Need help converting to pjsip

For chan_pjsip, please, use
method=sslv23

For an explanation, please, see my comment in the conversion script itself.

Mhm. Actually, I was talking about chan_sip, which was the cause of this confusion here. For chan_sip, that Wiki page shows tlsclientmethod=tlsv1. That disables not only SSL 3 but TLS 1.2, too. In chan_sip, the solution is: Do not specify tlsclientmethod at all, then a ‘good’ default is used. It gets the default of the platform, the platform OpenSSL configuration. Without tlsclientmethod, then, the conversion script creates a ‘good’ default for chan_pjsip: method=sslv23.

In chan_pjsip, the default value of method is empty, which disables all TLS versions. Just because of a side-effect, on an OpenSSL 1.1-based system this disables all TLS versions except TLS 1.3, because TLS 1.3 cannot be disabled the way the PJProject does it right now.

And there is another issue: On a recent Debian-based system like Debian 10 (Buster) or Ubuntu 20.04 LTS, the default OpenSSL Security Level is 2 (see page 4 table i). Previous Debian/Ubuntu versions lowered the level from 2 to zero, but not anymore. Additionally, Debian (via the patch Set-systemwide-default-settings-for-libssl-users.patch) and Canonical (via the patch tls1.2-min-seclevel2.patch) require TLS 1.2 in Security Level 2 already. Consequently, on recent Debian-based systems, not only SSL 3 but also TLS 1.0 and TLS 1.1 are disabled by default.

That has three implications for Ubuntu 20.04 LTS:

  1. If chan_sip had tlsclientmethod=tlsv1 and this is converted to method=tlsv1, chan_pjsip uses only TLS 1.3, making it incompatible with nearly every phone and service on this earth.
  2. In chan_sip, the administrator was able to repair this by using tlscipher=DEFAULT@SECLEVEL=1 for example. In chan_pjsip, this is not possible because the PJProject converts the cipher string internally. The PJProject does not know about SECLEVEL and rejects a cipher string with a SECLEVEL appended.
  3. Instead, to re-enable TLS 1.0 which is still the maximum of many phones and services out there, the user has to change the system-wide configuration of OpenSSL.

No standard user of Digium Asterisk is going to understand all this. Joshua, can we discuss via a different communication channel, preferably via phone, what to do, what can be done, and how to improve the user experience in this regard? Otherwise this will not only be an endless compatibility issue for users but also create security-related configuration errors.

Therefore, when it comes to that Wiki page, my recommendation is method=sslv23 for chan_pjsip and not specifying tlsclientmethod at all for chan_sip. Furthermore, tlscipher=ALL for chan_sip has to go for sure; the default is then used, which is tlscipher=DEFAULT.
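The mapping recommended in this thread, written out as an added example that is neither the Asterisk conversion script nor any project code: it reads a constructed sip.conf [general] section, emits the chan_pjsip transport settings, and flags the three problem cases discussed above (tlsclientmethod=tlsv1, tlscipher=ALL, and a SECLEVEL suffix that PJProject rejects). The function name and the sample configuration are assumptions for illustration.

```python
import configparser

# Constructed sample sip.conf [general] section (not a real deployment);
# it carries exactly the settings the thread warns about.
SAMPLE_SIP_CONF = """
[general]
tlsenable=yes
tlsclientmethod=tlsv1
tlscipher=ALL
"""


def convert_tls_settings(sip_conf_text):
    """Map chan_sip TLS settings to chan_pjsip transport settings.

    Returns (pjsip_settings, warnings). Hypothetical helper: no tlsclientmethod
    -> method=sslv23 (platform default); tlsclientmethod=tlsv1 is replaced by
    sslv23 because method=tlsv1 leaves only TLS 1.3 on a SECLEVEL=2 system;
    tlscipher=ALL is dropped so OpenSSL's DEFAULT list applies.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sip_conf_text)
    general = cp["general"] if cp.has_section("general") else {}
    pjsip = {"type": "transport", "protocol": "tls"}
    warnings = []

    client_method = general.get("tlsclientmethod")
    if client_method is None or client_method.lower() == "tlsv1":
        pjsip["method"] = "sslv23"  # negotiate the highest mutually supported version
        if client_method is not None:
            warnings.append("tlsclientmethod=tlsv1 would become method=tlsv1, which on "
                            "a SECLEVEL=2 system leaves only TLS 1.3; using sslv23")
    else:
        pjsip["method"] = client_method.lower()

    cipher = general.get("tlscipher")
    if cipher is None:
        pass  # chan_pjsip falls back to the OpenSSL DEFAULT cipher list
    elif cipher.upper() == "ALL":
        warnings.append("tlscipher=ALL dropped; OpenSSL DEFAULT cipher list applies")
    elif "@SECLEVEL" in cipher.upper():
        # PJProject rejects a SECLEVEL suffix; the level itself can only be
        # lowered in the system-wide OpenSSL configuration.
        pjsip["cipher"] = cipher.split("@")[0]
        warnings.append("SECLEVEL suffix removed from tlscipher (PJProject rejects it); "
                        "re-enabling TLS 1.0/1.1 needs the system-wide OpenSSL config")
    else:
        pjsip["cipher"] = cipher
    return pjsip, warnings
```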