search

asterisk / asterisk-feature-requests

A place to submit feature and improvement requests for the Asterisk project. Contains no code.
2 stars 1 forks source link

Improve PJSIP TLS transport / configuration handling #6

Open CRCinAU opened 1 year ago

CRCinAU commented 1 year ago

Currently, when configuring Asterisk + PJSIP for a TLS transport, there is only the ability to set ONE TLS level. These options are like:

It is not possible to set multiple TLS levels like most server software allows, and allow the client to negotiate to the highest supported TLS level.

As such, an expected valid, but non-available configuration would be: method = tlsv1_1, tlsv1_2

This would allow the transport to support both TLSv1.1 and TLSv1.2 protocols.

The Mozilla SSL Configuration Generator is a good example on how the majority of popular server software is configured for different cipher + TLS levels, such as:

Asterisk support for setting the TLS protocol levels seems to be handled here: https://github.com/asterisk/asterisk/blob/master/res/res_pjsip/config_transport.c#L1209

As this is an entire if / else if block, it does not seem to be able to process multiple configuration items for a TLS transport.

As a best practice however, it should probably be prudent to remove SSLv2 and SSLv3 support completely. They are utterly broken and should not be used for any purpose these days.

Further to this topic, the Asterisk documentation still uses examples to enable / use sslv23 for the example TLS configurations: https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

This is horribly wrong, but should be updated to reflect: a) An improved TLS handling within Asterisk / PJSIP interface; and b) Document the new implementation of TLS handling; and c) Provide an example of at least a 'best-practice' compliant settings; and d) As PJSIP is compiled against OpenSSL v3, then TLSv1.3 should also be implemented and be available

CRCinAU commented 1 year ago

There is also a followup on this where there is a requirement to load a trusted bundle of root certs for validation of outgoing TLS connections to TLS enabled SIP servers.

The only way I've found to do this is to add something like ca_list_file=/etc/pki/tls/cert.pem to the pjsip.conf file. This allows certificates to be validated, however, it also adds them all to the TLS CA List for Client Auth - which is obviously incorrect behaviour.

As such, there probably needs to be a way to supply a cert bundle of trusted roots to be able to validate TLS certificates on outbound connections / registrations.

InterLinked1 commented 1 year ago

Currently, when configuring Asterisk + PJSIP for a TLS transport, there is only the ability to set ONE TLS level. These options are like:

  • SSLv2 (method = sslv2)
  • SSLv3 (method = sslv3)
  • SSLv2+SSLv3 (method = sslv23)
  • TLSv1 (method = tlsv1)
  • TLSv1.1 (method = tlsv1_1)
  • TLSv1.2 (method = tlsv1_2)

It is not possible to set multiple TLS levels like most server software allows, and allow the client to negotiate to the highest supported TLS level.

You may already know this, but what you can do is configure multiple transports, each with a different TLS protocol level.

For example, I use one TLS port for TLS 1.0, to support older devices, and one for TLS 1.2, for devices that can support it. Unlike chan_sip, it's perfectly fine to configure multiple transports with different TLS versions.

CRCinAU commented 1 year ago

I know this can be done - but its a horrible workaround for what is basic TLS configuration.

miken32 commented 4 months ago

I just assumed the value in configuration was the minimum version. As well as removing SSL they should ditch TLS 1.0 as well. It's 25 years old and long superseded.

InterLinked1 commented 4 months ago

I just assumed the value in configuration was the minimum version. As well as removing SSL they should ditch TLS 1.0 as well. It's 25 years old and long superseded.

Many SIP devices don't support anything newer than TLS 1.0, so removing TLS 1.0 support would be very stupid.