I just set up an Asterisk/FreePBX server (FreePBX 16, with Asterisk 16.16.1 from the Debian repository) in a home office. I’ve set up Asterisk on older Debian and Ubuntu releases, but this is the first one I’ve stood up on Debian 11 Bullseye.
I configured a chan_pjsip TLS transport:

    [tls]
    type=transport
    protocol=tls
    ca_list_file=/etc/ssl/certs/ca-certificates.crt
    cert_file=/etc/asterisk/keys/pbx.crt
    priv_key_file=/etc/asterisk/keys/pbx.key
    method=tlsv1_2
    verify_client=no
    verify_server=yes
However, I couldn’t get MicroSIP (or any other softphone I tried) to connect over TLS.
From a Wireshark packet capture, I observed that the client was attempting to use TLSv1.2, but the server did not accept that protocol version.
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
I checked the TLS connection using the openssl client, and discovered that the server was using TLSv1.3, even though the transport configuration was explicitly set to

    $ openssl s_client -connect pbx.example.net:5061
    ...
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
That makes me think something in the OS is forcing TLSv1.3, even when the Asterisk configuration is configured to use TLSv1.2 to support softphones and old Polycom phones. Does anyone know how to fix this? Ideally I’d like to support TLSv1.2 and TLSv1.3, but I don’t think that’s possible in Asterisk?
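The openssl s_client check in the post only shows what the server picks when the client offers everything. Before changing any Asterisk or OS setting it is worth knowing which protocol versions the listener will actually accept when the client is pinned to one version, since that is what an older phone does. The script below is an added example, not part of the original post or of Asterisk/FreePBX; it assumes openssl 1.1.1 or later on PATH and that the host and port (5061 by default) are passed by the caller. The parsing functions work on s_client output alone, so they can be checked against the output quoted above without a network.

```shell
#!/bin/sh
# Added example: probe which TLS versions a SIP-over-TLS listener accepts
# by pinning openssl s_client to one version at a time, and parse the result.
# Assumptions: openssl 1.1.1+ on PATH; host and port supplied by the caller.

# Print the negotiated protocol from s_client output read on stdin.
# s_client prints e.g. "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384";
# on a failed handshake it prints "New, (NONE), Cipher is (NONE)".
negotiated_version() {
    sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' | head -n 1
}

# Print the negotiated cipher suite from the same line.
negotiated_cipher() {
    sed -n 's/^New, [^,]*, Cipher is \(.*\)$/\1/p' | head -n 1
}

# Classify s_client output on stdin as "accepted" or "rejected".
# An empty result (s_client exited before printing the summary) is also a rejection.
handshake_result() {
    cipher=$(negotiated_cipher)
    case "$cipher" in
        ""|"(NONE)") echo rejected ;;
        *)           echo accepted ;;
    esac
}

# Try each TLS version in turn against host:port and report the outcome.
# With method=tlsv1_2 in pjsip.conf one would expect only tls1_2 to be accepted;
# a listener that also accepts tls1_3 or tls1_1 is not honouring that setting.
probe_tls_versions() {
    host=$1
    port=${2:-5061}
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" "-$flag" \
              </dev/null 2>/dev/null) || true
        printf '%-7s %-8s %s\n' "$flag" \
            "$(printf '%s\n' "$out" | handshake_result)" \
            "$(printf '%s\n' "$out" | negotiated_version)"
    done
}

# Usage: sh probe_sip_tls.sh pbx.example.net 5061
if [ $# -ge 1 ]; then
    probe_tls_versions "$@"
fi
```

Run it once against the PBX from the same network segment as the phones; the line for tls1_2 tells you whether the transport is reachable by a TLS 1.2-only client at all, independent of any particular softphone.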