[SR-Users] How to check TLS versions available
David Cunningham
dcunningham at voisonics.com
Thu Aug 13 03:25:02 CEST 2020
Hi Alex and Daniel,
Thanks for that. If we test with -tls1 we get:
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6063 bytes and written 231 bytes
Verification error: certificate has expired
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID:
10059472D497ED035E53F0037275430927B06D6023A78C23CDB883503DB912F3
Session-ID-ctx:
Master-Key:
D4542C9D23589A600554D7F0C552CE784F938341C0AFD61430AB7422CEB77EF05F783E8F787FC5CF66A27B6C996C32D8
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 40 82 72 56 a9 78 26 79-03 1e cb 8d 29 dc 8c f8
@.rV.x&y....)...
... etc...
But with -tls1_1 we get:
CONNECTED(00000005)
139645110682048:error:1425F102:SSL
routines:ssl_choose_client_version:unsupported
protocol:../ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 74 bytes and written 133 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
... etc...
So I guess TLS 1.1 is not supported at the moment. In tls.cfg we have
"method = TLSv1", but my understanding is that this is the minimum and
doesn't prevent using higher versions?
Given that we have the Ubuntu packages for libssl1.1 (version
1.1.1-1ubuntu2.1~18.04) and libssl-dev (version 1.1.1-1ubuntu2.1~18.04)
installed, does anyone know what else we need to get TLS 1.1 working?
Thanks in advance!
On Wed, 12 Aug 2020 at 20:08, Daniel-Constantin Mierla <miconda at gmail.com>
wrote:
> Hello,
>
> for sure you can test if a specific tls version is supported, like:
>
> openssl s_client -tls1_3 ...
>
> In Kamailio one can restrict what tls versions to enable/allow via
> modparam or tls.cfg, but the support of tls versions is coming from
> libssl, so it is a matter of what libssl version is used and the distro
> (as I noticed some distros package libssl with older protocols disabled).
>
> Cheers,
> Daniel
>
> On 12.08.20 04:01, Alex Balashov wrote:
> > Hi,
> >
> > Are you looking for a way that does not require access to the Kamailio
> > config?
> >
> > If so, does `openssl s_client $HOST:5061` not show this, e.g. with
> > verbosity?
> >
> >
> > On 8/11/20 9:44 PM, David Cunningham wrote:
> >> Hello,
> >>
> >> Does anyone know of a method to check what TLS versions are available
> >> from Kamailio for clients to use? For example, is TLS 1.0 available,
> >> TLS 1.1, etc.
> >>
> >> Thanks in advance,
> >>
> >> --
> >> David Cunningham, Voisonics Limited
> >> http://voisonics.com/
> >> USA: +1 213 221 1092
> >> New Zealand: +64 (0)28 2558 3782
> >>
> >> _______________________________________________
> >> Kamailio (SER) - Users Mailing List
> >> sr-users at lists.kamailio.org
> >> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> >>
> >
> > --
> > Alex Balashov | Principal | Evariste Systems LLC
> >
> > Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
> > Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
> >
> > _______________________________________________
> > Kamailio (SER) - Users Mailing List
> > sr-users at lists.kamailio.org
> > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Funding: https://www.paypal.me/dcmierla
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
New Zealand: +64 (0)28 2558 3782
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20200813/d2cc439e/attachment.htm>
More information about the sr-users
mailing list