i tried to register sip-communication over tls, but sr complained about
wrong tls version:
Oct 3 19:29:58 sip /usr/sbin/sip-proxy[31340]: ERROR: tls [tls_server.c:1174]:
tls_read_f(): TLS accept:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
rfc3261 refers to
T. Dierks and C. Allen, “The TLS protocol version 1.0,” RFC 2246,
Internet Engineering Task Force, Jan. 1999.
which is 11 years old and also to
P. Chown, “Advanced encryption standard (AES) ciphersuites for transport
layer security (TLS),” RFC 3268, Internet Engineering Task Force, June
2002.
which is 8 years old. also there is statement
The TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite [26] MUST be supported at a
minimum by implementers when TLS is used in a SIP application. For
purposes of backwards compatibility, proxy servers,
redirect servers, and registrars SHOULD support
TLS_RSA_WITH_3DES_EDE_CBC_SHA. Implementers MAY also support any other
ciphersuite.
how is it possible that sip-communicator that is much newer than those
rfcs, does not support them, but proposes in its client hello SSLv2?
nowhere in rf3261 was i able to find any references to these:
* SSLv3 - only SSLv3 connections are accepted
* SSLv2 - only SSLv2 connections, for old clients. Note: you
shouldn't use SSLv2 for anything which should be highly secure.
how is it possible that they would be ever needed? why don't we have
these kind of problems when accessing web sites? has rfc3261 somehow
got it wrong or what?
also, it was not clear from tls/README that if i set
modparam("tls", "tls_method", "SSLv23")
will it mean that TLSv1 connections (as required by rfc3261) are not
accepted if UA only support TLSv1 and proposes in client hello?
-- juha