OpenSSL cipher usage

705 views
Skip to first unread message

Chuck Chaney

unread,
Jan 3, 2014, 3:51:47 PM1/3/14
to turn-server-project...@googlegroups.com
Hello,

I'm having a problem setting the ciphers to be used and admit that I am not too experienced in this area. I just checked using turnserver v3.2.1.0. Any attempt to use different ciphers seem to continue using the default  settings.

Configuring the cipher-list in the turnserver.conf and restarting, the log file shows the configured cipher string. When I run a test program (TestSSLServer.jar) against the turnserver listener the ciphers are not what I expected.

Default as in turnserver.conf:
#cipher-list="ALL:eNULL:aNULL:NULL"

My configuration attempt (Example):
cipher-list="ALL:!eNULL:!aNULL:!TLSv1.2"

TestSSLServer output:
Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_DES_CBC_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     DHE_RSA_WITH_DES_CBC_SHA
     DHE_RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     DHE_RSA_WITH_AES_256_CBC_SHA
     RSA_WITH_CAMELLIA_128_CBC_SHA
     DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
     RSA_WITH_CAMELLIA_256_CBC_SHA
     DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
     TLS_RSA_WITH_SEED_CBC_SHA
     TLS_DHE_RSA_WITH_SEED_CBC_SHA
     TLS_ECDHE_RSA_WITH_RC4_128_SHA
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  (TLSv1.0: idem)
  (TLSv1.1: idem)
  TLSv1.2
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_DES_CBC_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     DHE_RSA_WITH_DES_CBC_SHA
     DHE_RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     DHE_RSA_WITH_AES_256_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA256
     RSA_WITH_AES_256_CBC_SHA256
     RSA_WITH_CAMELLIA_128_CBC_SHA
     DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA256
     DHE_RSA_WITH_AES_256_CBC_SHA256
     RSA_WITH_CAMELLIA_256_CBC_SHA
     DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
     TLS_RSA_WITH_SEED_CBC_SHA
     TLS_DHE_RSA_WITH_SEED_CBC_SHA
     TLS_RSA_WITH_AES_128_GCM_SHA256
     TLS_RSA_WITH_AES_256_GCM_SHA384
     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
     TLS_ECDHE_RSA_WITH_RC4_128_SHA
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
----------------------
Server certificate(s):
  ...
----------------------
Minimal encryption strength:     medium encryption (56-bit)
Achievable encryption strength:  strong encryption (96-bit or more)
BEAST status: vulnerable
CRIME status: protected

Maybe someone can point me in the right direction as to my problem?

Thanks in advance
Chuck

Oleg Moskalenko

unread,
Jan 3, 2014, 6:00:22 PM1/3/14
to turn-server-project...@googlegroups.com
The TURN server just passes the cipher-list to the OpenSSL library. So it must follow the OpenSSL rules.

Brian Stadler

unread,
Jan 17, 2014, 9:30:24 PM1/17/14
to turn-server-project...@googlegroups.com
Is there anyway to disable certain SSL protocols within the turnserver?  We want to disable the SSLv3 protocol and leave TLSv1.x enabled.   We cant't pass the "!SSLv3" option in the cipher list command since openssl considers all ciphers for TLSv1 and SSLv3 to belong to the same group.  Hence, if we attempt to disable SSLv3 then TLSv1.0 is also disabled.


Apache has a similar setup where you can define the protocols and ciphers separately.

Example:
SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH


Brian

Oleg Moskalenko

unread,
Jan 17, 2014, 9:38:23 PM1/17/14
to Brian Stadler, turn-server-project...@googlegroups.com
File an issue in the project issues page, and we will add this feature to the next release.

Currently it is hardcoded that all protocols are enabled, you can only play with the cipher lists. That's not difficult to implement.

Oleg


--
You received this message because you are subscribed to the Google Groups "TURN Server project rfc5766-turn-server" group.
To unsubscribe from this group and stop receiving emails from it, send an email to turn-server-project-rfc57...@googlegroups.com.
To post to this group, send email to turn-server-project...@googlegroups.com.
Visit this group at http://groups.google.com/group/turn-server-project-rfc5766-turn-server.
For more options, visit https://groups.google.com/groups/opt_out.

Oleg Moskalenko

unread,
Jan 21, 2014, 6:59:49 AM1/21/14
to turn-server-project...@googlegroups.com
Brian, you can get the version 3.2.2.1, it has this feature.

Oleg
Reply all
Reply to author
Forward
0 new messages