[asterisk-bugs] [JIRA] (ASTERISK-29017) pjsip enforces TLSv1.3 in default configuration
Bernhard Schmidt (JIRA)
noreply at issues.asterisk.org
Fri Jul 31 16:56:43 CDT 2020
Bernhard Schmidt created ASTERISK-29017:
-------------------------------------------
Summary: pjsip enforces TLSv1.3 in default configuration
Key: ASTERISK-29017
URL: https://issues.asterisk.org/jira/browse/ASTERISK-29017
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: pjproject/pjsip
Affects Versions: 16.12.0, 16.10.0
Environment: Debian Unstable (sid)
Reporter: Bernhard Schmidt
Severity: Critical
Originally reported to Debian in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966636 .
After upgrading from Asterisk 16.2.1 to Asterisk 16.10.0 the pjsip TLS listener only accepts TLSv1.3 connections in the default configuration (method= not set or set to "default").
{noformat}
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0
cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
priv_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
;cipher=ADH-AES256-SHA,ADH-AES128-SHA
;method=tlsv1
{noformat}
{noformat}
[Jul 31 21:48:23] WARNING[4288] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 127.0.0.1:49478 }}}
{noformat}
Workaround is setting
{noformat}
method=tlsv1_2
{noformat}
which appears to accept both TLSv1.2 and TLSv1.3 connections.
I have quickly spun up a test package with Asterisk 16.12.0 which shows the same symptoms.
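Added example, not part of the original report and not Asterisk or pjproject code: a log check that decodes the numeric OpenSSL error in the pjproject handshake warning quoted above and counts, per peer address, the clients rejected for an unsupported protocol version. It assumes the OpenSSL 1.1.x error-code layout; the function names are this example's own, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# OpenSSL 1.1.x packs an error as ERR_PACK(lib, func, reason):
# 8 bits library, 12 bits function, 12 bits reason. Assumption: the
# log comes from a 1.1.x build; OpenSSL 3.x uses a different layout.
ERR_LIB_SSL = 20
SSL_R_UNSUPPORTED_PROTOCOL = 258

# Matches the pjproject handshake warning format quoted in the report.
LINE_RE = re.compile(
    r"pjproject: SSL SSL_ERROR_SSL \(Handshake\):.*?"
    r"err: <(?P<code>\d+)> <(?P<text>[^>]*)>.*?"
    r"peer: (?P<ip>\S+):(?P<port>\d+)"
)

# First line is the one from the report; the others are constructed.
SAMPLE_LOG = [
    "[Jul 31 21:48:23] WARNING[4288] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 127.0.0.1:49478 }}}",
    "[Jul 31 21:49:02] WARNING[4288] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 192.0.2.10:5061",
    "[Jul 31 21:49:05] WARNING[4288] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336130315> <SSL routines-ssl3_get_record-wrong version number> len: 0 peer: 192.0.2.77:40112",
    "[Jul 31 21:49:09] WARNING[4288] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 192.0.2.10:5063",
    "[Jul 31 21:49:11] NOTICE[4301] example.c: unrelated constructed line",
]

def decode_openssl_err(code):
    """Split a packed OpenSSL 1.1.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def unsupported_protocol_peers(lines):
    """Count handshakes per peer IP that failed with 'unsupported protocol'."""
    peers = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pjproject TLS handshake warning
        lib, _func, reason = decode_openssl_err(int(m.group("code")))
        if lib == ERR_LIB_SSL and reason == SSL_R_UNSUPPORTED_PROTOCOL:
            peers[m.group("ip")] += 1
    return peers

if __name__ == "__main__":
    for ip, count in unsupported_protocol_peers(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} handshake(s) rejected, protocol version not accepted")
```

A sudden rise in these counts after an upgrade points at clients that cannot negotiate the protocol versions the transport now accepts.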