TLS 1.0 in Asterisk

I’ve been having some issues with TLS 1.0 on my Asterisk 18.2 system and I’ve been collaborating with another Asterisk user to try to figure out the issue. The end goal is to get all my ATAs, many of which are out of support, to use TLS/SRTP.

This other person had it working on his Asterisk 16 system but it stopped working for him as well when he upgraded to Asterisk 18. I checked the release notes and I see no mention of TLS 1.0 in the 16, 17, or 18 release notes. Was TLS 1.0 support intentionally removed from the latest version?

I don’t like TLS 1.0 personally, but IMO some security is better than none, and right now my ATAs are failing to negotiate and can’t do anything newer than TLS 1.0, so if it was removed, would there be an issue in forward porting chan_sip.c from v16 to v18?

Support wasn’t removed from Asterisk itself. The most that happened in regards to it was the changing of some defaults to be more secure. I believe some distros and OpenSSL builds have been disabling certain older support, though, and since ultimately that is what is used to provide such functionality in Asterisk, it would naturally impact Asterisk.

OK, thanks, good to know. I feel like something else may have changed which may impact it (like disabling certain ciphers - this happened to me with Apache where, by disabling ciphers, TLS 1.0 stopped working even though it was not explicitly disabled). My Apache accepts 1.0 but Asterisk does not, and testing with the openssl client fails to negotiate < 1.2.

Are you able to elaborate on what these “more secure defaults” are? I’d like to see if I can get it to work by tweaking those. Right now, I’m not sure what else to look at if it’s not something in sip.conf.

Thanks!

The sip.conf file is what configures the TLS transport. The tlscipher option and tlsclientmethod option control them. Looking back, what I was thinking of refers to the HTTP server [1].

[1] https://downloads.asterisk.org/pub/security/AST-2016-001.pdf

Currently, this is what I have:

tlscipher=ALL
;tlsclientmethod=tlsv1

I can’t think how to make it any more lenient / less restrictive than that.

I had the latter uncommented before with the belief that this would explicitly force TLS 1.0, and I uncommented it to test further when it was not working, but neither makes it work.

When I try registering things (or other people try), I just see stuff like this in the console:
[2021-02-12 09:31:07] ERROR[15892]: iostream.c:647 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[2021-02-12 09:31:07] ERROR[15892]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer ’
[2021-02-12 09:31:07] ERROR[15892]: iostream.c:552 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[2021-02-12 09:31:29] ERROR[15895]: iostream.c:647 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[2021-02-12 09:31:29] ERROR[15895]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer ’
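An added example, written for this page and not taken from the thread or from Asterisk, that makes the "distro/OpenSSL defaults" explanation above something you can check rather than guess at. Asterisk's TLS listener is built on libssl, so a system-wide floor in the OpenSSL configuration (on Debian and Ubuntu, `MinProtocol = TLSv1.2` and `CipherString = DEFAULT@SECLEVEL=2` under `[system_default_sect]` in /etc/ssl/openssl.cnf) applies to the SIP TLS port even though sip.conf never mentions it; `tlscipher=ALL` cannot lift it, and `tlsclientmethod` only affects connections Asterisk makes outbound, not ATAs registering in. The script below parses such a config for the floor, and wraps `openssl s_client` for a live probe at a forced protocol version. The sample openssl.cnf it writes is constructed for the demo, and the path in `CNF` is an assumption for Debian-style layouts.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asterisk. Checks whether the
# system OpenSSL configuration, rather than sip.conf, is what refuses TLS 1.0.
# Assumption: Debian/Ubuntu layout, where the floor lives in /etc/ssl/openssl.cnf.
CNF=${OPENSSL_CNF_PATH:-/etc/ssl/openssl.cnf}

# cnf_value <openssl.cnf> <Key>
# Print the value of the first uncommented "Key = value" line; empty if absent.
cnf_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }            # whole-line comment
        index($0, "=") == 0 { next }         # section header or blank line
        {
            i = index($0, "=")
            k = substr($0, 1, i - 1); gsub(/[[:space:]]/, "", k)
            if (k != key) next
            v = substr($0, i + 1)
            sub(/#.*/, "", v)                # trailing comment
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}

# cnf_seclevel <openssl.cnf>
# Print N from "CipherString = ...@SECLEVEL=N", or "unset" when not configured.
cnf_seclevel() {
    cs=$(cnf_value "$1" CipherString)
    case "$cs" in
        *@SECLEVEL=*) echo "${cs##*@SECLEVEL=}" | sed 's/[^0-9].*//' ;;
        *) echo unset ;;
    esac
}

# proto_rank <SSLv3|TLSv1|TLSv1.1|TLSv1.2|TLSv1.3> -> 0..4, -1 if unknown
proto_rank() {
    case "$1" in
        SSLv3) echo 0 ;; TLSv1) echo 1 ;; TLSv1.1) echo 2 ;;
        TLSv1.2) echo 3 ;; TLSv1.3) echo 4 ;; *) echo -1 ;;
    esac
}

# tls10_blocked_by_cnf <openssl.cnf>
# Return 0 (and say why) when MinProtocol is above TLS 1.0, 1 otherwise.
tls10_blocked_by_cnf() {
    minp=$(cnf_value "$1" MinProtocol)
    lvl=$(cnf_seclevel "$1")
    if [ -n "$minp" ] && [ "$(proto_rank "$minp")" -gt "$(proto_rank TLSv1)" ]; then
        echo "TLS 1.0 blocked: $1 sets MinProtocol = $minp (SECLEVEL=$lvl)"
        return 0
    fi
    echo "TLS 1.0 not blocked by MinProtocol in $1 (MinProtocol=${minp:-unset}, SECLEVEL=$lvl)"
    return 1
}

# probe_tls <host> <port> <tls1|tls1_1|tls1_2>
# Live check against the SIP TLS port, forcing one protocol version. Run it
# from another machine or with OPENSSL_CONF=/dev/null; otherwise s_client obeys
# the same system floor you are trying to detect and the probe proves nothing.
probe_tls() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 2; }
    printf '' | openssl s_client -connect "$1:$2" "-$3" 2>&1 \
        | grep -E 'Protocol *:|Cipher *:|alert|error' | head -n 4
}

# write_sample_cnf <path> <MinProtocol>
# Constructed stand-in for the system_default_sect chain of a Debian-style file.
write_sample_cnf() {
    cat > "$1" <<EOF
# constructed sample for the demo, not a real distribution file
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = $2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# Demo: the constructed config refuses TLS 1.0; then inspect the real one if readable.
demo() {
    tmp=$(mktemp)
    write_sample_cnf "$tmp" TLSv1.2
    tls10_blocked_by_cnf "$tmp"
    rm -f "$tmp"
    if [ -r "$CNF" ]; then tls10_blocked_by_cnf "$CNF" || true; fi
    return 0
}
demo
```

If `tls10_blocked_by_cnf` reports a floor above TLS 1.0, that is the setting to relax (or override for Asterisk alone via `OPENSSL_CONF` in its service environment) before touching sip.conf; then confirm with `probe_tls asterisk.example 5061 tls1` from a second host, which should show `Protocol : TLSv1` once the floor is gone.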
