Open calvet27 opened 5 months ago
Hi,
Same problem here. I have a drachtio server running with TLS and want to configure the cipher suites offered by drachtio. Would be this possible?
I have tried a workaround by overriding the openssl configuration at OS level and I see my changes applied (bash: openssl ciphers) but looks like drachtio is using a different SSL implementation or at least ignoring this configuration and using its own ciphers.
The reason why I want to configure this is that I have pentested the connection with a security tool (https://github.com/drwetter/testssl.sh) and found the same issue reported by @calvet27
I also noticed this but it's not a vulnerability:
To illustrate the use case, we have solved similar issues with Asterisk and Kamailio through configuration parameters. As an example:
Asterisk SIP configuration (https://github.com/asterisk/asterisk/blob/18/configs/samples/sip.conf.sample)
Kamailio TLS configuration (https://kamailio.org/docs/modules/devel/modules/tls.html#tls.p.cipher_list):
Thanks in advance for any help or guidance on this.
Kind regards, Antonio.
@amateope
I think that Drachtio SIP server
uses OpenSSL
1.1.1n.
But it does not have CBC
as a cipher string.
According to my reseach, From OpenSSL
3.0, That versions have CBC
as a cipher string.
So that means, It's impossible to configure directly to disable CBC
.
As an alternative way,
We can modify sources of OpenSSL
1.1.1n to disable crypto suites using CBC
.
It needs changing the location for openssl.cnf
first, For example:
# ./Configure linux-x86_64 no-seed no-camellia --openssldir=/usr/lib/ssl
Find crypto suites using CBC manually, For example:
# grep -r TLS_RSA_WITH_AES_256_CBC_SHA
Check the state of the crypto suite in the files both include/openssl/tls1.h
and ssl/s3_lib.c
.
Set defined value to 0 to disable the crypto suite.
Repeat this setting for each crypto suite.
Compile OpenSSL and have some test with nmap
commands:
# nmap -p 5061 --script ssl-enum-ciphers localhost | grep CBC
The above alternative is somewhat inconvenient and does not facilitate version management. I need another simpler way
Hi,
I had a vulnerability test with OpenVAS on TLS connection. But I've got the message like below:
That means CBC(Cipher Block Chaining) mode is not blocked by Drachtio SIP Server. Is there any solution for this issue?