[sr-dev] about tls_method

Sun Oct 3 22:53:21 CEST 2010

Juha,

On Sun, Oct 3, 2010 at 1:06 PM, Juha Heinanen <jh at tutpro.com> wrote:
> i tried to register sip-communication over tls, but sr complained about
> wrong tls version:
>
> Oct  3 19:29:58 sip /usr/sbin/sip-proxy[31340]: ERROR: tls [tls_server.c:1174]: tls_read_f(): TLS accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> rfc3261 refers to
>
> T. Dierks and C. Allen, “The TLS protocol version 1.0,” RFC 2246,
> Internet Engineering Task Force, Jan. 1999.
>
> which is 11 years old and also to
>
> P. Chown, “Advanced encryption standard (AES) ciphersuites for transport
> layer security (TLS),” RFC 3268, Internet Engineering Task Force, June
> 2002.
>
> which is 8 years old.  also there is statement
>
> The TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite [26] MUST be supported at a
> minimum by implementers when TLS is used in a SIP application. For
> purposes of backwards compatibility, proxy servers,
> redirect servers, and registrars SHOULD support
> TLS_RSA_WITH_3DES_EDE_CBC_SHA. Implementers MAY also support any other
> ciphersuite.
>
> how is it possible that sip-communicator that is much newer than those
> rfcs, does not support them, but proposes in its client hello SSLv2?

If sip-communicator uses openssl then it should also support SSLv23
and TLSv1. It maybe be configured to use the SSLv23 mode by default
which should theoretically provide the best compatibility with other
implementations because it supports all other protocols (TLSv1, SSLv3,
SSLv2).

In SSLv23 the client is supposed to send the initial hello in SSLv2
for compatibility reasons.

If you configured your server to use TLSv1 then it will accept TLSv1
hellos only and the SSLv2 hello won't be accepted.

Note that although TLSv1 is required by RFC3261, in practise I have
seen most implementations using SSLv23 by default.

> nowhere in rf3261 was i able to find any references to these:
>
>     * SSLv3 - only SSLv3 connections are accepted
>     * SSLv2 - only SSLv2 connections, for old clients. Note: you
>       shouldn't use SSLv2 for anything which should be highly secure.
>
> how is it possible that they would be ever needed?  why don't we have
> these kind of problems when accessing web sites?  has rfc3261 somehow
> got it wrong or what?

For clients that use OpenSSL these are rarely needed. There are,
however, clients that do not use OpenSSL for crypto (mostly due to
licensing reasons) and for such clients you might need these options
if they do not support TLSv1.

We don't experience these problems with websites becuase they are
mostly using SSLv23 by default (as far as I can tell) and all the
browsers use OpenSSL for crypto.

> also, it was not clear from tls/README that if i set
>
>      modparam("tls", "tls_method", "SSLv23")
>
> will it mean that TLSv1 connections (as required by rfc3261) are not
> accepted if UA only support TLSv1 and proposes in client hello?

Yes. But if the client is configured to use SSLv23, they could
exchange the initial hellos in SSLv2 and then upgrade to TLSv1.

Although RFC3261 requires TLSv1, it is not clear to me whether they
mean that TLSv1 connections should be used from start or if upgrading
to TLSv1 after the initial hello in SSLv2 is also considered
compliant.

-Jan