I’m running Asterisk 13.17.0 with embedded PJSIP 2.6 and I’m trying to lock down the SIP transport to use only TLSv1.2.
I noticed that there are only four options available in the “method” parameter under the [transport-tls] section which are:
Of all these, the only one that enables TLSv1.2 is sslv23 but this also enables SSLv3, TLSv1.0 and TLSv1.1. Is there a way to disable all other versions and just keep TLSv1.2?
thanks for that jcolp. Which Asterisk version has this been introduced in?
According to the code review the earliest release was 13.19.0
Great. Thanks for that. It worked like a charm with the latest version.
One last question, do you know if there’s a way to enable two methods? For example, TLSv1.1 and TLSv1.2 but not the others?
I don’t believe there is a way, no.
Sorry for waking up this old thread but it is one of the first matches on an Internet search.
This is possible in chan_sip via
tlsclientmethod=sslv23 (in chan_sip, the default value) and
tlsdisablev1=yes (in chan_sip, SSL 2.0 and SSL 3.0 are disabled on default).
This does not work with chan_pjsip, yet. With chan_pjsip, I see three alternatives:
A) configure/build the whole OpenSSL not to use older versions, or
B) build PJSIP while you define PJ_SSL_SOCK_OSSL_CIPHERS
The latter requires at least OpenSSL 1.1.x and
SECLEVEL=3, for example (source). Then, set
method=sslv23 and remove any
ciphers= in your pjsip.conf, otherwise you remove the level. In the file third-party/pjproject/patches/config_site.h you add:
#define PJ_SSL_SOCK_OSSL_CIPHERS "HIGH:-COMPLEMENTOFDEFAULT@SECLEVEL=3"
Then, make and install your Asterisk again.
C) If level 3 is too high in your scenario and changing OpenSSL is no option either, you have to change the source code of Asterisk (currently 13.27.0): Undo Gerrit 2783 and add:
#define PJSIP_SSL_DEFAULT_PROTO 0xFFF8
to your config_site.h. The last three bits are zero to disable SSL 2.0, SSL 3.0, and TLS 1.0. If you use OpenSSL 1.1 or newer, you have to change the source code of the PJSIP (currently 2.8) as well: remove the line
ssl_method = (SSL_METHOD*)TLS_method(); in the file ssl_sock_ossl.c.