FreePBX Version
FreePBX 17
Issue Description
Settings > Asterisk SIP Settings > SIP Settings [chan_pjsip] > TLS/SSL/SRTP Settings > SSL Method

This setting is too strict. If I set it to tlsv1_1 then it will not be reachable on any more secure protocol like tlsv1_2 or tlsv1_3. I think it should be the minimum method.

BTW the default method is tlsv1 and I think it is no longer supported.

BTW2: this change needs an Asterisk restart but the GUI does not notify about it.
```
freepbx*CLI> pjsip show transport 0.0.0.0-tls

Transport:
Transport:  0.0.0.0-tls    tls    3    96    0.0.0.0:5061

 ParameterName                 : ParameterValue
 allow_reload                  : false
 allow_wildcard_certs          : No
 async_operations              : 1
 bind                          : 0.0.0.0:5061
 ca_list_file                  : /etc/ssl/certs/ca-certificates.crt
 ca_list_path                  :
 cert_file                     : /etc/asterisk/keys/pbx-fullchain.crt
 cipher                        :
 cos                           : 3
 domain                        :
 external_media_address        :
 external_signaling_address    :
 external_signaling_port       : 0
 local_net                     :
 method                        : tlsv1
 password                      :
 priv_key_file                 : /etc/asterisk/keys/pbx.key
 protocol                      : tls
 require_client_cert           : No
 symmetric_transport           : false
 tcp_keepalive_enable          : true
 tcp_keepalive_idle_time       : 30
 tcp_keepalive_interval_time   : 1
 tcp_keepalive_probe_count     : 5
 tos                           : 96
 verify_client                 : No
 verify_server                 : No
 websocket_write_timeout       : 100

freepbx*CLI>
Disconnected from Asterisk server
Asterisk cleanly ending (0).
Executing last minute cleanups

root@freepbx:~# openssl s_client -connect pbx.xxxx.xx:5061 -tls1
CONNECTED(00000003)
809B2897FA7F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1605:SSL alert number 70
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 127 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1728020547
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
```
Expectation:

| Value   | Accepted connections          |
| ------- | ----------------------------- |
| tlsv1_1 | tlsv1_1, tlsv1_2, tlsv1_3, +  |
| tlsv1_2 | tlsv1_2, tlsv1_3, +           |
| tlsv1_3 | tlsv1_3, +                    |
But now if I set it to tlsv1_2 then 1_3 is not accepted.
```
freepbx*CLI> pjsip show transport 0.0.0.0-tls

Transport:
Transport:  0.0.0.0-tls    tls    3    96    0.0.0.0:5061

 ParameterName                 : ParameterValue
 allow_reload                  : false
 allow_wildcard_certs          : No
 async_operations              : 1
 bind                          : 0.0.0.0:5061
 ca_list_file                  : /etc/ssl/certs/ca-certificates.crt
 ca_list_path                  :
 cert_file                     : /etc/asterisk/keys/pbx-fullchain.crt
 cipher                        :
 cos                           : 3
 domain                        :
 external_media_address        :
 external_signaling_address    :
 external_signaling_port       : 0
 local_net                     :
 method                        : tlsv1_2
 password                      :
 priv_key_file                 : /etc/asterisk/keys/pbx.key
 protocol                      : tls
 require_client_cert           : No
 symmetric_transport           : false
 tcp_keepalive_enable          : true
 tcp_keepalive_idle_time       : 30
 tcp_keepalive_interval_time   : 1
 tcp_keepalive_probe_count     : 5
 tos                           : 96
 verify_client                 : No
 verify_server                 : No
 websocket_write_timeout       : 100
```
```
root@freepbx:~# openssl s_client -connect pbx.xxxx.xx:5061 -tls1_3
CONNECTED(00000003)
80CB5F3EC27F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1605:SSL alert number 70
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 248 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

root@freepbx:~# openssl s_client -connect pbx.xxxx.xx:5061 -tls1_2 | head
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.xxxx.xx
verify return:1
CONNECTED(00000003)
Certificate chain
 0 s:CN = *.xxxx.xx
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 12 00:00:00 2023 GMT; NotAfter: Nov 10 23:59:59 2024 GMT
...
```
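The manual s_client runs above, as an added probe script that is not part of the issue or of FreePBX: it tries every TLS version against a transport, classifies each run the way the captured outputs read (an "alert protocol version" or "Cipher is (NONE)" means rejected) and compares the result with the minimum-version expectation table. The host `pbx.example`, the script name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the FreePBX issue or project: probe a PJSIP TLS
# transport with every TLS version and compare the result with the table above.
TLS_ORDER="tls1 tls1_1 tls1_2 tls1_3"   # oldest to newest, as openssl s_client names them

# tls_rank tls1_2 -> 3 (position in TLS_ORDER); prints 0 and fails for unknown names
tls_rank() {
  i=0
  for v in $TLS_ORDER; do
    i=$((i + 1))
    [ "$v" = "$1" ] && { echo "$i"; return 0; }
  done
  echo 0; return 1
}

# expected_accepted <configured method, e.g. tlsv1_2> <client version, e.g. tls1_3>
# Succeeds when the client version should be accepted under minimum-version semantics.
expected_accepted() {
  cfg=$(echo "$1" | sed 's/^tlsv/tls/')   # GUI spelling tlsv1_2 -> s_client spelling tls1_2
  [ "$(tls_rank "$2")" -ge "$(tls_rank "$cfg")" ]
}

# classify_s_client <captured s_client output> -> accepted | rejected | unknown
# The alert/"(NONE)" checks come first: s_client prints "Protocol : TLSv1" in its
# session summary even when the server refused the handshake, as in the report.
classify_s_client() {
  case "$1" in
    *"alert protocol version"*|*"Cipher is (NONE)"*) echo rejected ;;
    *"Cipher is "*) echo accepted ;;
    *) echo unknown ;;
  esac
}

# probe_tls_versions <host> <port> <configured method>
# Needs network access to a live transport; prints one line per version and
# returns 1 if any result differs from the expectation table.
probe_tls_versions() {
  host="$1"; port="$2"; cfg="$3"; rc=0
  for v in $TLS_ORDER; do
    out=$(openssl s_client -connect "$host:$port" "-$v" </dev/null 2>&1 || true)
    got=$(classify_s_client "$out")
    if expected_accepted "$cfg" "$v"; then want=accepted; else want=rejected; fi
    if [ "$got" = "$want" ]; then mark=OK; else mark=MISMATCH; rc=1; fi
    printf '%-7s server=%-8s expected=%-8s %s\n' "$v" "$got" "$want" "$mark"
  done
  return $rc
}

# Usage (hypothetical host): sh probe_tls.sh pbx.example 5061 tlsv1_2
if [ "$#" -ge 3 ]; then probe_tls_versions "$@"; fi
```

With the transport set to tlsv1_2, the run reported above would print MISMATCH for tls1_3, which is exactly the gap between the current "exact version" behaviour and the expected "minimum version" one.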
Operating Environment
FreePBX Framework 17.0.19.13
Asterisk 21.4.3-1.sng12
sipsettings 17.0.6.9
openssl 3.0.14-1~deb12u2
OS: Debian 12.7
Relevant log output