[OpenSIPS-Users] Include ECDHE cipher suites in TLS
Callum Guy
callum.guy at x-on.co.uk
Thu Jan 23 03:12:41 EST 2020
Hi Ali,
Glad the suggestions were helpful.
The certificate is just a regular SSL cert, in PEM format just with a
different file extension. Depending on your implementation you might want
to look into publicly verifiable certificates (if you're public facing) -
available for free if you want to check out a service like
https://letsencrypt.org/.
Callum
On Wed, 22 Jan 2020 at 22:09, Ali Alawi <goatolina at gmail.com> wrote:
> Dear Callum,
> Thanks a lot. It helped me to establish a TLS connection with an ECDH suite,
> but I used my own certificate.pem rather than the sip.crt you mentioned.
> Actually, I couldn't figure out where I can get this kind of
> .crt file.
>
> On Mon, Jan 20, 2020 at 11:49 AM Callum Guy <callum.guy at x-on.co.uk> wrote:
>
>> Hi Ali,
>>
>> You'll need to set up your cipher list and DH file. You can generate a DH
>> param file like this:
>>
>>     openssl dhparam -out dhparam.pem 4096
>>
>> If you want to review locally available cipher suites you can run:
>>
>>     openssl ciphers -v
>>
>> The OpenSIPS documentation clarifies the module configuration options;
>> however, the following setup will provide a set of strong ciphers, and maybe
>> you can pick from this to add to your existing config to get things working.
>>
>> modparam("tls_mgm", "dh_params", "/etc/pki/tls/certs/dhparam.pem")
>> modparam("tls_mgm", "ec_curve", "secp384r1")
>> modparam("tls_mgm", "ciphers_list", "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH")
>> modparam("tls_mgm", "verify_cert", "1")
>> modparam("tls_mgm", "require_cert", "1")
>> modparam("tls_mgm", "tls_method", "TLSv1_2")
>> modparam("tls_mgm", "certificate", "/etc/pki/tls/certs/sip.crt")
>> modparam("tls_mgm", "private_key", "/etc/pki/tls/private/sip.key")
>> modparam("tls_mgm", "ca_list", "/etc/pki/tls/certs/ca-bundle.crt")
>> modparam("tls_mgm", "ca_dir", "/etc/pki/tls/certs/")
>>
>> Good luck,
>>
>> Callum
>>
>> On Sat, 18 Jan 2020 at 20:32, Ali Alawi <goatolina at gmail.com> wrote:
>>
>>> Hello everyone.
>>> I am trying to test TLS in OpenSIPS 2.4. The testing is going fine, but
>>> it only supports certain cipher suite methods, such as:
>>>
>>> AES256-GCM-SHA384,AES256-SHA256,AES256-SHA,CAMELLIA256-SHA,AES128-SHA,SEED-SHA,CAMELLIA128-SHA,RC4-SHA,DES-CBC3-SHA
>>>
>>> For some reason, I need to use ECDHE cipher suites, but they are unsupported
>>> here.
>>> How can I include ECDHE in my TLS test?
>>> BTW, I am using OpenSSL 1.0.2g.
>>>
>>> ALi
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>
>>
>> *0333 332 0000 | www.x-on.co.uk <http://www.x-on.co.uk> | **
>> <https://www.linkedin.com/company/x-on> <https://www.facebook.com/XonTel>
>> <https://twitter.com/xonuk> *
>>
>> X-on is a trading name of Storacall Technology Ltd a limited company
>> registered in England and Wales.
>> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
>> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
>> The information in this e-mail is confidential and for use by the
>> addressee(s) only. If you are not the intended recipient, please notify
>> X-on immediately on +44(0)333 332 0000 and delete the
>> message from your computer. If you are not a named addressee you must not
>> use, disclose, disseminate, distribute, copy, print or reply to this email. Views
>> or opinions expressed by an individual
>> within this email may not necessarily reflect the views of X-on or its
>> associated companies. Although X-on routinely screens for viruses,
>> addressees should scan this email and any attachments
>> for viruses. X-on makes no representation or warranty as to the absence
>> of viruses in this email or any attachments.
>>
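Added example, not part of the original messages: a local check of which key exchanges the two cipher lists in this thread expand to, using Python's standard `ssl` module. The result reflects the OpenSSL build the interpreter is linked against, which may differ from the one OpenSIPS uses; the names `expand` and `audit` are illustrative.

```python
import ssl

# "ciphers_list" value from the tls_mgm configuration quoted in this thread.
SUGGESTED = "EECDH+AESGCM,EDH+AESGCM,AES256+EECDH,AES256+EDH"
# Suites the original question listed as the only ones supported.
REPORTED = ("AES256-GCM-SHA384,AES256-SHA256,AES256-SHA,CAMELLIA256-SHA,"
            "AES128-SHA,SEED-SHA,CAMELLIA128-SHA,RC4-SHA,DES-CBC3-SHA")

# Key-exchange labels OpenSSL reports for ephemeral (forward-secret) exchanges.
FORWARD_SECRET = {"kx-ecdhe", "kx-dhe"}


def expand(cipher_string):
    """Return [(suite_name, key_exchange)] for the TLS <= 1.2 suites that the
    local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Names the local build does not know are skipped silently;
    # ssl.SSLError is raised only if nothing at all matches.
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are not controlled by this string, so leave them out.
    return [(c["name"], c["kea"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Group the expanded suites by whether the key exchange is ephemeral."""
    suites = expand(cipher_string)
    return {
        "ecdhe": [n for n, kx in suites if kx == "kx-ecdhe"],
        "forward_secret": [n for n, kx in suites if kx in FORWARD_SECRET],
        "static": [n for n, kx in suites if kx not in FORWARD_SECRET],
    }


if __name__ == "__main__":
    for label, cipher_string in (("suggested", SUGGESTED),
                                 ("reported", REPORTED)):
        result = audit(cipher_string)
        print(f"{label}: {len(result['ecdhe'])} ECDHE, "
              f"{len(result['forward_secret'])} forward-secret, "
              f"{len(result['static'])} without forward secrecy")
        for name in result["static"]:
            print("  no forward secrecy:", name)
```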