltr">My other concern is that, AFAIK, browsers will require PFS for signalling soon</p><p dir="ltr">As always, thanks for the help and guidance!<br>
</p>
<div class="gmail_quote">On 28/09/2015 14:47, &quot;Michael Jerris&quot; &lt;<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">websocket proxy works with mod_verto fine.<div><br><div><blockquote type="cite"><div>On Sep 27, 2015, at 8:56 AM, Victor Medina &lt;<a href="mailto:victor.medina@cibersys.com" target="_blank">victor.medina@cibersys.com</a>&gt; wrote:</div><br><div><div dir="ltr" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Silly question....<br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Can I put Apache, doing websocket proxy, in front of the WS-BINDING (no tls) and let Apache handle all tls; or is there some work involved in the Sip 2 Websocket that makes this not a recommended option?<br><br><br></div></div><div class="gmail_extra" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br><div class="gmail_quote">2015-09-25 14:45 GMT-04:30 Victor Medina<span> </span><span dir="ltr">&lt;<a href="mailto:victor.medina@cibersys.com" target="_blank">victor.medina@cibersys.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Thanks!<br><br></div><div class="gmail_default" 
style="font-family:&#39;courier new&#39;,monospace">Ill get a coffe! =)<br></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2015-09-25 14:39 GMT-04:30 Michael Jerris<span> </span><span dir="ltr">&lt;<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">there was a fix for ec in wss at some point, I&#39;d confirm this part isn&#39;t already fixed before you go too far<div><div><span></span><br><br>On Friday, September 25, 2015, Victor Medina &lt;<a href="mailto:victor.medina@cibersys.com" target="_blank">victor.medina@cibersys.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Um....<br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Thinking...<span> </span><br>Its a Debian 8, updated,<span> </span><br>The fs is master, not the latest though... it is master from just about the time before 1.6 stable... 
so I probably should update...<br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Running sslscan on some machine:<br><br><br>root@vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce<br>   <span> </span>Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA<br>   <span> </span>Accepted  TLSv1  256 bits  AES256-SHA<br>   <span> </span>Accepted  TLSv1  256 bits  CAMELLIA256-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  AES128-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  CAMELLIA128-SHA<br>   <span> </span>Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA<br>   <span> </span>Accepted  TLSv1  112 bits  DES-CBC3-SHA<br>     <span> </span>Authority Information Access:<span> </span><br>root@vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce<br>   <span> </span>Accepted  TLSv1  256 bits  AES256-SHA<br>   <span> </span>Accepted  TLSv1  256 bits  CAMELLIA256-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  AES128-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  CAMELLIA128-SHA<br>   <span> </span>Accepted  TLSv1  112 bits  DES-CBC3-SHA<br>     <span> </span>Authority Information Access:<span> </span><br><br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Running the same test on a recent built of v1.6<span> </span><br>FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git 6762f14 2015-09-03 20:36:52Z 64bit)<br><br><br><br>root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce<br>   <span> </span>Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA<br>   <span> </span>Accepted  TLSv1  256 bits  AECDH-AES256-SHA<br>   <span> </span>Accepted  TLSv1  256 bits  AES256-SHA<br>   <span> </span>Accepted  TLSv1  256 bits  CAMELLIA256-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  AECDH-AES128-SHA<br>   <span> 
</span>Accepted  TLSv1  128 bits  AES128-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  SEED-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  CAMELLIA128-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  AECDH-RC4-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  RC4-SHA<br>   <span> </span>Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA<br>   <span> </span>Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA<br>   <span> </span>Accepted  TLSv1  112 bits  DES-CBC3-SHA<br>root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce<br>   <span> </span>Accepted  TLSv1  256 bits  AES256-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  AES128-SHA<br>   <span> </span>Accepted  TLSv1  128 bits  CAMELLIA128-SHA<br>   <span> </span>Accepted  TLSv1  112 bits  DES-CBC3-SHA<br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Why does it not accept any PFS/curve/ephemeral cipher on the WSS binding? 
Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?<br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace"><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace"><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace"><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace"><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-09-25 13:30 GMT-04:30 Brian West<span> </span><span dir="ltr">&lt;<a>brian@freeswitch.org</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Careful, your distro may have disabled anything EC related.</div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina<span> </span><span dir="ltr">&lt;<a>victor.medina@cibersys.com</a>&gt;</span><span> </span>wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">First of all, thank you and good morning!<br><br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Although I&#39;m using:<br><br> &lt;param name=&quot;tls-version&quot; value=&quot;tlsv1.2&quot;/&gt;<br> &lt;param name=&quot;tls-ciphers&quot; 
value=&quot;ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4&quot;/&gt;<br><br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Im getting:<br><br>New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384<br>Server public key is 2048 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<span><br>Expansion: NONE<br>SSL-Session:<br>   <span> </span>Protocol  : TLSv1.2<br></span>   <span> </span>Cipher    : AES256-GCM-SHA384<br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Not bad, but not ECDHE.<br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Compared to our web server:<br><br>New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384<br>Server public key is 2048 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<span><br>Expansion: NONE<br>SSL-Session:<br>   <span> </span>Protocol  : TLSv1.2<br>   <span> </span>Cipher    : ECDHE-RSA-AES256-GCM-SHA384<br><br></span></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace"><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>2015-09-25 9:29 GMT-04:30 Brian West<span> </span><span dir="ltr">&lt;<a>brian@freeswitch.org</a>&gt;</span>:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div>tls-cipher 
param.<div><div><br><br>On Friday, September 25, 2015, Victor Medina &lt;<a>victor.medina@cibersys.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Hi guys!<br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Is there any parameter that can configure what ciphers are used on the WSS interface?<span> </span><br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">Im am getting...<br> <br><br>WSS interface:<br>SSL-Session:<br>   <span> </span>Protocol  : TLSv1.2<br>   <span> </span>Cipher    : AES256-GCM-SHA384<br><br><br></div><div class="gmail_default" style="font-family:&#39;courier new&#39;,monospace">SIP interface, same channel:<br>Expansion: NONE<br>SSL-Session:<br>   <span> </span>Protocol  : TLSv1.2<br>   <span> </span>Cipher    : ECDHE-RSA-AES256-GCM-SHA384<br><br></div></div></blockquote></div></div></div></div></blockquote></div></div></blockquote></div></div></div></div></blockquote></div></div></blockquote></div></div></blockquote></div></div></div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div></div></blockquote></div></div></div></div></div></blockquote></div></div></div></blockquote></div><br></div></div></div></div><br>_________________________________________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font size="2"><span style="font-family:courier new,monospace"><br><img src="https://www.cibersys.com/img/logo-cibersys.png"><br><br>Víctor E. Medina M.<br></span></font><div><font size="2"><span style="font-family:courier new,monospace">Platform Architect / Chief Infrastructure<br></span></font></div><font size="2"><span style="font-family:courier new,monospace"><span style="display:inline"><span style="display:inline"><a>+58424 291 4561</a></span></span><br>BB #79A8AFA2<br>@VMCibersys<br></span></font></div><div dir="ltr"><font size="2"><span style="font-family:courier new,monospace"><br></span></font></div></div></div></div></div></div></div></div></div></div>
</div>
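Added example, not part of the thread or of FreeSWITCH: the sslscan comparison between the SIP/TLS port and the WSS port, automated. It groups each listener's accepted suites by key exchange using OpenSSL's pre-TLS 1.3 cipher-name prefixes (an assumption of this sketch; the function names are hypothetical) and reports listeners that accept no forward-secret suite or that accept anonymous AECDH/ADH suites, which are ephemeral but unauthenticated.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed from the sslscan runs quoted in this thread
# (FreeSWITCH 1.6 build; 5061 is SIP over TLS, 7443 is the WSS binding).
TRANSCRIPT = """\
root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AECDH-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
root@vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
"""

TARGET = re.compile(r"sslscan\b.*?\s(\S+:\d+)")
ACCEPTED = re.compile(r"^\s*Accepted\s+\S+\s+\d+ bits\s+(\S+)")

def key_exchange(cipher):
    """Classify an OpenSSL pre-TLS 1.3 cipher name (PSK/SRP not handled)."""
    name = cipher[4:] if cipher.startswith("EXP-") else cipher
    if name.startswith(("AECDH-", "ADH-")):
        return "anonymous"        # ephemeral, but the server is not authenticated
    if name.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "forward-secret"   # ephemeral (EC)DH signed by the server key
    if name.startswith(("ECDH-", "DH-")):
        return "static-dh"        # fixed (EC)DH key in the certificate
    return "static-rsa"           # no key-exchange prefix: RSA key transport

def audit(transcript):
    """Map each scanned host:port to {key-exchange class: [cipher, ...]}."""
    report, target = defaultdict(lambda: defaultdict(list)), None
    for line in transcript.splitlines():
        if m := TARGET.search(line):
            target = m.group(1)
        elif target and (m := ACCEPTED.match(line)):
            report[target][key_exchange(m.group(1))].append(m.group(1))
    return report

def findings(report):
    """One finding per listener lacking PFS or accepting anonymous suites."""
    out = []
    for target, classes in report.items():
        if not classes.get("forward-secret"):
            out.append(f"{target}: no forward-secret suite accepted")
        for cipher in classes.get("anonymous", []):
            out.append(f"{target}: accepts unauthenticated suite {cipher}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(audit(TRANSCRIPT))))
```

Feeding it the full pasted scan output instead of the trimmed sample gives the same per-port comparison the thread does by eye.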