I’m running Asterisk 13.17.0 with embedded PJSIP 2.6 and I’m trying to lock down the SIP transport to use only TLSv1.2.
I noticed that there are only four options available in the “method” parameter under the [transport-tls] section which are:
sslv2
sslv3
sslv23
tlsv1
Of all these, the only one that enables TLSv1.2 is sslv23 but this also enables SSLv3, TLSv1.0 and TLSv1.1. Is there a way to disable all other versions and just keep TLSv1.2?
Sorry for waking up this old thread but it is one of the first matches on an Internet search.
This is possible in chan_sip via tlsclientmethod=sslv23 (in chan_sip, the default value) and tlsdisablev1=yes (in chan_sip, SSL 2.0 and SSL 3.0 are disabled by default).
This does not work with chan_pjsip, yet. With chan_pjsip, I see three alternatives:
A) configure/build the whole OpenSSL not to use older versions, or
B) build PJSIP while you define PJ_SSL_SOCK_OSSL_CIPHERS
The latter requires at least OpenSSL 1.1.x and SECLEVEL=3, for example (source). Then, set method=sslv23 and remove any ciphers= in your pjsip.conf, otherwise you remove the level. In the file third-party/pjproject/patches/config_site.h you add:
C) If level 3 is too high in your scenario and changing OpenSSL is not an option either, you have to change the source code of Asterisk (currently 13.27.0): Undo Gerrit 2783 and add:
#define PJSIP_SSL_DEFAULT_PROTO 0xFFF8
to your config_site.h. The last three bits are zero to disable SSL 2.0, SSL 3.0, and TLS 1.0. If you use OpenSSL 1.1 or newer, you have to change the source code of PJSIP (currently 2.8) as well: remove the line ssl_method = (SSL_METHOD*)TLS_method(); in the file ssl_sock_ossl.c.
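As an added example (not code from this thread, Asterisk or PJSIP), a small Python audit that decodes a PJSIP_SSL_DEFAULT_PROTO mask such as the 0xFFF8 from option C and lints the [transport-tls] settings that option B depends on. The bit positions are assumed from pjlib's pj_ssl_sock_proto enum (ssl_sock.h) for the PJSIP 2.8 era discussed here, and the pjsip.conf fragment is constructed.

```python
"""Audit helpers for the PJSIP TLS settings discussed in the thread above.
Added example, not Asterisk or PJSIP code."""
import configparser

# Assumed bit layout of pj_ssl_sock_proto (pjlib/include/pj/ssl_sock.h).
# PJSIP_SSL_DEFAULT_PROTO is a mask over these bits; PJSIP 2.8 predates TLS 1.3.
PJ_SSL_SOCK_PROTO = {
    "SSL 2.0": 1 << 0,
    "SSL 3.0": 1 << 1,
    "TLS 1.0": 1 << 2,
    "TLS 1.1": 1 << 3,
    "TLS 1.2": 1 << 4,
}

def enabled_protocols(mask: int) -> list:
    """Return the protocol versions a PJSIP_SSL_DEFAULT_PROTO mask still allows."""
    return [name for name, bit in PJ_SSL_SOCK_PROTO.items() if mask & bit]

def mask_for(*allowed: str) -> int:
    """Build a PJSIP_SSL_DEFAULT_PROTO value that keeps only the given versions."""
    return sum(PJ_SSL_SOCK_PROTO[name] for name in allowed)

def audit_transport(conf_text: str, section: str = "transport-tls") -> list:
    """Flag pjsip.conf settings that defeat the SECLEVEL approach from the thread:
    method must be sslv23 (the only value that reaches TLS 1.2) and ciphers= must
    be absent, since an explicit cipher list replaces the compiled-in SECLEVEL."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section(section):
        return [f"no [{section}] section"]
    findings = []
    if cp.get(section, "method", fallback="") != "sslv23":
        findings.append("method must be sslv23 to negotiate TLS 1.2 at all")
    if cp.has_option(section, "ciphers"):
        findings.append("ciphers= present: it overrides the SECLEVEL=3 default")
    return findings

# Constructed sample pjsip.conf fragment that exhibits both problems.
SAMPLE_CONF = """\
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
method=tlsv1
ciphers=HIGH:!aNULL
"""

if __name__ == "__main__":
    print("0xFFF8 still allows:", enabled_protocols(0xFFF8))  # TLS 1.1 remains on
    print("TLS 1.2 only mask: 0x%04X" % mask_for("TLS 1.2"))
    for finding in audit_transport(SAMPLE_CONF):
        print("finding:", finding)
```

Decoding 0xFFF8 shows that option C as written still leaves TLS 1.1 enabled; clearing bit 3 as well is what a TLS 1.2-only policy needs.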