[asterisk-bugs] [JIRA] (ASTERISK-27031) res_pjsip: Unable to configure TLSv1.2 on TLS transport
Alexander Traud (JIRA)
noreply at issues.asterisk.org
Tue Oct 27 12:05:16 CDT 2020
[ https://issues.asterisk.org/jira/browse/ASTERISK-27031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=252582#comment-252582 ]
Alexander Traud commented on ASTERISK-27031:
--------------------------------------------
[~tzafrir], I do not think the actual request was fixed. The reporter [~delvar] was looking for a way to raise the _minimum_ version from the system provided default {{method=sslv23}} to TLS 1.2 and newer. Now three years later with TLS 1.3, the issue reappeared in ASTERISK-29017…
> res_pjsip: Unable to configure TLSv1.2 on TLS transport
> -------------------------------------------------------
>
> Key: ASTERISK-27031
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27031
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_pjsip
> Affects Versions: 13.16.0
> Environment: Centos 7
> Reporter: delvar
>
> When setting up a transport i am unable to enforce TLS1.2, only TLS1.0.
> h3. My pjsip.conf
> {noformat}
> [transport-tls]
> type=transport
> protocol=tls
> bind=0.0.0.0:5061
> cert_file=/etc/asterisk/keys/cert.pem
> priv_key_file=/etc/asterisk/keys/privkey.pem
> method=tlsv1
> {noformat}
> h3. When testing tls1.2 with OpenSSL
> {noformat}
> openssl s_client -tls1_2 -host gw03.dev -port 5061
> CONNECTED(00000003)
> 140260503979936:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
> {noformat}
> When testing with OpenSSL and not using the -tls1_2 option it works as expected and the TLS handshake completes. (not shown here)
> h3. Asterisk Code
> https://github.com/asterisk/asterisk/blob/13.16/res/res_pjsip/config_transport.c we see the list of allowed values and the mapped PJSIP Methods on line 885+
> {noformat}
> if (ast_strlen_zero(var->value) || !strcasecmp(var->value, "default")) {
> state->tls.method = PJSIP_SSL_DEFAULT_METHOD;
> } else if (!strcasecmp(var->value, "unspecified")) {
> state->tls.method = PJSIP_SSL_UNSPECIFIED_METHOD;
> } else if (!strcasecmp(var->value, "tlsv1")) {
> state->tls.method = PJSIP_TLSV1_METHOD;
> } else if (!strcasecmp(var->value, "sslv2")) {
> state->tls.method = PJSIP_SSLV2_METHOD;
> } else if (!strcasecmp(var->value, "sslv3")) {
> state->tls.method = PJSIP_SSLV3_METHOD;
> } else if (!strcasecmp(var->value, "sslv23")) {
> state->tls.method = PJSIP_SSLV23_METHOD;
> } else {
> return -1;
> }
> {noformat}
> As you can see there is no mapping for PJSIP_TLSV1_2_METHOD,
>
> h3. PJSIP Code
> http://svn.pjsip.org/repos/pjproject/trunk/pjsip/src/pjsip/sip_transport_tls.c
> {noformat}
> switch(ssl_method) {
> case PJSIP_SSLV2_METHOD:
> out_proto = PJ_SSL_SOCK_PROTO_SSL2;
> break;
> case PJSIP_SSLV3_METHOD:
> out_proto = PJ_SSL_SOCK_PROTO_SSL3;
> break;
> case PJSIP_TLSV1_METHOD:
> out_proto = PJ_SSL_SOCK_PROTO_TLS1;
> break;
> case PJSIP_TLSV1_1_METHOD:
> out_proto = PJ_SSL_SOCK_PROTO_TLS1_1;
> break;
> case PJSIP_TLSV1_2_METHOD:
> out_proto = PJ_SSL_SOCK_PROTO_TLS1_2;
> break;
> case PJSIP_SSLV23_METHOD:
> out_proto = PJ_SSL_SOCK_PROTO_SSL23;
> break;
> default:
> out_proto = PJ_SSL_SOCK_PROTO_DEFAULT;
> break;
> }
> {noformat}
> h3. Critical
> This is critical as TLS 1 and 1.1 are vulnerable to a range of exploits and should not be used.
> https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list