[jitsi-dev] tls/ssl version and ciphers list


#1

Hello,

is there any way to know (or set) the ciphers list to be used by jitsi when connecting over tls?

I get the "no shared cipher" error when connecting to a server built with the latest libssl 1.0.0g:

SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Also, if I try to require TLSv1 (on the server side), the connection fails. Is there any way to configure the SSL protocol version in Jitsi?

Thanks,
Daniel


--
Daniel-Constantin Mierla -- http://www.asipto.com
http://linkedin.com/in/miconda -- http://twitter.com/miconda


#2

Hey

> is there any way to know (or set) the ciphers list to be used by jitsi
> when connecting over tls?

The list of ciphers is not (yet?) configurable. The active ciphers are
- TLS_RSA_WITH_AES_128_CBC_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_DH_anon_WITH_AES_128_CBC_SHA
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

These are set by the JAIN-SIP stack and there is a reference to RFC3261, so
I'm not sure if Jitsi is supposed to change them. I'll investigate that.

> I get the "no shared cipher" error when connecting to a server built with
> the latest libssl 1.0.0g:
>
> SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

> Also, if I try to require TLSv1 (on the server side), the connection fails.
> Is there any way to configure the SSL protocol version in Jitsi?

This is possible since nightly-build 3912: Tools -> Options -> Advanced ->
SIP -> Enabled SSL/TLS Protocols.
Possible options to enter there are SSLv3, TLSv1 and SSLv2Hello. Multiple
options can be specified by separating them with a comma. By default, the
default protocols of the JavaVM are used (all three for Java < 1.7 and
SSLv3, TLSv1 for Java >= 1.7).

> Thanks,
> Daniel

Regards,
Ingo


#3

Hey again

>> is there any way to know (or set) the ciphers list to be used by jitsi
>> when connecting over tls?

> The list of ciphers is not (yet?) configurable. The active ciphers are
> - TLS_RSA_WITH_AES_128_CBC_SHA
> - SSL_RSA_WITH_3DES_EDE_CBC_SHA
> - TLS_DH_anon_WITH_AES_128_CBC_SHA
> - SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
>
> These are set by the JAIN-SIP stack and there is a reference to RFC3261, so
> I'm not sure if Jitsi is supposed to change them. I'll investigate that.

I have to correct myself: The above list is only for Jitsi's Server-Sockets,
e.g. when a registrarless SIP account is using TLS. The list of ciphers
being used for client sockets really is Java's default:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

RFC3261 mandates the availability of TLS_RSA_WITH_AES_128_CBC_SHA on SIP
servers, which is among the above list. Therefore I currently don't see the
point of modifying the list of supported ciphers from within Jitsi.
If you have a cipher-suite mismatch, you should probably take a second look
at the configuration of your server and make sure that at least
TLS_RSA_WITH_AES_128_CBC_SHA is available.

>> I get the "no shared cipher" error when connecting to a server built with
>> the latest libssl 1.0.0g:
>>
>> SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>>
>> Also, if I try to require TLSv1 (on the server side), the connection fails.
>> Is there any way to configure the SSL protocol version in Jitsi?

> This is possible since nightly-build 3912: Tools -> Options -> Advanced ->
> SIP -> Enabled SSL/TLS Protocols.
> Possible options to enter there are SSLv3, TLSv1 and SSLv2Hello. Multiple
> options can be specified by separating them with a comma. By default, the
> default protocols of the JavaVM are used (all three for Java < 1.7 and
> SSLv3, TLSv1 for Java >= 1.7).

I simplified the UI to select the protocols, you can now just tick some
checkboxes (on the same configuration page).

>> Thanks,
>> Daniel

Regards,
Ingo
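As an added example (not code from the thread or from Jitsi itself), the Java program below lists the cipher suites and protocols the JVM offers by default for client sockets, which is the "Java's default" list Ingo refers to, and then parses a comma-separated protocol setting in the style of the "Enabled SSL/TLS Protocols" option and applies it to a client socket before the handshake. The class name, the parseProtocols/applyProtocols helpers and the configured string "TLSv1, SSLv3" are assumptions; a current JVM still reports those protocols as supported but disables them through jdk.tls.disabledAlgorithms, so a handshake restricted to them would fail at connect time.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.*;

public class TlsSettingsCheck {  // hypothetical class name

    // Prints what the JVM would offer in a ClientHello by default. Comparing
    // this list with the server's enabled suites explains a
    // "no shared cipher" failure without a packet capture.
    public static void printDefaults() throws Exception {
        SSLParameters p = SSLContext.getDefault().getDefaultSSLParameters();
        System.out.println("Default protocols: " + Arrays.toString(p.getProtocols()));
        System.out.println("Default cipher suites:");
        for (String cs : p.getCipherSuites()) System.out.println("  " + cs);
    }

    // Parses "TLSv1, SSLv3"-style input (hypothetical helper), keeping only
    // names the JVM supports, trimmed and de-duplicated, in the given order.
    public static String[] parseProtocols(String configured, String[] supported) {
        Set<String> sup = new HashSet<>(Arrays.asList(supported));
        List<String> out = new ArrayList<>();
        for (String tok : configured.split(",")) {
            String t = tok.trim();
            if (!t.isEmpty() && sup.contains(t) && !out.contains(t)) out.add(t);
        }
        return out.toArray(new String[0]);
    }

    // Restricts the socket to the configured protocols before the handshake;
    // an empty result would otherwise make setEnabledProtocols throw later.
    public static void applyProtocols(SSLSocket socket, String configured) {
        String[] chosen = parseProtocols(configured, socket.getSupportedProtocols());
        if (chosen.length == 0) {
            throw new IllegalArgumentException("no usable protocol in: " + configured);
        }
        socket.setEnabledProtocols(chosen);
    }

    public static void main(String[] args) throws Exception {
        printDefaults();
        // Unconnected socket: enough to inspect and set protocols offline.
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        applyProtocols(s, "TLSv1, SSLv3");  // constructed setting from the thread
        System.out.println("Enabled on socket: " + Arrays.toString(s.getEnabledProtocols()));
        s.close();
    }
}
```

Run it with the same JVM Jitsi uses; the anonymous DH and export suites in Ingo's lists provide no server authentication or only 40-bit keys, which is why a server built against a recent libssl may refuse all of them.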