[Freeswitch-users] WSS/Sip over Websocket - Any parameter that controls CHIPERS suites?
Victor Medina
victor.medina at cibersys.com
Wed Sep 30 20:31:50 MSD 2015
Im trying to get EC working on ws.c.
Im using init_ssl() to do it. Im correctly able to initialize the curve,
and pass it as parameter to SSL_CTX_set_options, it builds and run, but Im
not able to get it working I keep getting a no EC cipher.
Any idea? Suggestions?
94 void init_ssl(void) {
95 SSL_library_init();
96
97 EC_KEY *ecdh;
98 int nid;
99
100 OpenSSL_add_all_algorithms(); /* load & register cryptos */
101 SSL_load_error_strings(); /* load all error messages */
102
103 /* ws_globals.ssl_method = SSLv23_server_method(); */
104
105 ws_globals.ssl_method = TLSv1_server_method();
106
107 ws_globals.ssl_ctx = SSL_CTX_new(ws_globals.ssl_method); /*
create context */
108 assert(ws_globals.ssl_ctx);
109
110
111 /* SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv2); */
112 /* SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv3); */
113 SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_TLSv1);
114 SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_COMPRESSION);
115
116 if (!(nid = OBJ_sn2nid("prime256v1"))) {
117 tls_log_errors(1, "Couldn't find specified curve", 0);
118 errno = EIO;
119 return -1;
120 }
121
122 if (!(ecdh = EC_KEY_new_by_curve_name(nid))) {
123 tls_log_errors(1, "Couldn't create specified curve", 0);
124 errno = EIO;
125 return -1;
126 }
127
128 SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
129 SSL_CTX_set_tmp_ecdh(globals.ssl_ctx, ecdh);
130 EC_KEY_free(ecdh);
131
132 SSL_CTX_use_certificate_file(ws_globals.ssl_ctx, ws_globals.cert,
SSL_FILETYPE_PEM);
133 SSL_CTX_use_PrivateKey_file(ws_globals.ssl_ctx, ws_globals.key,
SSL_FILETYPE_PEM);
134
135
136 /* verify private key */
137 if ( !SSL_CTX_check_private_key(ws_globals.ssl_ctx) ) {
138 abort();
139 }
140 SSL_CTX_set_cipher_list(ws_globals.ssl_ctx,
"HIGH:!DSS:!aNULL at STRENGTH");
141
142 thread_setup();
143 }
2015-09-29 14:44 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
> Ill check it out! Thanks!
> El 29/09/2015 13:25, "Michael Jerris" <mike at jerris.com> escribió:
>
>> might need some more code to support the ecdh stuff like we had to for
>> dtls in this commit:
>>
>> 8e1b2eab7b162c02eb5fc8e4b30aab659a69e18f
>>
>> On Sep 29, 2015, at 1:45 PM, Victor Medina <victor.medina at cibersys.com>
>> wrote:
>>
>>
>> btw... I get this beautiful cipher on 5061:
>>
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>>
>>
>>
>> 2015-09-29 13:10 GMT-04:30 Victor Medina <victor.medina at cibersys.com>:
>>
>>> Hi!
>>>
>>> Im starting to feel like this...
>>>
>>>
>>> http://herbookthoughts.reads-it.com/wp-content/uploads/2014/06/d6a1143f571184db25f94613edd43b40af6d3a629221aba00d9efdcfef5efd84.jpg
>>> =)
>>>
>>>
>>> I tried a few things to get ECDH or a DH Kx working on the wss, but
>>> wasn't able to get it working, Im only getting RSA Kx.
>>>
>>> On ws.c I tried substituting the SSLv23_server_method() with the newer
>>> TLSv1_server_method() (less compatible, I know) but I always get the same
>>> ciphers and none of them is ECDH or DH.
>>>
>>> I even tried disabling
>>>
>>> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv2);
>>> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv3);
>>> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_TLSv1);
>>> SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_COMPRESSION);
>>>
>>> and played with SSL_CTX_set_cipher_list(ws_globals.ssl_ctx,
>>> "HIGH:!DSS:!aNULL at STRENGTH"); to see if I could get a different set of
>>> ciphers(I tried: EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
>>> EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH
>>> EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS 'cause its
>>> what my webserver uses) but always got the same results:
>>>
>>> using SSLSCAN: TLSv1 256 bits AES256-SHA
>>> using openssl s_client/debian 8: TLSv1.2 AES256-GCM-SHA384
>>>
>>> My vars.xml looks like:
>>>
>>> 404 <X-PRE-PROCESS cmd="set"
>>> data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
>>>
>>> 416 <X-PRE-PROCESS cmd="set"
>>> data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
>>>
>>>
>>>
>>> Time for a Jira bug fill?
