How to force Asterisk 13.19.1 to use TLS1.2 on CentOS 6

Hello,

With the new Google Chrome update, removing support for TLS1.0 and TLS1.1, we have had an issue come up concerning our WebRTC which uses the jsSIP client.

The error in asterisk:

[2020-11-18 07:12:34] ERROR[11487][C-00017194]: res_rtp_asterisk.c:2545 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7f91884ebd00' due to reason 'tlsv1 alert protocol version', terminating
[2020-11-18 07:12:34] WARNING[11487][C-00017194]: res_rtp_asterisk.c:5300 ast_rtp_read: RTP Read error: Unspecified.  Hanging up.

Our systems are built on CentOS 6.6 and we use openssl 1.0.1e-fips - which supports TLS1.2. The Asterisk version we are using is: 13.19.1
We have run SIP packet traces and can confirm the type was: DTLS1.0 coming from the Asterisk server

Any ideas on how to fix this issue?

Kind Regards,
Joe

We have been using WebRTC with PjSip for a while now and it works fine with
Asterisk 16 and 18.

Maybe updating your Asterisk version would be an idea if it is possible?

Thanks for the reply. One thing that I forgot to mention is that we use chan_sip for our SIP stack. Moving to PJSip was more of a last resort. We have TLS1.2 working perfectly fine on CentOS 7 servers with the same version/files/configuration, which shows me that chan_sip does support TLS1.2. So I'm confused at what would break this on CentOS 6 servers.

In your transport config add:
method=tlsv1_2

Like I mentioned before, this is for PJSip and we use chan_sip at the moment. We are not looking to migrate currently.

This is referring to the DTLS version, not the TLS version used for transport. DTLS 1.2 was added into OpenSSL 1.0.2. Latest Chrome requires use of DTLS 1.2.
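
As an added example (not posted by anyone in the thread), the check the last reply implies can be scripted: find the DTLS protocol-version alert in the Asterisk log and compare the OpenSSL version string against 1.0.2, the release the reply says added DTLS 1.2. The function names are hypothetical, and the script assumes that `openssl version` reports the same library Asterisk is linked against.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# dtls12_supported "<`openssl version` output>"
# Returns 0 for OpenSSL >= 1.0.2, 1 for older, 2 if the string is not parseable.
dtls12_supported() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 0 ]; then return 0; fi
    [ "$patch" -ge 2 ]
}

# Reads Asterisk log lines on stdin; prints how many are DTLS failures
# caused by a protocol-version alert.
dtls_version_alerts() {
    grep -c "DTLS failure occurred.*alert protocol version" || true
}

# diagnose "<openssl version output>" < asterisk-log
diagnose() {
    n=$(dtls_version_alerts)
    if [ "$n" -eq 0 ]; then echo "no-dtls-alert"; return 0; fi
    rc=0; dtls12_supported "$1" || rc=$?
    case $rc in
        0) echo "dtls-alert:openssl-has-dtls1.2" ;;
        1) echo "dtls-alert:openssl-lacks-dtls1.2" ;;
        *) echo "dtls-alert:openssl-unknown" ;;
    esac
}

# The two log lines quoted in the question.
sample_log() {
    cat <<'EOF'
[2020-11-18 07:12:34] ERROR[11487][C-00017194]: res_rtp_asterisk.c:2545 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7f91884ebd00' due to reason 'tlsv1 alert protocol version', terminating
[2020-11-18 07:12:34] WARNING[11487][C-00017194]: res_rtp_asterisk.c:5300 ast_rtp_read: RTP Read error: Unspecified.  Hanging up.
EOF
}

# Version string constructed in `openssl version` format from the 1.0.1e-fips
# named in the question; on a real host pass "$(openssl version)" instead.
sample_log | diagnose "OpenSSL 1.0.1e-fips 11 Feb 2013"
```

A result of `dtls-alert:openssl-has-dtls1.2` means the library version is not the limiting factor and the cause lies elsewhere.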
