[Asterisk-code-review] sip.conf: tlsclientmethod is using sslv23 as default. (asterisk[14])

Anonymous Coward asteriskteam at digium.com
Fri Aug 19 14:20:36 CDT 2016


Anonymous Coward #1000019 has submitted this change and it was merged.

Change subject: sip.conf: tlsclientmethod is using sslv23 as default.
......................................................................


sip.conf: tlsclientmethod is using sslv23 as default.

When 'tlsclientmethod' is not specified in sip.conf, chan_sip uses the OpenSSL
SSLv23_method. This was documented incorrectly in the file sip.conf.sample.

SSLv23_method got its name in the 90s. Today, with OpenSSL 1.0.2, this method
enables (just) the secure TLSv1.0 and TLSv1.2. Or stated differently, that
function should have been called 'secure_method' or 'automatic_method' back in
the 90s.

Consequently please, specify 'tlsclientmethod=tlsv1' in your sip.conf only if
you face a server which has problems like not falling back to TLSv1.0
automatically.

ASTERISK-24425

Change-Id: I502ce6146b4504cadfd3973af8d6ec3994f54fa3
---
M configs/samples/sip.conf.sample
1 file changed, 10 insertions(+), 1 deletion(-)

Approvals:
  George Joseph: Looks good to me, but someone else must approve
  Joshua Colp: Looks good to me, approved; Verified



diff --git a/configs/samples/sip.conf.sample b/configs/samples/sip.conf.sample
index a7b74df..da176b4 100644
--- a/configs/samples/sip.conf.sample
+++ b/configs/samples/sip.conf.sample
@@ -611,7 +611,16 @@
 ;
 ;tlsclientmethod=tlsv1     ; values include tlsv1, sslv3, sslv2.
                            ; Specify protocol for outbound client connections.
-                           ; If left unspecified, the default is sslv2.
+                           ; If left unspecified, the default is the general-
+                           ; purpose version-flexible SSL/TLS method (sslv23).
+                           ; With that, the actual protocol version used will
+                           ; be negotiated to the highest version mutually
+                           ; supported by Asterisk and the remote server, i.e.
+                           ; TLSv1.2. The supported protocols are listed at
+                           ; http://www.openssl.org/docs/ssl/SSL_CTX_new.html
+                           ; SSLv2 and SSLv3 are disabled within Asterisk.
+                           ; Your distribution might have changed that list
+                           ; further.
 ;
 ;--------------------------- SIP timers ----------------------------------------------------
 ; These timers are used primarily in INVITE transactions.

-- 
To view, visit https://gerrit.asterisk.org/3637
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I502ce6146b4504cadfd3973af8d6ec3994f54fa3
Gerrit-PatchSet: 2
Gerrit-Project: asterisk
Gerrit-Branch: 14
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>



More information about the asterisk-code-review mailing list