[Serusers] TLS comments
Jan Janak
jan at iptel.org
Wed Feb 1 14:43:36 CET 2006
Cesc wrote:
> On 2/1/06, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>> Hi!
>>
>> I've tried the new TLS module:
>>
>> 1. It breaks compatibility with old TLS stack: Even when configured to
>> use TLSv1, it sends an SSLv2 compatible HELLO:
>>
>> server2:~# ssldump
>> New TCP connection #1: 10.10.0.41(33107) <-> 10.10.0.42(5063)
>> 1 1 0.0088 (0.0088) C>S SSLv2 compatible client hello
>> Version 3.1
>>
>>
>> I do not know if this is a problem with the new or the old stack.
>> Further I do not know what other TLS enabled SIP products use. Do they
>> accept SSL compatible HELLOs?
>>
> Klaus, I don't think this is a bug ... I think that the hello is
> always v2 and then (with the server hello message) the handshake is
> upgraded to v3 or tlsv1. This way, you can have an sslv2-only client
> try connecting to any server, but the server will send back sslv3 or
> tlsv1 server hello, thus disconnecting the client.
Yes, I think this is correct. The protocol version should be set to
TLSv1 afterwards, you can test this with @tls.version:

    if (@tls.version == "SSLv2") {
        sl_send_reply("400", "Bad TLS protocol version");
        break;
    }
Jan.
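An added example (not part of the thread, and not code from the SER project) that shows the distinction the thread is making: a ClientHello can use the SSLv2-compatible 2-byte-header framing (what ssldump reports as "SSLv2 compatible client hello") while still advertising protocol version 3.1, which is TLS 1.0. The parser below reads both that framing and the normal TLS record-layer framing, extracts the advertised version, and applies the same policy as the ser.cfg check above: reject a real SSLv2 version, not the v2-compatible framing. The byte strings are constructed for the example, not captured traffic; the cipher spec 0x00002f / 0x002f (TLS_RSA_WITH_AES_128_CBC_SHA) is used only as filler.

```python
# Added example: classify a raw ClientHello by framing and advertised version.
# Layouts follow the SSLv2-compatible hello (RFC 5246, Appendix E.2) and the
# TLS record layer; assumed nothing about SER's own TLS module internals.
import struct

VERSION_NAMES = {
    (0, 2): "SSLv2",
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), "unknown(%d.%d)" % (major, minor))


def parse_client_hello(data):
    """Return {'framing', 'version', 'cipher_count'} for a raw ClientHello.

    Raises ValueError on anything that is not a well-formed hello in either
    the SSLv2-compatible format or the TLS record-layer format.
    """
    if len(data) < 3:
        raise ValueError("too short")
    if data[0] & 0x80:
        # SSLv2-compatible header: high bit set, 15-bit length, no padding,
        # then msg_type 1 (CLIENT-HELLO), version, and three 16-bit lengths.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:
            raise ValueError("not an SSLv2-style CLIENT-HELLO")
        major, minor = body[1], body[2]
        cs_len, sid_len, ch_len = struct.unpack("!HHH", body[3:9])
        if len(body) != 9 + cs_len + sid_len + ch_len or cs_len % 3 != 0:
            raise ValueError("bad SSLv2-style lengths")
        return {"framing": "sslv2-compatible",
                "version": version_name(major, minor),
                "cipher_count": cs_len // 3}   # v2 cipher specs are 3 bytes each
    if data[0] == 0x16:
        # TLS record: type(1) version(2) length(2); handshake: type(1) length(3).
        if len(data) < 9:
            raise ValueError("truncated TLS record")
        rec_len = struct.unpack("!H", data[3:5])[0]
        if rec_len != len(data) - 5:
            raise ValueError("record length mismatch")
        hs = data[5:]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello handshake message")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len or hs_len < 2 + 32 + 1:
            raise ValueError("truncated ClientHello")
        major, minor = body[0], body[1]   # client_version, e.g. 3.1 for TLS 1.0
        pos = 2 + 32                      # skip client_version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if cs_len % 2 != 0 or pos + cs_len > len(body):
            raise ValueError("bad cipher_suites length")
        return {"framing": "tls-record",
                "version": version_name(major, minor),
                "cipher_count": cs_len // 2}   # TLS cipher suites are 2 bytes each
    raise ValueError("unrecognised first byte 0x%02x" % data[0])


def should_reject(hello):
    """Same policy as the ser.cfg snippet: refuse SSLv2 itself, not v2 framing."""
    return hello["version"] == "SSLv2"


# Constructed sample hellos (not captured traffic).
SSLV2_COMPAT_HELLO_TLS10 = (
    b"\x80\x1c"                      # 2-byte header, body length 28
    + b"\x01" + b"\x03\x01"          # CLIENT-HELLO, version 3.1 (TLS 1.0)
    + b"\x00\x03\x00\x00\x00\x10"    # cipher_spec_len=3, session_id_len=0, challenge_len=16
    + b"\x00\x00\x2f"                # one 3-byte cipher spec
    + b"\x00" * 16                   # challenge
)
PURE_SSLV2_HELLO = (
    b"\x80\x1c" + b"\x01" + b"\x00\x02"   # same layout, but version 0.2 = SSLv2
    + b"\x00\x03\x00\x00\x00\x10" + b"\x00\x00\x2f" + b"\x00" * 16
)
TLS_RECORD_HELLO_TLS10 = (
    b"\x16\x03\x01\x00\x2d"          # handshake record, 45 bytes of payload
    + b"\x01\x00\x00\x29"            # ClientHello, 41 bytes
    + b"\x03\x01" + b"\x00" * 32     # client_version 3.1, random
    + b"\x00"                        # empty session id
    + b"\x00\x02\x00\x2f"            # one 2-byte cipher suite
    + b"\x01\x00"                    # compression: null only
)

if __name__ == "__main__":
    for name, raw in [("v2-compatible framing, TLS 1.0", SSLV2_COMPAT_HELLO_TLS10),
                      ("real SSLv2", PURE_SSLV2_HELLO),
                      ("TLS record framing, TLS 1.0", TLS_RECORD_HELLO_TLS10)]:
        h = parse_client_hello(raw)
        print("%-32s %s  reject=%s" % (name, h, should_reject(h)))
```

Run as a script it prints one line per sample; the first sample is the case from Klaus's ssldump output (v2-compatible framing, version 3.1) and is accepted, the second is a genuine SSLv2 hello and is rejected, which is what Cesc's explanation and the @tls.version check together imply.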