[Freeswitch-users] WSS/Sip over Websocket - Any parameter that controls CIPHER suites?

Michael Jerris mike at jerris.com
Fri Sep 25 23:09:39 MSD 2015


There was a fix for EC in WSS at some point; I'd confirm this part isn't
already fixed before you go too far.

On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com>
wrote:

> Um....
>
> Thinking...
> It's a Debian 8, updated.
> The fs is master, not the latest though... it is master from just about
> the time before 1.6 stable... so I probably should update...
>
> Running sslscan on some machine:
>
>
> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>       Authority Information Access:
> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>       Authority Information Access:
>
>
> Running the same test on a recent build of v1.6
> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git
> 6762f14 2015-09-03 20:36:52Z 64bit)
>
>
>
> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>     Accepted  TLSv1  256 bits  AECDH-AES256-SHA
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>     Accepted  TLSv1  128 bits  AECDH-AES128-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  128 bits  SEED-SHA
>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>     Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>     Accepted  TLSv1  128 bits  AECDH-RC4-SHA
>     Accepted  TLSv1  128 bits  RC4-SHA
>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>     Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA
>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>
> Why does it not accept any PFS/curve/ephemeral cipher on the WSS binding?
> Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>
> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
>
>> Careful your distro may have disabled anything EC related.
>>
>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <victor.medina at cibersys.com> wrote:
>>
>>> First of all, thank you and good morning!
>>>
>>>
>>> Although I'm using:
>>>
>>>  <param name="tls-version" value="tlsv1.2"/>
>>>  <param name="tls-ciphers"
>>> value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>>
>>>
>>> I'm getting:
>>>
>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : AES256-GCM-SHA384
>>>
>>> Not bad, but not ECDHE.
>>>
>>> Compared to our web server:
>>>
>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>
>>>
>>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>
>>>> tls-cipher param.
>>>>
>>>>
>>>> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com> wrote:
>>>>
>>>>> Hi guys!
>>>>>
>>>>> Is there any parameter that can configure what ciphers are used on the
>>>>> WSS interface?
>>>>>
>>>>> I am getting...
>>>>>
>>>>>
>>>>> WSS interface:
>>>>> SSL-Session:
>>>>>     Protocol  : TLSv1.2
>>>>>     Cipher    : AES256-GCM-SHA384
>>>>>
>>>>>
>>>>> SIP interface, same channel:
>>>>> Expansion: NONE
>>>>> SSL-Session:
>>>>>     Protocol  : TLSv1.2
>>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>
>>>>>
>>>>> Víctor E. Medina M.
>>>>> Platform Architect / Chief Infrastructure
>>>>> +58424 291 4561
>>>>> BB #79A8AFA2
>>>>> @VMCibersys
>>>>>
>>>>>
>>>>
>>>> --
>>>>
>>>> *Brian West*
>>>> brian at freeswitch.org
>>>>
>>>>
>>>> *Twitter: @FreeSWITCH , @briankwest*
>>>> http://www.freeswitchbook.com
>>>> http://www.freeswitchcookbook.com
>>>>
>>>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
>>>> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>>>
>>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://confluence.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>
>>
>
>
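
Added example, not part of the original thread: a small parser for the `sslscan ... | grep Acce` output quoted above that reports, per listener, which accepted suites give authenticated forward secrecy, which are anonymous (AECDH/ADH), and which rely on RC4 or DES/3DES. The sample lines are constructed in the same format, and the listener labels and function names are assumptions of this example.

```python
import re

# Constructed sample in the "Accepted" line format of the sslscan runs above.
SAMPLE = {
    "5061 (SIP/TLS)": """
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AECDH-AES256-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
      Authority Information Access:
""",
    "7443 (WSS)": """
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
""",
}

ACCEPTED = re.compile(r"^\s*Accepted\s+\S+\s+(\d+)\s+bits\s+(\S+)")

def audit(scan_text):
    """Sort accepted suites (OpenSSL names, TLS <= 1.2) into risk buckets."""
    report = {"forward_secret": [], "anonymous": [], "no_pfs": [], "weak": []}
    for line in scan_text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue  # skips prompts and stray grep hits such as "Access:"
        bits, name = int(m.group(1)), m.group(2)
        if name.startswith(("AECDH-", "ADH-")):
            report["anonymous"].append(name)   # ephemeral but unauthenticated
        elif name.startswith(("ECDHE-", "DHE-", "EDH-")):
            report["forward_secret"].append(name)
        else:
            report["no_pfs"].append(name)      # e.g. static RSA key exchange
        if "RC4" in name or "DES" in name or bits < 128:
            report["weak"].append(name)
    return report

def listeners_without_pfs(scans):
    """Names of listeners that accepted no authenticated ephemeral suite."""
    return [port for port, text in scans.items()
            if not audit(text)["forward_secret"]]

if __name__ == "__main__":
    for port, text in SAMPLE.items():
        r = audit(text)
        print(port, "PFS:", r["forward_secret"] or "none",
              "| anonymous:", r["anonymous"], "| weak:", r["weak"])
    print("No PFS on:", listeners_without_pfs(SAMPLE))
```
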