[SR-Users] How to check TLS versions available

David Cunningham dcunningham at voisonics.com
Fri Aug 14 23:48:18 CEST 2020 

Hi Henning, thanks for that. Somehow I misread the docs before.


On Fri, 14 Aug 2020 at 23:17, Henning Westerholt <hw at skalatan.de> wrote:

> Hello,
>
>
>
> try "method = TLSv1+“ in the tls.cfg of Kamailio, as mentioned in the
> module docs.
>
>
>
> Cheers,
>
>
>
> Henning
>
>
>
> --
>
> Henning Westerholt – https://skalatan.de/blog/
>
> Kamailio services – https://gilawa.com
>
>
>
> *From:* sr-users <sr-users-bounces at lists.kamailio.org> *On Behalf Of *David
> Cunningham
> *Sent:* Thursday, August 13, 2020 3:25 AM
> *To:* Daniel-Constantin Mierla <miconda at gmail.com>; Kamailio (SER) -
> Users Mailing List <sr-users at lists.kamailio.org>
> *Subject:* Re: [SR-Users] How to check TLS versions available
>
>
>
> Hi Alex and Daniel,
>
>
>
> Thanks for that. If we test with -tls1 we get:
>
>
>
> Peer signing digest: MD5-SHA1
> Peer signature type: RSA
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 6063 bytes and written 231 bytes
> Verification error: certificate has expired
> ---
> New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : ECDHE-RSA-AES256-SHA
>     Session-ID:
> 10059472D497ED035E53F0037275430927B06D6023A78C23CDB883503DB912F3
>     Session-ID-ctx:
>     Master-Key:
> D4542C9D23589A600554D7F0C552CE784F938341C0AFD61430AB7422CEB77EF05F783E8F787FC5CF66A27B6C996C32D8
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - 40 82 72 56 a9 78 26 79-03 1e cb 8d 29 dc 8c f8
> @.rV.x&y....)...
>
> ... etc...
>
>
>
> But with -tls1_1 we get:
>
>
>
> CONNECTED(00000005)
> 139645110682048:error:1425F102:SSL
> routines:ssl_choose_client_version:unsupported
> protocol:../ssl/statem/statem_lib.c:1907:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 74 bytes and written 133 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.1
>
> ... etc...
>
>
>
> So I guess TLS 1.1 is not supported at the moment. In tls.cfg we have
> "method = TLSv1", but my understanding is that this is the minimum and
> doesn't prevent using higher versions?
>
>
>
> Given that we have the Ubuntu packages for libssl1.1 (version
> 1.1.1-1ubuntu2.1~18.04) and libssl-dev (version 1.1.1-1ubuntu2.1~18.04)
> installed, does anyone know what else we need to get TLS 1.1 working?
>
>
>
> Thanks in advance!
>
>
>
>
>
>
>
> On Wed, 12 Aug 2020 at 20:08, Daniel-Constantin Mierla <miconda at gmail.com>
> wrote:
>
> Hello,
>
> for sure you can test if a specific tls version is supported, like:
>
> openssl s_client -tls1_3 ...
>
> In Kamailio one can restrict what tls versions to enable/allow via
> modparam or tls.cfg, but the support of tls versions is coming from
> libssl, so it is a matter of what libssl version is used and the distro
> (as I noticed some distros package libssl with older protocols disabled).
>
> Cheers,
> Daniel
>
> On 12.08.20 04:01, Alex Balashov wrote:
> > Hi,
> >
> > Are you looking for a way that does not require access to the Kamailio
> > config?
> >
> > If so, does `openssl s_client $HOST:5061` not show this, e.g. with
> > verbosity?
> >
> >
> > On 8/11/20 9:44 PM, David Cunningham wrote:
> >> Hello,
> >>
> >> Does anyone know of a method to check what TLS versions are available
> >> from Kamailio for clients to use? For example, is TLS 1.0 available,
> >> TLS 1.1, etc.
> >>
> >> Thanks in advance,
> >>
> >> --
> >> David Cunningham, Voisonics Limited
> >> http://voisonics.com/
> >> USA: +1 213 221 1092
> >> New Zealand: +64 (0)28 2558 3782
> >>
> >> _______________________________________________
> >> Kamailio (SER) - Users Mailing List
> >> sr-users at lists.kamailio.org
> >> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> >>
> >
> > --
> > Alex Balashov | Principal | Evariste Systems LLC
> >
> > Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
> > Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
> >
> > _______________________________________________
> > Kamailio (SER) - Users Mailing List
> > sr-users at lists.kamailio.org
> > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Funding: https://www.paypal.me/dcmierla
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>
>
> --
>
> David Cunningham, Voisonics Limited
> http://voisonics.com/
> USA: +1 213 221 1092
> New Zealand: +64 (0)28 2558 3782
>


-- 
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
New Zealand: +64 (0)28 2558 3782
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20200815/6f90f41e/attachment.htm>

More information about the sr-users mailing list