Hi Alex and Daniel,

Thanks for that. If we test with -tls1 we get:

Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6063 bytes and written 231 bytes
Verification error: certificate has expired
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 10059472D497ED035E53F0037275430927B06D6023A78C23CDB883503DB912F3
    Session-ID-ctx:
    Master-Key: D4542C9D23589A600554D7F0C552CE784F938341C0AFD61430AB7422CEB77EF05F783E8F787FC5CF66A27B6C996C32D8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 40 82 72 56 a9 78 26 79-03 1e cb 8d 29 dc 8c f8   @.rV.x&y....)...
... etc...

But with -tls1_1 we get:

CONNECTED(00000005)
139645110682048:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 74 bytes and written 133 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
... etc...

So I guess TLS 1.1 is not supported at the moment. In tls.cfg we have "method = TLSv1", but my understanding is that this is the minimum and doesn't prevent using higher versions?

Given that we have the Ubuntu packages for libssl1.1 (version 1.1.1-1ubuntu2.1~18.04) and libssl-dev (version 1.1.1-1ubuntu2.1~18.04) installed, does anyone know what else we need to get TLS 1.1 working?

Thanks in advance!



On Wed, 12 Aug 2020 at 20:08, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
Hello,

for sure you can test if a specific tls version is supported, like:

openssl s_client -tls1_3 ...

In Kamailio one can restrict what tls versions to enable/allow via
modparam or tls.cfg, but the support of tls versions is coming from
libssl, so it is a matter of what libssl version is used and the distro
(as I noticed some distros package libssl with older protocols disabled).

Cheers,
Daniel

On 12.08.20 04:01, Alex Balashov wrote:
> Hi,
>
> Are you looking for a way that does not require access to the Kamailio
> config?
>
> If so, does `openssl s_client $HOST:5061` not show this, e.g. with
> verbosity?
>
>
> On 8/11/20 9:44 PM, David Cunningham wrote:
>> Hello,
>>
>> Does anyone know of a method to check what TLS versions are available
>> from Kamailio for clients to use? For example, is TLS 1.0 available,
>> TLS 1.1, etc.
>>
>> Thanks in advance,
>>
>> -- 
>> David Cunningham, Voisonics Limited
>> http://voisonics.com/
>> USA: +1 213 221 1092
>> New Zealand: +64 (0)28 2558 3782
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users@lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>
> -- 
> Alex Balashov | Principal | Evariste Systems LLC
>
> Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
> Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla


_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
New Zealand: +64 (0)28 2558 3782