[Freeswitch-users] WSS/Sip over Websocket - Any parameter that controls CHIPERS suites?

Michael Jerris mike at jerris.com
Mon Sep 28 23:16:33 MSD 2015


websocket proxy works with mod_verto fine.

> On Sep 27, 2015, at 8:56 AM, Victor Medina <victor.medina at cibersys.com> wrote:
> 
> Silly question....
> 
> Can I put Apache, doing websocket proxy in front of the WS-BINDIN (no tls) and let apache handle all tls; or is there some work involved in the Sip 2 Websocket that makes this not a recommended option?
> 
> 
> 
> 2015-09-25 14:45 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
> Thanks!
> 
> I'll get a coffee! =)
> 
> 2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com>:
> there was a fix for ec in wss at some point, I'd confirm this part isn't already fixed before you go too far
> 
> 
> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com> wrote:
> Um....
> 
> Thinking... 
> It's a Debian 8, updated,
> The fs is master, not the latest though... it is master from just about the time before 1.6 stable... so I probably should update...
> 
> Running sslscan on some machine:
> 
> 
> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep Acce
>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>       Authority Information Access: 
> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep Acce
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>       Authority Information Access: 
> 
> 
> Running the same test on a recent build of v1.6
> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit (git 6762f14 2015-09-03 20:36:52Z 64bit)
> 
> 
> 
> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
>     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>     Accepted  TLSv1  256 bits  AECDH-AES256-SHA
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  256 bits  CAMELLIA256-SHA
>     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>     Accepted  TLSv1  128 bits  AECDH-AES128-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  128 bits  SEED-SHA
>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>     Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
>     Accepted  TLSv1  128 bits  AECDH-RC4-SHA
>     Accepted  TLSv1  128 bits  RC4-SHA
>     Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
>     Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA
>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  128 bits  CAMELLIA128-SHA
>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
> 
> Why does it not accept any PFS/curve/ephemeral cipher on the WSS binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
> 
> 
> 
> 
> 
> 
> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
> Careful your distro may have disabled anything EC related.
> 
> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <victor.medina at cibersys.com> wrote:
> First of all, thank you and good morning!
> 
> 
> Although I'm using:
> 
>  <param name="tls-version" value="tlsv1.2"/>
>  <param name="tls-ciphers" value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
> 
> 
> I'm getting:
> 
> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : AES256-GCM-SHA384
> 
> Not bad, but not ECDHE.
> 
> Compared to our web server:
> 
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> 
> 
> 
> 
> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
> tls-cipher param.
> 
> 
> On Friday, September 25, 2015, Victor Medina <victor.medina at cibersys.com> wrote:
> Hi guys!
> 
> Is there any parameter that can configure what ciphers are used on the WSS interface? 
> 
> I am getting...
>  
> 
> WSS interface:
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : AES256-GCM-SHA384
> 
> 
> SIP interface, same channel:
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> 
> 
> 
> -- 
> Víctor E. Medina M.
> Platform Architect / Chief Infrastructure
> +58424 291 4561
> BB #79A8AFA2
> @VMCibersys
> 
> -- 
> Brian West
> brian at freeswitch.org
> 
> Twitter: @FreeSWITCH , @briankwest
> http://www.freeswitchbook.com
> http://www.freeswitchcookbook.com
> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit: /r/freeswitch <https://www.reddit.com/r/freeswitch>
> T:+19184209001 | F:+19184209002 | M:+1918424WEST (9378)
> iNUM:+883 5100 1420 9001 | ISN:410*543 | Skype:briankwest
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
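An added check, my own code rather than anything from the thread or the FreeSWITCH project, that parses sslscan output of the kind quoted above and reports per binding whether any forward-secrecy suite is offered and which anonymous, RC4 or 3DES suites remain; the embedded sample is a constructed subset of the 1.6 scan lines from the thread.

```python
import re

# Constructed sample (added here), taken from the 1.6 sslscan runs quoted in the thread.
SAMPLE = """\
root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep Acce
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AECDH-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep Acce
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
"""

PROMPT_RE = re.compile(r"sslscan\b.*\s([^\s:]+):(\d+)")
ACCEPT_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+) bits\s+(\S+)\s*$")

def parse_sslscan(text):
    """Group 'Accepted' lines under the port named in the preceding sslscan prompt."""
    ports, port = {}, None
    for line in text.splitlines():
        m = PROMPT_RE.search(line)
        if m:
            port = m.group(2)
            ports.setdefault(port, [])
        elif port is not None and (m := ACCEPT_RE.match(line)):
            ports[port].append((m.group(1), int(m.group(2)), m.group(3)))
    return ports

def classify(cipher):
    """Flag an OpenSSL suite name by key exchange and by legacy algorithms."""
    flags = set()
    if cipher.startswith(("ECDHE-", "DHE-", "EDH-")):
        flags.add("pfs")    # ephemeral (EC)DH: forward secrecy
    if cipher.startswith(("AECDH-", "ADH-")):
        flags.add("anon")   # aNULL: server is not authenticated
    for legacy in ("RC4", "DES-CBC3"):  # note: !DES does not drop 3DES
        if legacy in cipher:
            flags.add(legacy)
    return flags

def audit(text):
    """Per port: is any forward-secrecy suite offered, and which suites to drop."""
    report = {}
    for port, suites in parse_sslscan(text).items():
        flagged = {(c, f) for _, _, c in suites for f in classify(c)}
        report[port] = {"pfs": any(f == "pfs" for _, f in flagged)}
        for key in ("anon", "RC4", "DES-CBC3"):
            report[port][key] = sorted(c for c, f in flagged if f == key)
    return report
```

Run against the 7443 lines it shows the WSS binding offering no ECDHE suite at all, which is the gap the thread is chasing, while 5061 offers ECDHE but also an anonymous AECDH suite.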
