[OpenSIPS-Users] Include ECDHE cipher suites in TLS

Ali Alawi goatolina at gmail.com
Wed Jan 22 17:08:10 EST 2020


Dear Callum,
Thanks a lot. It helped me to establish a TLS connection with an ECDH suite, but
I used my own certificate.pem rather than the sip.crt you mentioned.
Actually, I couldn't figure out where I can get this kind of .crt
files.

On Mon, Jan 20, 2020 at 11:49 AM Callum Guy <callum.guy at x-on.co.uk> wrote:

> Hi Ali,
>
> You'll need to set up your cipher list and DH file. You can generate a DH
> param file like this: *openssl dhparam -out dhparam.pem 4096*
>
> If you want to review locally available cipher suites you can run:
> *openssl ciphers -v*
>
> The OpenSIPS documentation clarifies the module configuration options,
> however the following setup will provide a set of strong ciphers and maybe
> you can pick from this to add to your existing config to get things working.
>
> modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")
> modparam("tls_mgm", "ec_curve", "secp384r1")
> modparam("tls_mgm", "ciphers_list",
> "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
> modparam("tls_mgm", "verify_cert", "1")
> modparam("tls_mgm", "require_cert", "1")
> modparam("tls_mgm", "tls_method", "TLSv1_2")
> modparam("tls_mgm", "certificate", "/etc/pki/tls/certs/sip.crt")
> modparam("tls_mgm", "private_key", "/etc/pki/tls/private/sip.key")
> modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")
> modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")
>
> Good luck,
>
> Callum
>
> On Sat, 18 Jan 2020 at 20:32, Ali Alawi <goatolina at gmail.com> wrote:
>
>> Hello everyone.
>> I am trying to test TLS in OpenSIPS 2.4. The testing is going fine but it
>> only supports certain cipher suite methods such as (
>>
>> AES256-GCM-SHA384,AES256-SHA256,AES256-SHA,CAMELLIA256-SHA,AES128-SHA,SEED-SHA,CAMELLIA128-SHA,RC4-SHA,DES-CBC3-SHA
>> )
>> For some reason, I need to use ECDHE cipher suites but it is unsupported
>> here.
>> How can I include ECDHE in my TLS test?
>> BTW, I am using OpenSSL 1.0.2g
>>
>> ALi
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
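Added example, not part of the original thread and not OpenSIPS code: a small Python check that reads the tls_mgm modparam lines discussed above and reports cipher-string elements that name no ephemeral (EC)DHE key exchange, weak ciphers, and DHE or ECDHE entries without the dh_params or ec_curve setting the reply pairs them with. The function names, the weak-cipher list and the rule that a missing dh_params or ec_curve counts as a finding are assumptions of this example, modelled on the quoted configuration.

```python
import re

# modparam("tls_mgm", "<name>", "<value>"); \s* lets the value sit on the next line.
MODPARAM = re.compile(r'modparam\(\s*"tls_mgm"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')
ECDHE = {"EECDH", "ECDHE", "kEECDH", "kECDHE"}   # OpenSSL names for ephemeral ECDH
DHE = {"EDH", "DHE", "kEDH", "kDHE"}             # OpenSSL names for ephemeral DH
WEAK = ("RC4", "DES-CBC3", "3DES", "SEED")       # policy choice of this example
# Parameters copied from the reply above.
REPLY_CONFIG = '''
modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")
modparam("tls_mgm", "ec_curve", "secp384r1")
modparam("tls_mgm", "ciphers_list",
"EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
'''
# Constructed input: the suites listed in the question, written as a ciphers_list.
QUESTION_CONFIG = ('modparam("tls_mgm", "ciphers_list", "AES256-GCM-SHA384,'
                   'AES256-SHA256,AES256-SHA,CAMELLIA256-SHA,AES128-SHA,SEED-SHA,'
                   'CAMELLIA128-SHA,RC4-SHA,DES-CBC3-SHA")')


def classify(element):
    """Key exchange named by one cipher-string element: ecdhe, dhe or unspecified."""
    parts = set(re.split(r"[+-]", element.lstrip("+")))
    return "ecdhe" if parts & ECDHE else "dhe" if parts & DHE else "unspecified"


def audit(config_text):
    """Return findings for the tls_mgm cipher settings in an OpenSIPS config."""
    params = dict(MODPARAM.findall(config_text))
    # Cipher strings are split on ':', ',' or space; '!' and '-' mark exclusions.
    elements = [e for e in re.split(r"[:, ]+", params.get("ciphers_list", ""))
                if e and e[0] not in "!-"]
    findings = [] if elements else ["ciphers_list not set"]
    kinds = {e: classify(e) for e in elements}
    for e, kind in kinds.items():
        if kind == "unspecified":
            findings.append(f"{e}: no ephemeral key exchange named")
        if any(w in e for w in WEAK):
            findings.append(f"{e}: weak cipher")
    if "dhe" in kinds.values() and "dh_params" not in params:
        findings.append("DHE suites listed but dh_params missing")
    if "ecdhe" in kinds.values() and "ec_curve" not in params:
        findings.append("ECDHE suites listed but ec_curve missing")
    return findings


if __name__ == "__main__":
    for name, cfg in (("reply", REPLY_CONFIG), ("question", QUESTION_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Group aliases such as HIGH are reported as naming no ephemeral key exchange, because the check looks only at the text of each element and does not expand it against the local OpenSSL build.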