<div dir="ltr"><div>Hi Alex and Daniel,</div><div><br></div><div>Thanks for that. If we test with -tls1 we get:</div><div><br></div><div><span style="font-family:monospace">Peer signing digest: MD5-SHA1<br>Peer signature type: RSA<br>Server Temp Key: X25519, 253 bits<br>---<br>SSL handshake has read 6063 bytes and written 231 bytes<br>Verification error: certificate has expired<br>---<br>New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA<br>Server public key is 2048 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>No ALPN negotiated<br>SSL-Session:<br> Protocol : TLSv1<br> Cipher : ECDHE-RSA-AES256-SHA<br> Session-ID: 10059472D497ED035E53F0037275430927B06D6023A78C23CDB883503DB912F3<br> Session-ID-ctx: <br> Master-Key: D4542C9D23589A600554D7F0C552CE784F938341C0AFD61430AB7422CEB77EF05F783E8F787FC5CF66A27B6C996C32D8<br> PSK identity: None<br> PSK identity hint: None<br> SRP username: None<br> TLS session ticket lifetime hint: 7200 (seconds)<br> TLS session ticket:<br> 0000 - 40 82 72 56 a9 78 26 79-03 1e cb 8d 29 dc 8c f8 @.rV.x&y....)...<br></span></div><div><span style="font-family:monospace">... etc...<br></span></div><div><br></div><div>But with -tls1_1 we get:</div><div><br></div><div><span style="font-family:monospace">CONNECTED(00000005)<br>139645110682048:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:<br>---<br>no peer certificate available<br>---<br>No client certificate CA names sent<br>---<br>SSL handshake has read 74 bytes and written 133 bytes<br>Verification: OK<br>---<br>New, (NONE), Cipher is (NONE)<br>Secure Renegotiation IS NOT supported<br>Compression: NONE<br>Expansion: NONE<br>No ALPN negotiated<br>SSL-Session:<br> Protocol : TLSv1.1</span></div><div><div>... etc...<br></div></div><div><br></div><div>So I guess TLS 1.1 is not supported at the moment. In tls.cfg we have "method = TLSv1", but my understanding is that this is the minimum and doesn't prevent using higher versions?</div><div><br></div><div>Given that we have the Ubuntu packages for libssl1.1 (version 1.1.1-1ubuntu2.1~18.04) and libssl-dev (version 1.1.1-1ubuntu2.1~18.04) installed, does anyone know what else we need to get TLS 1.1 working?</div><div><br></div><div>Thanks in advance!</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 12 Aug 2020 at 20:08, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com">miconda@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
for sure you can test if a specific tls version is supported, like:<br>
<br>
openssl s_client -tls1_3 ...<br>
<br>
In Kamailio one can restrict what tls versions to enable/allow via<br>
modparam or tls.cfg, but the support of tls versions is coming from<br>
libssl, so it is a matter of what libssl version is used and the distro<br>
(as I noticed some distros package libssl with older protocols disabled).<br>
<br>
Cheers,<br>
Daniel<br>
<br>
On 12.08.20 04:01, Alex Balashov wrote:<br>
> Hi,<br>
><br>
> Are you looking for a way that does not require access to the Kamailio<br>
> config?<br>
><br>
> If so, does `openssl s_client $HOST:5061` not show this, e.g. with<br>
> verbosity?<br>
><br>
><br>
> On 8/11/20 9:44 PM, David Cunningham wrote:<br>
>> Hello,<br>
>><br>
>> Does anyone know of a method to check what TLS versions are available<br>
>> from Kamailio for clients to use? For example, is TLS 1.0 available,<br>
>> TLS 1.1, etc.<br>
>><br>
>> Thanks in advance,<br>
>><br>
>> -- <br>
>> David Cunningham, Voisonics Limited<br>
>> <a href="http://voisonics.com/" rel="noreferrer" target="_blank">http://voisonics.com/</a><br>
>> USA: +1 213 221 1092<br>
>> New Zealand: +64 (0)28 2558 3782<br>
>><br>
>> _______________________________________________<br>
>> Kamailio (SER) - Users Mailing List<br>
>> <a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
>> <a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
>><br>
><br>
> -- <br>
> Alex Balashov | Principal | Evariste Systems LLC<br>
><br>
> Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)<br>
> Web: <a href="http://www.evaristesys.com/" rel="noreferrer" target="_blank">http://www.evaristesys.com/</a>, <a href="http://www.csrpswitch.com/" rel="noreferrer" target="_blank">http://www.csrpswitch.com/</a><br>
><br>
> _______________________________________________<br>
> Kamailio (SER) - Users Mailing List<br>
> <a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
> <a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
<br>
-- <br>
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" rel="noreferrer" target="_blank">www.asipto.com</a><br>
<a href="http://www.twitter.com/miconda" rel="noreferrer" target="_blank">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" rel="noreferrer" target="_blank">www.linkedin.com/in/miconda</a><br>
Funding: <a href="https://www.paypal.me/dcmierla" rel="noreferrer" target="_blank">https://www.paypal.me/dcmierla</a><br>
<br>
<br>
_______________________________________________<br>
Kamailio (SER) - Users Mailing List<br>
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div>David Cunningham, Voisonics Limited<br><a href="http://voisonics.com/" target="_blank">http://voisonics.com/</a><br>USA: +1 213 221 1092<br>New Zealand: +64 (0)28 2558 3782</div></div></div></div></div></div></div></div></div></div></div>