[OpenSIPS-Users] Opensips 2.4.4 not supporting certain ciphers

Karumudi, Bhanu Bhanu.Karumudi at ipc.com
Thu Feb 9 14:30:23 UTC 2023 

https://github.com/OpenSIPS/opensips/issues/3006

Hi All,

            We are facing below basic issues and would like to hear if we are missing something very basic. Any help would be greatly appreciated.

                After updating the cipher list to a shorter list we are seeing "no shared cipher" error though actually there is a shared cipher.
                Would it be because those ciphers are not supported?

New list of ciphers used:
modparam("tls_mgm", "ciphers_list", "ECDHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384" )

Error log: Log:
2023-02-01T14:26:58.451-05:00 [local2] [err] bhanu-mm-168 /usr/sbin/opensipsInternal[22800]: ERROR:proto_tls:tls_accept: New TLS connection from 10.207.232.70:58312 failed to accept
2023-02-01T14:26:58.451-05:00 [local2] [err] bhanu-mm-168 /usr/sbin/opensipsInternal[22800]: ERROR:proto_tls:tls_print_errstack: TLS errstack: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2023-02-01T14:26:58.452-05:00 [local2] [err] bhanu-mm-168 /usr/sbin/opensipsInternal[22800]: ERROR:proto_tls:tls_read_req: failed to do pre-tls reading

            Attached pcaps with failed case.

            Working case cipher used:
            ECDHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES128-GCM-SHA256,AES128-GCM-SHA256,ECDHE-RSA-AES128-SHA256,AES128-SHA256,EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH,ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES128-SHA,DHE-RSA-AES256-SHA256,DHE-RSA-AES128-SHA256,DHE-RSA-AES256-SHA,DHE-RSA-AES128-SHA,!ECDHE-RSA-DES-CBC3-SHA,!EDH-RSA-DES-CBC3-SHA,AES256-GCM-SHA384,AES256-SHA256,AES256-SHA,AES128-SHA,!DES-CBC3-SHA,HIGH,!aNULL,!eNULL,!EXPORT,!DES,!MD5,!PSK,!RC4

                This Cipher(TLS_RSA_WITH_AES_128_GCM_SHA256) is selected for negotation.

            Attached pcaps with good case with large list of ciphers

            Does 2.4.4 supports a limited list of ciphers?


Regards,
Bhanu
____________________________________________________________
INFORMATION CLASSIFICATION: IPC CONFIDENTIAL

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20230209/4bd590d3/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Failed case with 4 ciphers.pcap
Type: application/octet-stream
Size: 246085 bytes
Desc: Failed case with 4 ciphers.pcap
URL: <http://lists.opensips.org/pipermail/users/attachments/20230209/4bd590d3/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Successful case with large cipher list.pcap
Type: application/octet-stream
Size: 2465971 bytes
Desc: Successful case with large cipher list.pcap
URL: <http://lists.opensips.org/pipermail/users/attachments/20230209/4bd590d3/attachment-0003.obj>

More information about the Users mailing list