Kamailio module tls
Notes on Kamailio's TLS module.
The TLS(Transport Layer Security) module in Kamailio enables secure communication between SIP clients and servers using the TLS protocol.
When configuring the TLS module in Kamailio, the user can specify which cipher suites may be used to secure the connection. A cipher suite is a fixed combination of algorithms for key exchange, authentication, bulk encryption and integrity protection that the two sides agree on during the TLS handshake.
Kamailio's TLS module does not implement these algorithms itself: it passes the configured cipher string to the underlying TLS library (OpenSSL), which interprets it using OpenSSL's cipher-list syntax. The cipher list determines which cipher suites Kamailio offers to connecting clients and, subject to the preference rules described below, in what order.
- Default Cipher List
- If no cipher list is configured, Kamailio's TLS module uses the default of the underlying TLS library (OpenSSL). That default is broad, favouring compatibility, and depends on the OpenSSL version and build (including any distribution-wide policy such as a system-level security level). Because it is not under Kamailio's control, a deployment that needs a known cipher set should always set the list explicitly in the Kamailio configuration file.
- Custom Cipher List
- The user can define a custom cipher list in the Kamailio configuration file by setting the tls module's 'cipher_list' parameter (the same key is used in a tls.cfg profile). Its value is an OpenSSL cipher string: one or more cipher suite names or aliases, conventionally separated by colons (OpenSSL also accepts spaces or commas).
modparam("tls", "cipher_list", "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256")
- In this example, the custom cipher list names exactly 3 cipher suites: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256; no other suite will be negotiated for TLS 1.2 and earlier. Two caveats apply. First, the order is only a preference: unless the TLS library is told to enforce server-side ordering, OpenSSL picks the first suite in the client's list that the server also allows, so ordering must not be relied on as a security control; restricting the set is what matters. Second, a suite's authentication algorithm must match the server certificate configured in the 'certificate' and 'private_key' parameters: ECDHE-ECDSA suites can only be negotiated with an ECDSA certificate, ECDHE-RSA suites only with an RSA certificate. With the list above and an RSA certificate, only ECDHE-RSA-AES256-GCM-SHA384 is usable, and a list containing only ECDSA suites would make every handshake fail.
- Restricting Cipher Suites
- Rather than naming every suite, the user can restrict the available cipher suites to a subset using OpenSSL aliases and exclusions. This is the usual way to enforce a minimum strength while staying compatible with a range of clients.
modparam("tls", "cipher_list", "HIGH:!aNULL:!MD5:!RC4")
- In this example, the cipher list restricts the available cipher suites to those OpenSSL classifies as high strength ('HIGH') and then excludes, with the '!' operator, suites that offer no authentication ('aNULL', which are open to man-in-the-middle attacks), suites using the MD5 hash, and suites using the RC4 stream cipher. Note that 'HIGH' still admits suites with static RSA key exchange (no forward secrecy) and CBC-mode suites; adding '!kRSA', or preferring an explicit list of ECDHE AEAD suites as in the previous example, closes those gaps. Also note that this string governs TLS 1.2 and earlier only: with OpenSSL 1.1.1 and later, TLS 1.3 cipher suites are kept in a separate list that the classic cipher string does not affect. Whatever string is chosen, verify the result rather than assuming it, since the expansion of an alias such as 'HIGH' changes between OpenSSL versions.
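Since Kamailio hands the cipher string to OpenSSL unchanged, the most reliable way to see what a given 'cipher_list' value enables is to ask OpenSSL. The following is an added example, not code from Kamailio or its TLS module: it uses Python's ssl module (also backed by OpenSSL) to expand the two cipher strings discussed above and audits the result for the weaknesses the page mentions (no authentication, MD5, RC4), for suites without forward secrecy, and for suites that cannot be used with the certificate type Kamailio serves. The function names and the constructed test data are this example's own; only the two cipher strings come from the page.

```python
"""Expand an OpenSSL cipher string the way the TLS library behind Kamailio
will, and audit what it enables.  Added example, not Kamailio's own code.
Kamailio passes the 'cipher_list' value straight to OpenSSL, so Python's
OpenSSL-backed ssl module shows the same expansion."""
import ssl

# The two cipher strings from this page.
EXPLICIT_LIST = ("ECDHE-ECDSA-AES256-GCM-SHA384:"
                 "ECDHE-RSA-AES256-GCM-SHA384:"
                 "ECDHE-ECDSA-AES128-GCM-SHA256")
RESTRICTED_LIST = "HIGH:!aNULL:!MD5:!RC4"


def expand_cipher_list(cipher_string):
    """Return the TLS 1.2-and-earlier suites OpenSSL selects for the string,
    in preference order, as the dicts SSLContext.get_ciphers() yields.
    TLS 1.3 suites are dropped: OpenSSL keeps them in a separate list that
    the classic cipher string does not control.  Raises ssl.SSLError when
    the string matches no suite at all (a misconfiguration Kamailio would
    also hit at startup)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suite_names(cipher_string):
    return [c["name"] for c in expand_cipher_list(cipher_string)]


def weak_suites(ciphers):
    """Names of suites using no authentication (aNULL), MD5 or RC4.
    Both the structured fields and the suite name are checked because the
    field values differ slightly between OpenSSL versions."""
    found = []
    for c in ciphers:
        name = c["name"]
        auth = (c.get("auth") or "").lower()        # e.g. 'auth-null'
        digest = (c.get("digest") or "").lower()    # e.g. 'md5'
        sym = (c.get("symmetric") or "").lower()    # e.g. 'rc4'
        desc = c.get("description") or ""           # e.g. '... Au=None ...'
        if (auth.endswith("null") or "Au=None" in desc
                or digest == "md5" or "MD5" in name
                or "rc4" in sym or "RC4" in name):
            found.append(name)
    return found


def non_forward_secret_suites(ciphers):
    """Suites whose key exchange is not ephemeral (EC)DH: a later leak of
    the server's private key decrypts recorded sessions.  'HIGH' still
    admits these unless the string also contains '!kRSA'."""
    return [c["name"] for c in ciphers
            if not (c["name"].startswith(("ECDHE-", "DHE-"))
                    or (c.get("kea") or "") in ("kx-ecdhe", "kx-dhe"))]


def suites_for_certificate(ciphers, key_type):
    """key_type is 'RSA' or 'ECDSA', matching the certificate Kamailio's
    'certificate' parameter points at.  Keeps only suites whose
    authentication algorithm that certificate can satisfy."""
    want = key_type.lower()
    keep = []
    for c in ciphers:
        auth = (c.get("auth") or "").lower()
        if auth:
            ok = auth.endswith(want)
        else:  # older ssl modules lack the field; fall back to the name
            ok = ("ECDSA" in c["name"]) == (want == "ecdsa")
        if ok:
            keep.append(c["name"])
    return keep


if __name__ == "__main__":
    for label, s in (("explicit", EXPLICIT_LIST), ("restricted", RESTRICTED_LIST)):
        ciphers = expand_cipher_list(s)
        print(f"{label}: {s}")
        print("  suites enabled:", len(ciphers), "first few:",
              [c["name"] for c in ciphers[:4]])
        print("  weak (aNULL/MD5/RC4):", weak_suites(ciphers))
        print("  no forward secrecy:", non_forward_secret_suites(ciphers))
        print("  usable with an RSA certificate:",
              suites_for_certificate(ciphers, "RSA"))
```

Run it against the exact string that goes into modparam before deploying: a typo in an alias, a list that leaves nothing usable for the configured certificate type, or a 'HIGH' that still includes static-RSA suites shows up here as a list rather than as failed SIP registrations on a production edge.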