[Freeswitch-users] WSS/Sip over Websocket - Any parameter that controls CHIPERS suites?

Victor Medina victor.medina at cibersys.com
Fri Sep 25 23:15:18 MSD 2015


Thanks!

I'll get a coffee! =)

2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com>:

> there was a fix for ec in wss at some point, I'd confirm this part isn't
> already fixed before you go too far
>
>
> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com>
> wrote:
>
>> Um....
>>
>> Thinking...
>> It's a Debian 8, updated,
>> The fs is master, not the latest though... it is master from just about
>> the time before 1.6 stable... so I probably should update...
>>
>> Running sslscan on some machine:
>>
>>
>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>     Accepted  TLSv1  256 bits  AES256-SHA
>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>     Accepted  TLSv1  128 bits  AES128-SHA
>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>       Authority Information Access:
>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>>     Accepted  TLSv1  256 bits  AES256-SHA
>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>     Accepted  TLSv1  128 bits  AES128-SHA
>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>       Authority Information Access:
>>
>>
>> Running the same test on a recent build of v1.6
>> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git
>> 6762f14 2015-09-03 20:36:52Z 64bit)
>>
>>
>>
>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
>>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>>     Accepted  TLSv1  256 bits  AECDH-AES256-SHA
>>     Accepted  TLSv1  256 bits  AES256-SHA
>>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>     Accepted  TLSv1  128 bits  AECDH-AES128-SHA
>>     Accepted  TLSv1  128 bits  AES128-SHA
>>     Accepted  TLSv1  128 bits  SEED-SHA
>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>     Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>>     Accepted  TLSv1  128 bits  AECDH-RC4-SHA
>>     Accepted  TLSv1  128 bits  RC4-SHA
>>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>>     Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA
>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
>>     Accepted  TLSv1  256 bits  AES256-SHA
>>     Accepted  TLSv1  128 bits  AES128-SHA
>>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>>
>> Why does it not accept any PFS/curve/ephemeral cipher on the WSS
>> binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>>
>>
>>
>>
>>
>>
>> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
>>
>>> Careful, your distro may have disabled anything EC-related.
>>>
>>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <
>>> victor.medina at cibersys.com> wrote:
>>>
>>>> First of all, thank you and good morning!
>>>>
>>>>
>>>> Although I'm using:
>>>>
>>>>  <param name="tls-version" value="tlsv1.2"/>
>>>>  <param name="tls-ciphers"
>>>> value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>>>
>>>>
>>>> I'm getting:
>>>>
>>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>>>> Server public key is 2048 bit
>>>> Secure Renegotiation IS supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1.2
>>>>     Cipher    : AES256-GCM-SHA384
>>>>
>>>> Not bad, but not ECDHE.
>>>>
>>>> Compared to our web server:
>>>>
>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>>>> Server public key is 2048 bit
>>>> Secure Renegotiation IS supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1.2
>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>>
>>>>
>>>>
>>>>
>>>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>
>>>>> tls-cipher param.
>>>>>
>>>>>
>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>> victor.medina at cibersys.com> wrote:
>>>>>
>>>>>> Hi guys!
>>>>>>
>>>>>> Is there any parameter that can configure what ciphers are used on
>>>>>> the WSS interface?
>>>>>>
>>>>>> I am getting...
>>>>>>
>>>>>>
>>>>>> WSS interface:
>>>>>> SSL-Session:
>>>>>>     Protocol  : TLSv1.2
>>>>>>     Cipher    : AES256-GCM-SHA384
>>>>>>
>>>>>>
>>>>>> SIP interface, same channel:
>>>>>> Expansion: NONE
>>>>>> SSL-Session:
>>>>>>     Protocol  : TLSv1.2
>>>>>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>>
>>>>>>
>>>>>> Víctor E. Medina M.
>>>>>> Platform Architect / Chief Infrastructure
>>>>>> +58424 291 4561
>>>>>> BB #79A8AFA2
>>>>>> @VMCibersys
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *Brian West*
>>>>> brian at freeswitch.org
>>>>>
>>>>>
>>>>> *Twitter: @FreeSWITCH , @briankwest*
>>>>> http://www.freeswitchbook.com
>>>>> http://www.freeswitchcookbook.com
>>>>>
>>>>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
>>>>> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>>>>
>>>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>>>
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://confluence.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>



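As an added example for this thread (not code from FreeSWITCH, sslscan or any of the participants): a small Python checker that reads the kind of `Accepted  TLSv1  256 bits  SUITE` lines sslscan prints and answers, per listener, the question raised above: does the listener offer any forward-secret (ECDHE/DHE) suite at all, does it accept anonymous (AECDH) or legacy (RC4, 3DES) suites, and which PFS suites named explicitly in the `tls-ciphers` value never show up in the scan. The sample scan output and the shortened cipher string are constructed, modelled on the 5061 and 7443 listings quoted in the thread; the `root@scanner` prompt is a placeholder.

```python
"""Check what a TLS listener actually negotiates, from sslscan output.

Added example for this thread; it is not FreeSWITCH, sslscan or any
participant's code. It parses the "Accepted  <proto>  <n> bits  <suite>"
lines sslscan prints and reports, per listener, whether any forward-secret
(ECDHE/DHE) suite is offered, which accepted suites are anonymous or legacy,
and which explicitly configured PFS suites the listener never offered.
"""
import re

# One sslscan result line, e.g. "    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA"
ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")

PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")   # ephemeral key exchange -> forward secrecy
ANON_PREFIXES = ("AECDH-", "ADH-")          # aNULL: no server authentication at all
LEGACY_TOKENS = ("RC4", "DES-CBC3", "SEED", "EXP-", "NULL")


def parse_sslscan(text):
    """Return [(protocol, bits, suite_name), ...] for every Accepted line."""
    suites = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            suites.append((m.group(1), int(m.group(2)), m.group(3)))
    return suites


def forward_secret(name):
    return name.startswith(PFS_PREFIXES)


def has_forward_secrecy(suites):
    return any(forward_secret(name) for _, _, name in suites)


def anonymous_suites(suites):
    return [name for _, _, name in suites if name.startswith(ANON_PREFIXES)]


def legacy_suites(suites):
    return [name for _, _, name in suites
            if any(tok in name for tok in LEGACY_TOKENS)]


def configured_pfs_missing(cipher_string, suites):
    """Explicit PFS suite names in an OpenSSL cipher string (the tls-ciphers
    value) that the listener did not offer. Keywords (HIGH, !aNULL, ...) are
    skipped. A non-empty result means the cipher list is not the limiting
    factor; the listener's TLS stack is not enabling those key exchanges."""
    offered = {name for _, _, name in suites}
    explicit = [c for c in cipher_string.split(":")
                if "-" in c and not c.startswith(("!", "+", "-"))]
    return [c for c in explicit if forward_secret(c) and c not in offered]


# Constructed sample scans, modelled on the 5061 (SIP/TLS) and 7443 (WSS)
# listings quoted in the thread; they are not the thread's literal output.
SIP_TLS_SCAN = """\
root@scanner:~# sslscan --tls1 10.0.1.180:5061 | grep Acce
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AECDH-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
"""
WSS_SCAN = """\
root@scanner:~# sslscan --tls1 10.0.1.180:7443 | grep Acce
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
"""
# Constructed, shortened cipher string in the style of the tls-ciphers param.
CONFIGURED = "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:HIGH:!aNULL:!RC4"


def summarize(label, scan_text, cipher_string):
    """Print the verdict for one listener and return it as a dict."""
    suites = parse_sslscan(scan_text)
    verdict = {
        "suites": len(suites),
        "forward_secrecy": has_forward_secrecy(suites),
        "anonymous": anonymous_suites(suites),
        "legacy": legacy_suites(suites),
        "configured_pfs_missing": configured_pfs_missing(cipher_string, suites),
    }
    print(f"{label}:")
    for key, value in verdict.items():
        print(f"  {key:<22} {value}")
    return verdict


if __name__ == "__main__":
    summarize("SIP/TLS 5061", SIP_TLS_SCAN, CONFIGURED)
    summarize("WSS 7443", WSS_SCAN, CONFIGURED)
```

Run against real output by piping `sslscan --tls1 host:port` into a file and passing its text to `summarize`. The useful signal is the last line of each verdict: when `configured_pfs_missing` is non-empty for one listener but empty for another using the same `tls-ciphers` value, the cipher list is already right and the difference lives in how that listener's socket sets up TLS (for instance EC support not being enabled there), which is the direction the thread points to for the WSS binding.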