[asterisk-bugs] [JIRA] (ASTERISK-29017) pjsip: As of 2.9 with newer OpenSSL "tlsv1" method is TLSv1.3 only

Joshua C. Colp (JIRA) noreply at issues.asterisk.org
Mon Aug 3 06:35:43 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=251583#comment-251583 ] 

Joshua C. Colp commented on ASTERISK-29017:
-------------------------------------------

This does not appear to be a recent change. It occurs going from Asterisk 16.4.0 to 16.5.0, which is when PJSIP was upgraded from 2.8 to 2.9. I think there is an interaction in PJSIP between the default "tlsv1" option and OpenSSL where it is becoming TLSv1.3 only. In fact, that version of PJSIP doesn't even have any knowledge of TLSv1.3 in itself.

> pjsip: As of 2.9 with newer OpenSSL "tlsv1" method is TLSv1.3 only
> ------------------------------------------------------------------
>
>                 Key: ASTERISK-29017
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29017
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 16.10.0, 16.12.0
>         Environment: Debian Unstable (sid)
>            Reporter: Bernhard Schmidt
>
> Originally reported to Debian in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966636 . 
> After upgrading from Asterisk 16.2.1 to Asterisk 16.10.0, the pjsip TLS listener only accepts TLSv1.3 connections in the default configuration (method= not set or set to "default").
> {noformat}
> [transport-tls]
> type=transport
> protocol=tls
> bind=0.0.0.0
> cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
> priv_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
> ;cipher=ADH-AES256-SHA,ADH-AES128-SHA
> ;method=tlsv1
> {noformat}
> {noformat}
> [Jul 31 21:48:23] WARNING[4288] pjproject:                         SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 127.0.0.1:49478 }}}
> {noformat}
> Workaround is setting
> {noformat}
> method=tlsv1_2
> {noformat}
> which appears to accept both TLSv1.2 and TLSv1.3 connections.
> I have quickly spun up a test package with Asterisk 16.12.0 which shows the same symptoms.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
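
To find which clients a listener in this state is turning away, the handshake warning quoted in the report can be parsed and its OpenSSL error code decoded. The following is an added example, not part of the original message or of Asterisk/PJSIP; it assumes the OpenSSL 1.1.x error-code layout, and all function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: OpenSSL 1.1.x packs an error as (lib << 24) | (func << 12) | reason.
ERR_LIB_SSL = 20                  # library number of "SSL routines"
SSL_R_UNSUPPORTED_PROTOCOL = 258  # reason code behind "unsupported protocol"

HANDSHAKE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+WARNING\[\d+\]\s+pjproject:\s+SSL\s+\S+\s+\(Handshake\):"
    r".*?err:\s+<(?P<code>\d+)>\s+<(?P<text>[^>]*)>"
    r".*?peer:\s+(?P<peer>\S+):(?P<port>\d+)"
)

# First line is the one quoted in the report; the others are constructed samples.
SAMPLE_LOG = [
    "[Jul 31 21:48:23] WARNING[4288] pjproject:                         SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 127.0.0.1:49478 }}}",
    "[Jul 31 21:49:02] WARNING[4288] pjproject:   SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 192.0.2.10:5061",
    "[Jul 31 21:49:40] WARNING[4288] pjproject:   SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 192.0.2.10:5063",
    "[Jul 31 21:50:11] WARNING[4288] pjproject:   SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337092801> <SSL routines-tls_post_process_client_hello-no shared cipher> len: 0 peer: 198.51.100.7:40000",
    "[Jul 31 21:50:12] NOTICE[4288] res_pjsip: unrelated constructed line",
]

def decode_err(code):
    """Split a packed OpenSSL 1.1.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_line(line):
    """Return the fields of a pjproject TLS handshake warning, or None."""
    m = HANDSHAKE_RE.search(line)
    if m is None:
        return None
    lib, func, reason = decode_err(int(m["code"]))
    return {
        "ts": m["ts"], "peer": m["peer"], "port": int(m["port"]),
        "lib": lib, "func": func, "reason": reason,
        # pjproject joins library, function and reason text with '-'
        "reason_text": m["text"].rsplit("-", 1)[-1],
    }

def rejected_peers(lines):
    """Count handshakes refused for protocol version, per peer address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["lib"], rec["reason"]) == (ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL):
            counts[rec["peer"]] += 1
    return dict(counts)

if __name__ == "__main__":
    print(rejected_peers(SAMPLE_LOG))
```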