>>>
>>> As usual thanks for everything
>>>
>>>
>>>
>>>
>>> 2015-09-29 10:20 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>>
>>>> No, its in the same file with ws.
>>>>
>>>> On Sep 29, 2015, at 10:16 AM, Victor Medina <victor.medina at cibersys.com>
>>>> wrote:
>>>>
>>>> Guys.
>>>>
>>>> WSS is implemented on tport_tls.c right?
>>>>
>>>> 2015-09-28 17:59 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>>>
>>>>> If this is something that is broken or will soon be, it really needs
>>>>> to be filed in jira or no one will be looking at it. If someone can work
>>>>> up a patch to fix this, that would be preferred.
>>>>>
>>>>> On Sep 28, 2015, at 6:09 PM, Victor Medina <victor.medina at cibersys.com>
>>>>> wrote:
>>>>>
>>>>> Michael.
>>>>> Im having a hard time trying to get development team to use verto
>>>>>
>>>>> They insist on using The whole sip over ws approach since they have to
>>>>> Support a ios app built using cordova and Some libraries that uses sipjs.
>>>>>
>>>>> My other concerns is that afaik browser will requiere pfs for
>>>>> signalling soon
>>>>>
>>>>> As always thanks for Help and guidance!
>>>>> El 28/09/2015 14:47, "Michael Jerris" <mike at jerris.com> escribió:
>>>>>
>>>>>> websocket proxy works with mod_verto fine.
>>>>>>
>>>>>> On Sep 27, 2015, at 8:56 AM, Victor Medina <
>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>
>>>>>> Silly question....
>>>>>>
>>>>>> Can I put Apache, doing websocket proxy infront of the WS-BINDIN (no
>>>>>> tls) and let apache handle all tls; or there is some work involved in the
>>>>>> Sip 2 Websocket that makes this not a recomended option?
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2015-09-25 14:45 GMT-04:30 Victor Medina <victor.medina at cibersys.com>
>>>>>> :
>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Ill get a coffe! =)
>>>>>>>
>>>>>>> 2015-09-25 14:39 GMT-04:30 Michael Jerris <mike at jerris.com>:
>>>>>>>
>>>>>>>> there was a fix for ec in wss at some point, I'd confirm this part
>>>>>>>> isn't already fixed before you go too far
>>>>>>>>
>>>>>>>>
>>>>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>>
>>>>>>>>> Um....
>>>>>>>>>
>>>>>>>>> Thinking...
>>>>>>>>> Its a Debian 8, updated,
>>>>>>>>> The fs is master, not the latest though... it is master from just
>>>>>>>>> about the time before 1.6 stable... so I probably should update...
>>>>>>>>>
>>>>>>>>> Running sslscan on some machine:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:5061|grep
>>>>>>>>> Acce
>>>>>>>>> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
>>>>>>>>> Accepted TLSv1 256 bits AES256-SHA
>>>>>>>>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>>>>>>>>> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
>>>>>>>>> Accepted TLSv1 128 bits AES128-SHA
>>>>>>>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>>>>>>>> Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
>>>>>>>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>>>>>>>> Authority Information Access:
>>>>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 xxxxxxx:12443|grep
>>>>>>>>> Acce
>>>>>>>>> Accepted TLSv1 256 bits AES256-SHA
>>>>>>>>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>>>>>>>>> Accepted TLSv1 128 bits AES128-SHA
>>>>>>>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>>>>>>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>>>>>>>> Authority Information Access:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Running the same test on a recent built of v1.6
>>>>>>>>> FreeSWITCH Version 1.6.0+git~20150903T203652Z~6762f14140~64bit
>>>>>>>>> (git 6762f14 2015-09-03 20:36:52Z 64bit)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:5061|grep
>>>>>>>>> Acce
>>>>>>>>> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
>>>>>>>>> Accepted TLSv1 256 bits AECDH-AES256-SHA
>>>>>>>>> Accepted TLSv1 256 bits AES256-SHA
>>>>>>>>> Accepted TLSv1 256 bits CAMELLIA256-SHA
>>>>>>>>> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
