Debian 11 is forcing TLSv1.3 even when method=tls1_2

I just set up an Asterisk/FreePBX server (FreePBX 16, with Asterisk 16.16.1 from the Debian repository) in a home office. I’ve set up Asterisk on older Debian and Ubuntu releases, but this is the first one I’ve stood up on Debian 11 Bullseye.

I configured a chan_pjsip TLS transport:

[tls]
type=transport
protocol=tls
ca_list_file=/etc/ssl/certs/ca-certificates.crt
cert_file=/etc/asterisk/keys/pbx.crt
priv_key_file=/etc/asterisk/keys/pbx.key
method=tlsv1_2
verify_client=no
verify_server=yes

However, I couldn’t get MicroSIP (or any other softphone I tried) to connect over TLS.

From a Wireshark packet capture, I observed that the client was attempting to use TLSv1.2, but the server did not accept that protocol version.

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Protocol Version)


I checked the TLS connection using the openssl client, and discovered that the server was using TLSv1.3, even though the transport configuration was explicitly set to tls1_2.

$ openssl s_client -connect pbx.example.net:5061
...
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

That makes me think something in the OS is forcing TLSv1.3, even when the Asterisk configuration is configured to use TLSv1.2 to support softphones and old Polycom phones. Does anyone know how to fix this? Ideally I’d like to support TLSv1.2 and TLSv1.3, but I don’t think that’s possible in Asterisk?

Here are two options:

  1. Set up OpenSSL to use a lower security level in /etc/ssl/openssl.cnf
  2. Use PJproject 2.11 or newer and pass the desired OpenSSL security level from Asterisk

How would I do that?

With native Asterisk download and compile. Maybe more difficult with FreePBX?

Ah, I could do that. FreePBX doesn’t care how Asterisk is installed. For my needs though, I think I’ll stick with lowering the default OpenSSL value.

Thanks!

PJproject 2.12 will probably be bundled with the next set of Asterisk releases. They are adding it to the Git-master right now.

@cable Actually, I just checked, and TLSv1.2 is already the default. Weird

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Change it to ‘SECLEVEL=1’
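Added example (not from any poster in this thread, and not Asterisk or OpenSSL project code): a small Python auditor for the system-wide policy section of /etc/ssl/openssl.cnf that the two posts above are editing. It follows the openssl_conf -> ssl_conf -> system_default chain to the section holding MinProtocol and CipherString, reads the SECLEVEL out of the cipher string, maps it to the minimum RSA key size OpenSSL enforces at that level (values from SSL_CTX_set_security_level(3)), and can emit a copy of the file with the SECLEVEL lowered, so the change can be reviewed before it is written. The sample config is a constructed excerpt modelled on the lines quoted above; the wider Debian file contains more than this.

```python
"""Audit and adjust the SECLEVEL in an openssl.cnf system-default section.

Added example; the sample config below is constructed, not copied from a host.
"""
import re

# Minimum RSA/DH key size (bits) that each OpenSSL security level accepts,
# per SSL_CTX_set_security_level(3). Level 2 is what the thread found on Debian 11.
SECLEVEL_MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# Constructed excerpt mirroring the policy chain in Debian's /etc/ssl/openssl.cnf.
SAMPLE_CONF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""


def parse_openssl_conf(text):
    """Parse the INI-like file into {section: {key: value}}.
    Keys that appear before the first [section] go under '' (the global section)."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def system_default_policy(sections):
    """Follow openssl_conf -> ssl_conf -> system_default to the policy section.
    Returns {} if any link in the chain is missing (no system-wide policy applies)."""
    name = sections[""].get("openssl_conf")
    if name is None:
        return {}
    name = sections.get(name, {}).get("ssl_conf")
    if name is None:
        return {}
    name = sections.get(name, {}).get("system_default")
    if name is None:
        return {}
    return dict(sections.get(name, {}))


def seclevel_from_cipherstring(cipherstring):
    """Return N from a '...@SECLEVEL=N' cipher string, or None if no level is pinned."""
    m = re.search(r"@SECLEVEL=(\d+)", cipherstring)
    return int(m.group(1)) if m else None


def audit(text):
    """Summarise the effective system policy: protocol floor, SECLEVEL, and the
    smallest RSA key OpenSSL will accept for a certificate at that level."""
    policy = system_default_policy(parse_openssl_conf(text))
    level = seclevel_from_cipherstring(policy.get("CipherString", ""))
    return {
        "MinProtocol": policy.get("MinProtocol"),
        "SECLEVEL": level,
        "min_rsa_bits": SECLEVEL_MIN_RSA_BITS.get(level),
    }


def lower_seclevel(text, level):
    """Return the config text with every CipherString SECLEVEL replaced by `level`.
    The file is not written; the caller reviews the diff and installs it."""
    if level not in SECLEVEL_MIN_RSA_BITS:
        raise ValueError("OpenSSL security levels run from 0 to 5")
    return re.sub(r"(CipherString\s*=\s*[^\n#]*?@SECLEVEL=)\d+", rf"\g<1>{level}", text)


if __name__ == "__main__":
    print("before:", audit(SAMPLE_CONF))
    patched = lower_seclevel(SAMPLE_CONF, 1)
    print("after: ", audit(patched))
```

Running the audit before and after the edit makes the trade-off visible: at SECLEVEL=2 the policy refuses certificates with RSA keys under 2048 bits, at SECLEVEL=1 the floor drops to 1024 bits, and MinProtocol stays at TLSv1.2 either way. Keep that in mind when deciding whether to change the system-wide file or, as the earlier reply suggested, pass the level per application through a newer PJproject instead.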

That did it. Thank you!

Also, I just discovered that it still uses TLSv1.3 for clients that support it. Neat!
