[asterisk-bugs] [JIRA] (ASTERISK-29017) pjsip: As of 2.9 with newer OpenSSL "tlsv1" method is TLSv1.3 only

Alexander Traud (JIRA) noreply at issues.asterisk.org
Tue Oct 6 04:10:36 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=252334#comment-252334 ] 

Alexander Traud commented on ASTERISK-29017:
--------------------------------------------

TLS 1.3 is allowed because PJSIP does not know about it and does not disable it.

Bernhard, you are referencing (and mentioning) a bug related to the latest Debian unstable. I tried to explain all this chaos a bit in [this community post|https://community.asterisk.org/t/85091/10]. Does that help? However, the referenced bug report states even {{method=sslv23}} does not help. Can you confirm that only {{method=tlsv1_2}} works and {{method=sslv23}} does not work? Then I will have a look at your scenario.

> pjsip: As of 2.9 with newer OpenSSL "tlsv1" method is TLSv1.3 only
> ------------------------------------------------------------------
>
>                 Key: ASTERISK-29017
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29017
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 16.10.0, 16.12.0
>         Environment: Debian Unstable (sid)
>            Reporter: Bernhard Schmidt
>
> Originally reported to Debian in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966636.
> After upgrading from Asterisk 16.2.1 to Asterisk 16.10.0, the pjsip TLS listener only accepts TLSv1.3 connections in the default configuration (method= not set or set to "default").
> {noformat}
> [transport-tls]
> type=transport
> protocol=tls
> bind=0.0.0.0
> cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
> priv_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
> ;cipher=ADH-AES256-SHA,ADH-AES128-SHA
> ;method=tlsv1
> {noformat}
> {noformat}
> [Jul 31 21:48:23] WARNING[4288] pjproject:                         SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 127.0.0.1:49478 }}}
> {noformat}
> Workaround is setting
> {noformat}
> method=tlsv1_2
> {noformat}
> which appears to accept both TLSv1.2 and TLSv1.3 connections.
> I have quickly spun up a test package with Asterisk 16.12.0 which shows the same symptoms.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
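
Added example (not part of the original message, and not Asterisk or PJSIP code): a log triage script for the handshake warning quoted in the report, which decodes the packed OpenSSL error number and counts, per peer, the handshakes rejected for an unsupported protocol version. It assumes the OpenSSL 1.1.x error-code layout with ERR_LIB_SSL = 20 and SSL_R_UNSUPPORTED_PROTOCOL = 258; the function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Layout of the pjproject handshake warning quoted in the report above.
LINE_RE = re.compile(
    r"WARNING\[\d+\] pjproject:\s+SSL (?P<kind>\w+) \((?P<stage>\w+)\): "
    r"Level: \d+ err: <(?P<code>\d+)> <(?P<text>[^>]*)> len: \d+ "
    r"peer: (?P<peer>[\d.]+):\d+"
)
ERR_LIB_SSL = 20                  # OpenSSL library number for "SSL routines"
SSL_R_UNSUPPORTED_PROTOCOL = 258  # reason code behind "unsupported protocol"

def unpack_err(code):
    """Split a packed error code (OpenSSL 1.1.x layout, assumed) into lib/func/reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse(line):
    """Return a dict for a handshake warning, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    lib, _func, reason = unpack_err(int(m["code"]))
    return {
        "peer": m["peer"],
        "reason": m["text"].split("-", 2)[-1],  # "<library>-<function>-<reason>"
        "version_mismatch": lib == ERR_LIB_SSL and reason == SSL_R_UNSUPPORTED_PROTOCOL,
    }

def version_mismatch_peers(lines):
    """Count, per peer, the handshakes rejected for an unsupported protocol version."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["version_mismatch"]:
            hits[rec["peer"]] += 1
    return hits

# First line is the one from the report; the rest are constructed for this example.
SAMPLE = [
    "[Jul 31 21:48:23] WARNING[4288] pjproject:                         SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 127.0.0.1:49478 }}}",
    "[Jul 31 21:50:01] WARNING[4288] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 192.0.2.10:50001",
    "[Jul 31 21:50:07] WARNING[4288] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 192.0.2.10:50002",
    "[Jul 31 21:51:12] WARNING[4288] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337092801> <SSL routines-tls_post_process_client_hello-no shared cipher> len: 0 peer: 192.0.2.20:50003",
    "[Jul 31 21:52:00] NOTICE[4288] res_pjsip: constructed line that is not a handshake warning",
]

if __name__ == "__main__":
    for peer, n in version_mismatch_peers(SAMPLE).most_common():
        print(f"{peer}: {n} handshake(s) rejected, unsupported protocol version")
```
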