>>>>>>>>> Accepted TLSv1 128 bits AECDH-AES128-SHA
>>>>>>>>> Accepted TLSv1 128 bits AES128-SHA
>>>>>>>>> Accepted TLSv1 128 bits SEED-SHA
>>>>>>>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>>>>>>>> Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
>>>>>>>>> Accepted TLSv1 128 bits AECDH-RC4-SHA
>>>>>>>>> Accepted TLSv1 128 bits RC4-SHA
>>>>>>>>> Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
>>>>>>>>> Accepted TLSv1 112 bits AECDH-DES-CBC3-SHA
>>>>>>>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>>>>>>>> root at vm-laptop:/home/vmedina# sslscan --tls1 10.0.1.180:7443|grep
>>>>>>>>> Acce
>>>>>>>>> Accepted TLSv1 256 bits AES256-SHA
>>>>>>>>> Accepted TLSv1 128 bits AES128-SHA
>>>>>>>>> Accepted TLSv1 128 bits CAMELLIA128-SHA
>>>>>>>>> Accepted TLSv1 112 bits DES-CBC3-SHA
>>>>>>>>>
>>>>>>>>> Why it does not accept any PFS/curve/ephimereal cipher on the WSS
>>>>>>>>> binding? Like: ECDHE-RSA-AES256-SHA, AECDH-AES256-SHA, ECDHE-RSA-AES128-SHA?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-09-25 13:30 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>>>>>
>>>>>>>>>> Careful your distro may have disabled anything EC related.
>>>>>>>>>>
>>>>>>>>>> On Fri, Sep 25, 2015 at 9:18 AM, Victor Medina <
>>>>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> First of all, thanks you and Good morning!.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Although I'm using:
>>>>>>>>>>>
>>>>>>>>>>> <param name="tls-version" value="tlsv1.2"/>
>>>>>>>>>>> <param name="tls-ciphers"
>>>>>>>>>>> value="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"/>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Im getting:
>>>>>>>>>>>
>>>>>>>>>>> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
>>>>>>>>>>> Server public key is 2048 bit
>>>>>>>>>>> Secure Renegotiation IS supported
>>>>>>>>>>> Compression: NONE
>>>>>>>>>>> Expansion: NONE
>>>>>>>>>>> SSL-Session:
>>>>>>>>>>> Protocol : TLSv1.2
>>>>>>>>>>> Cipher : AES256-GCM-SHA384
>>>>>>>>>>>
>>>>>>>>>>> Not bad, but not ECDHE.
>>>>>>>>>>>
>>>>>>>>>>> Compared to our web server:
>>>>>>>>>>>
>>>>>>>>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>>>> Server public key is 2048 bit
>>>>>>>>>>> Secure Renegotiation IS supported
>>>>>>>>>>> Compression: NONE
>>>>>>>>>>> Expansion: NONE
>>>>>>>>>>> SSL-Session:
>>>>>>>>>>> Protocol : TLSv1.2
>>>>>>>>>>> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2015-09-25 9:29 GMT-04:30 Brian West <brian at freeswitch.org>:
>>>>>>>>>>>
>>>>>>>>>>>> tls-cipher param.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Friday, September 25, 2015, Victor Medina <
>>>>>>>>>>>> victor.medina at cibersys.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi guys!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Is there any parameter that can configure what ciphers are
>>>>>>>>>>>>> used on the WSS interface?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Im am getting...
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> WSS interface:
>>>>>>>>>>>>> SSL-Session:
>>>>>>>>>>>>> Protocol : TLSv1.2
>>>>>>>>>>>>> Cipher : AES256-GCM-SHA384
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> SIP interface, same channel:
>>>>>>>>>>>>> Expansion: NONE
>>>>>>>>>>>>> SSL-Session:
>>>>>>>>>>>>> Protocol : TLSv1.2
>>>>>>>>>>>>> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://confluence.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>>
>>> Víctor E. Medina M.
>>> Platform Architect / Chief Infrastructure
>>> +58424 291 4561
>>> BB #79A8AFA2
>>> @VMCibersys
>>>
>>>
>>
>>
>> --
>>
>>
>>
>> Víctor E. Medina M.
>> Platform Architect / Chief Infrastructure
>> +58424 291 4561
>> BB #79A8AFA2
>> @VMCibersys
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>>
--
Víctor E. Medina M.
Platform Architect / Chief Infrastructure
+58424 291 4561
BB #79A8AFA2
@VMCibersys
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20150930/48b3fdc1/attachment-0001.html
Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users
mailing list