[OpenSIPS-Users] Include ECDHE cipher suites in TLS

Ali Alawi goatolina at gmail.com
Sat Jan 25 17:06:37 EST 2020


Hi Callum,

Currently I am sticking with PEM certificates because my configuration is for
testing only (not production). One last thing to check with you: I am
unable to use the 1_2 version in my opensips. Actually, opensips restarted
without error, but I am unable to perform the handshake.

Regards,

On Thu, Jan 23, 2020 at 11:15 AM Callum Guy <callum.guy at x-on.co.uk> wrote:

> Hi Ali,
>
> Glad the suggestions were helpful.
>
> The certificate is just a regular SSL cert, in PEM format, just with a
> different file extension. Depending on your implementation you might want
> to look into publicly verifiable certificates (if you're public facing) -
> available for free if you want to check out a service like
> https://letsencrypt.org/.
>
> Callum
>
>
> On Wed, 22 Jan 2020 at 22:09, Ali Alawi <goatolina at gmail.com> wrote:
>
>> Dear Callum,
>> Thanks a lot. It helped me to establish a TLS connection with an ECDH suite,
>> but I used my own certificate.pem rather than the sip.crt you mentioned.
>> Actually, I couldn't figure out where I can get this kind of
>> .crt file.
>>
>> On Mon, Jan 20, 2020 at 11:49 AM Callum Guy <callum.guy at x-on.co.uk>
>> wrote:
>>
>>> Hi Ali,
>>>
>>> You'll need to set up your cipher list and DH file. You can generate a DH
>>> param file like this: *openssl dhparam -out dhparam.pem 4096*
>>>
>>> If you want to review locally available cipher suites you can run:
>>> *openssl ciphers -v*
>>>
>>> The OpenSIPS documentation clarifies the module configuration options;
>>> however, the following setup will provide a set of strong ciphers and maybe
>>> you can pick from this to add to your existing config to get things working.
>>>
>>> modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")
>>> modparam("tls_mgm", "ec_curve", "secp384r1")
>>> modparam("tls_mgm", "ciphers_list", "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
>>> modparam("tls_mgm", "verify_cert", "1")
>>> modparam("tls_mgm", "require_cert", "1")
>>> modparam("tls_mgm", "tls_method", "TLSv1_2")
>>> modparam("tls_mgm", "certificate", "/etc/pki/tls/certs/sip.crt")
>>> modparam("tls_mgm", "private_key", "/etc/pki/tls/private/sip.key")
>>> modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")
>>> modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")
>>>
>>> Good luck,
>>>
>>> Callum
>>>
>>> On Sat, 18 Jan 2020 at 20:32, Ali Alawi <goatolina at gmail.com> wrote:
>>>
>>>> Hello everyone.
>>>> I am trying to test TLS in OpenSIPS 2.4. The testing is going fine, but
>>>> it only supports certain cipher suite methods such as (
>>>>
>>>> AES256-GCM-SHA384,AES256-SHA256,AES256-SHA,CAMELLIA256-SHA,AES128-SHA,SEED-SHA,CAMELLIA128-SHA,RC4-SHA,DES-CBC3-SHA
>>>> )
>>>> For some reason, I need to use ECDHE cipher suites but it is
>>>> unsupported here.
>>>> How can I include ECDHE in my TLS test?
>>>> BTW, I am using OpenSSL 1.0.2g
>>>>
>>>> ALi
>
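
Added example, not part of the thread: a POSIX shell helper that reads `openssl ciphers -v` output and labels each suite by key exchange, so a cipher string such as the `ciphers_list` value quoted above can be checked for ECDHE/DHE-only suites before it goes into the config. The sample rows are constructed, and `classify_ciphers`, `count_class` and `tls12_only` are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify `openssl ciphers -v` rows by key exchange.

# Cipher string from the ciphers_list modparam quoted in the thread.
CIPHER_STRING='EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH'

# Constructed sample rows in the `openssl ciphers -v` column layout.
SAMPLE_ROWS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1'

# Read `openssl ciphers -v` rows on stdin; print "class protocol name" per suite.
#   ephemeral: Kx is exactly ECDH or DH (ECDHE/DHE, forward secrecy)
#   tls13:     TLS 1.3 suite (key exchange is negotiated separately, always ephemeral)
#   static:    anything else, e.g. Kx=RSA or fixed Kx=ECDH/RSA
classify_ciphers() {
    awk 'NF >= 3 {
        kx = $3
        sub(/^Kx=/, "", kx)
        sub(/\(.*$/, "", kx)    # drop a key-size suffix such as "(512)"
        if ($2 == "TLSv1.3") class = "tls13"
        else if (kx == "ECDH" || kx == "DH") class = "ephemeral"
        else class = "static"
        print class, $2, $1
    }'
}

# Count the rows of one class in classify_ciphers output read from stdin.
count_class() {
    awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# From classify_ciphers output: suites whose protocol column is TLSv1.2,
# i.e. suites that cannot be negotiated below TLS 1.2.
tls12_only() {
    awk '$2 == "TLSv1.2" { print $3 }'
}

# Report for the constructed sample.
printf '%s\n' "$SAMPLE_ROWS" | classify_ciphers

# Same report for the thread's cipher string against the locally installed OpenSSL.
if command -v openssl >/dev/null 2>&1; then
    openssl ciphers -v "$CIPHER_STRING" 2>/dev/null | classify_ciphers
fi
```

Any row labelled `static` in the second report means the cipher string still admits a suite without ephemeral key exchange on that OpenSSL build.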