Is there a recommended TLS Cipher?

Is there a recommended TLS Cipher? Or a “best cipher”? Or “optimal cipher”?
Thanks! 🙂

Funny you should ask. I’m running a SIP client using Let’s Encrypt certificates. They build 4 files: privkey.pem, chain.pem, fullchain.pem, and 1 named simply “cert.pem”. The Asterisk wiki is woefully inadequate about telling what files to use with Asterisk / pjsip. I figured out that “priv_key_file=” gets privkey.pem. But I find conflicting information about whether “cert_file” gets “fullchain.pem” or “chain.pem” or maybe “cert.pem”? The only 1 I’ve been able to make work is “fullchain.pem”. At any rate, the “cipher=” directive must be left out completely or TLS does not work! (The cipher list is too large to guess.) Anyone have any guidance?


That’s a moving target, depending on which ciphers are currently believed compromised, or to require too little time to break by brute force. It’s not something that is specific to Asterisk, and not something that I am up to date on, but you should look at the general computer security world, and moderate it by the intersection of the ciphers supported by the phones and by Asterisk.

It will depend on how much of the chain the client already knows. I can’t see why always giving full chain wouldn’t work.


So overly strong ciphers do not adversely affect Asterisk?
Am I understanding you correctly?
I am looking for Asterisk’s “optimal cipher suite”, from the Asterisk point of view.
I am not equating Optimal with Strongest.

Thanks again! 🙂

Asterisk doesn’t care. Things connecting to it may care, if they don’t support them, such as older SIP devices.

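The replies above suggest taking the intersection of the ciphers Asterisk and the phones support and dropping the ones considered broken. The sketch below is an added example, not part of the thread or of Asterisk: the phone cipher lists are constructed, the preference order (forward secrecy, then AEAD, then key size) is an assumption, and it assumes the transport's `cipher=` option accepts comma-separated OpenSSL cipher names.

```python
import re
import ssl

# Families widely treated as broken or too weak for new deployments.
WEAK = re.compile(r"(RC4|3DES|DES-CBC|MD5|NULL|EXP|anon|ADH|AECDH)", re.I)

def local_openssl_ciphers():
    """Cipher names offered by the OpenSSL build Python links against
    (assumption: the same library Asterisk uses on this host)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers()]

def score(name):
    """Lower sorts first: forward secrecy, then AEAD, then AES-256/ChaCha20."""
    fs = 0 if name.startswith(("ECDHE-", "DHE-")) else 1
    aead = 0 if ("GCM" in name or "CHACHA20" in name) else 1
    big = 0 if ("AES256" in name or "CHACHA20" in name) else 1
    return (fs, aead, big, name)

def cipher_line(server, *phones):
    """Return a 'cipher=' line every phone can negotiate, or None if the
    only overlap is weak ciphers (that phone needs replacing or updating)."""
    common = set(server)
    for phone in phones:
        common &= set(phone)
    usable = sorted((c for c in common if not WEAK.search(c)), key=score)
    return "cipher=" + ",".join(usable) if usable else None

# Constructed sample data: one server list and two phone models.
SERVER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
          "ECDHE-RSA-CHACHA20-POLY1305", "AES256-SHA", "AES128-SHA",
          "DES-CBC3-SHA"]
PHONE_NEW = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
             "AES256-SHA", "AES128-SHA"]
PHONE_OLD = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "AES128-SHA",
             "DES-CBC3-SHA", "RC4-MD5"]

if __name__ == "__main__":
    print(cipher_line(SERVER, PHONE_NEW, PHONE_OLD))
    # Same check against the ciphers this host's OpenSSL actually offers:
    print(cipher_line(local_openssl_ciphers(), PHONE_NEW))
```

A `None` result means the only ciphers a device shares with the server are in the weak set, which is the case the older-SIP-device reply warns about.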

Thank you. 🙂
