Enable TLSv1.2 only in SIP/TLS transport

amiedzow · June 17, 2018, 9:01pm

Hi,

I’m running Asterisk 13.17.0 with embedded PJSIP 2.6 and I’m trying to lock down the SIP transport to use only TLSv1.2.

I noticed that there are only four options available in the “method” parameter under the [transport-tls] section which are:

sslv2
sslv3
sslv23
tlsv1

Of all these, the only one that enables TLSv1.2 is sslv23 but this also enables SSLv3, TLSv1.0 and TLSv1.1. Is there a way to disable all other versions and just keep TLSv1.2?

Thanks

jcolp · June 17, 2018, 9:09pm

13.17.0 predates the ability to do that[1].

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Configuration_res_pjsip#Asterisk13Configuration_res_pjsip-transport_method

amiedzow · June 17, 2018, 9:30pm

thanks for that jcolp. Which Asterisk version has this been introduced in?

jcolp · June 17, 2018, 10:20pm

According to the code review[1] the earliest release was 13.19.0

[1] https://gerrit.asterisk.org/#/c/7525/

amiedzow · June 18, 2018, 2:20am

Great. Thanks for that. It worked like a charm with the latest version.

One last question, do you know if there’s a way to enable two methods? For example, TLSv1.1 and TLSv1.2 but not the others?

jcolp · June 18, 2018, 10:02am

I don’t believe there is a way, no.

traud · May 24, 2019, 9:51am

Sorry for waking up this old thread but it is one of the first matches on an Internet search.

This is possible in chan_sip via tlsclientmethod=sslv23 (in chan_sip, the default value) and tlsdisablev1=yes (in chan_sip, SSL 2.0 and SSL 3.0 are disabled on default).

This does not work with chan_pjsip, yet. With chan_pjsip, I see three alternatives:
A) configure/build the whole OpenSSL not to use older versions, or
B) build PJSIP while you define PJ_SSL_SOCK_OSSL_CIPHERS
The latter requires at least OpenSSL 1.1.x and SECLEVEL=3, for example (source). Then, set method=sslv23 and remove any ciphers= in your pjsip.conf, otherwise you remove the level. In the file third-party/pjproject/patches/config_site.h you add:

#define PJ_SSL_SOCK_OSSL_CIPHERS "HIGH:-COMPLEMENTOFDEFAULT@SECLEVEL=3"

Then, make and install your Asterisk again.

C) If level 3 is too high in your scenario and changing OpenSSL is no option either, you have to change the source code of Asterisk (currently 13.27.0): Undo Gerrit 2783 and add:

#define PJSIP_SSL_DEFAULT_PROTO 0xFFF8

to your config_site.h. The last three bits are zero to disable SSL 2.0, SSL 3.0, and TLS 1.0. If you use OpenSSL 1.1 or newer, you have to change the source code of the PJSIP (currently 2.8) as well: remove the line ssl_method = (SSL_METHOD*)TLS_method(); in the file ssl_sock_ossl.c.