Description
Hello,
Is there any way to get TLSv1.3 only on Flexisip?
With tls-ciphers=TLSv1.3:!TLSv1.2:HIGH:!SSLv2:!SSLv3:!EXP:!ADH:!RC4:!3DES:!aNULL:!eNULL
it does not even start and crashes.
But openssl s_client -connect poc.mydomain.com:2222 -CAfile tls/fullchain_with_cert.pem
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = poc.mydomain.com
verify return:1
Certificate chain
0 s:CN = poc.mydomain.com
i:C = US, O = Let's Encrypt, CN = E6
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
v:NotBefore: Sep 9 10:48:06 2024 GMT; NotAfter: Dec 8 10:48:05 2024 GMT
1 s:C = US, O = Let's Encrypt, CN = E6
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
2 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 4 11:04:38 2015 GMT; NotAfter: Jun 4 11:04:38 2035 GMT
Server certificate
subject=CN = poc.mydomain.com
issuer=C = US, O = Let's Encrypt, CN = E6
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
SSL handshake has read 5103 bytes and written 402 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: F5749BF440B8ED789D401D6CDB0F8ADB17D8CA3B7F7E0869B4C4608621F27FB5
Session-ID-ctx:
Resumption PSK: 9E599DDD8462D92B998D16836A33731149C0CFEEA4D4E953DCCB9884166C4BD3C3DC87B2DD85982DC733BC59FB331368
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1725908579
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
read R BLOCK
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 4F9C0189E8C0EB95A873AB2D5EFC44D20D039865B9AE009AEB75ED8B025E148F
Session-ID-ctx:
Resumption PSK: 31747B6FEB754D2294192E86F4D5F04626A1FD17F684FD1B0607052DD1C327643472781BEB75C6BE6B597676FB540A9E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1725908579
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
read R BLOCK
I just want to use TLS v1.3 only.