[asterisk-bugs] [JIRA] (ASTERISK-27031) res_pjsip: Unable to configure TLSv1.2 on TLS transport

Alexander Traud (JIRA) noreply at issues.asterisk.org
Tue Oct 27 12:05:16 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-27031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=252582#comment-252582 ] 

Alexander Traud commented on ASTERISK-27031:
--------------------------------------------

[~tzafrir], I do not think the actual request was fixed. The reporter [~delvar] was looking for a way to raise the _minimum_ version from the system provided default {{method=sslv23}} to TLS 1.2 and newer. Now three years later with TLS 1.3, the issue reappeared in ASTERISK-29017…

> res_pjsip: Unable to configure TLSv1.2 on TLS transport
> -------------------------------------------------------
>
>                 Key: ASTERISK-27031
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27031
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip
>    Affects Versions: 13.16.0
>         Environment: Centos 7
>            Reporter: delvar
>
> When setting up a transport i am unable to enforce TLS1.2, only TLS1.0.
> h3. My pjsip.conf
> {noformat}
> [transport-tls]
> type=transport
> protocol=tls
> bind=0.0.0.0:5061
> cert_file=/etc/asterisk/keys/cert.pem
> priv_key_file=/etc/asterisk/keys/privkey.pem
> method=tlsv1
> {noformat}
> h3. When testing tls1.2 with OpenSSL 
> {noformat}
> openssl s_client -tls1_2 -host gw03.dev -port 5061
> CONNECTED(00000003)
> 140260503979936:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
> {noformat}
> When testing with OpenSSL and not using the -tls1_2 option it works as expected and the TLS handshake completes. (not shown here)
> h3. Asterisk Code
> https://github.com/asterisk/asterisk/blob/13.16/res/res_pjsip/config_transport.c we see the list of allowed values and the mapped PJSIP Methods on line 885+
> {noformat}
> 	if (ast_strlen_zero(var->value) || !strcasecmp(var->value, "default")) {
> 		state->tls.method = PJSIP_SSL_DEFAULT_METHOD;
> 	} else if (!strcasecmp(var->value, "unspecified")) {
> 		state->tls.method = PJSIP_SSL_UNSPECIFIED_METHOD;
> 	} else if (!strcasecmp(var->value, "tlsv1")) {
> 		state->tls.method = PJSIP_TLSV1_METHOD;
> 	} else if (!strcasecmp(var->value, "sslv2")) {
> 		state->tls.method = PJSIP_SSLV2_METHOD;
> 	} else if (!strcasecmp(var->value, "sslv3")) {
> 		state->tls.method = PJSIP_SSLV3_METHOD;
> 	} else if (!strcasecmp(var->value, "sslv23")) {
> 		state->tls.method = PJSIP_SSLV23_METHOD;
> 	} else {
> 		return -1;
> 	}
> {noformat}
> As you can see there is no mapping for PJSIP_TLSV1_2_METHOD, 
>  
> h3. PJSIP Code
> http://svn.pjsip.org/repos/pjproject/trunk/pjsip/src/pjsip/sip_transport_tls.c
> {noformat}
>    switch(ssl_method) {
>     case PJSIP_SSLV2_METHOD:
> 	out_proto = PJ_SSL_SOCK_PROTO_SSL2;
> 	break;
>     case PJSIP_SSLV3_METHOD:
> 	out_proto = PJ_SSL_SOCK_PROTO_SSL3;
> 	break;
>     case PJSIP_TLSV1_METHOD:
> 	out_proto = PJ_SSL_SOCK_PROTO_TLS1;
> 	break;
>     case PJSIP_TLSV1_1_METHOD:
> 	out_proto = PJ_SSL_SOCK_PROTO_TLS1_1;
> 	break;
>     case PJSIP_TLSV1_2_METHOD:
> 	out_proto = PJ_SSL_SOCK_PROTO_TLS1_2;
> 	break;
>     case PJSIP_SSLV23_METHOD:
> 	out_proto = PJ_SSL_SOCK_PROTO_SSL23;
> 	break;
>     default:
> 	out_proto = PJ_SSL_SOCK_PROTO_DEFAULT;
> 	break;
>     }   
> {noformat}
> h3. Critical
> This is critical as TLS 1 and 1.1 are vulnerable to a range of exploits and should not be used.
> https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list