Hello,

 

try "method = TLSv1+“ in the tls.cfg of Kamailio, as mentioned in the module docs.

 

Cheers,

 

Henning

 

--

Henning Westerholt – https://skalatan.de/blog/

Kamailio services – https://gilawa.com

 

From: sr-users <sr-users-bounces@lists.kamailio.org> On Behalf Of David Cunningham
Sent: Thursday, August 13, 2020 3:25 AM
To: Daniel-Constantin Mierla <miconda@gmail.com>; Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: Re: [SR-Users] How to check TLS versions available

 

Hi Alex and Daniel,

 

Thanks for that. If we test with -tls1 we get:

 

Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6063 bytes and written 231 bytes
Verification error: certificate has expired
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 10059472D497ED035E53F0037275430927B06D6023A78C23CDB883503DB912F3
    Session-ID-ctx:
    Master-Key: D4542C9D23589A600554D7F0C552CE784F938341C0AFD61430AB7422CEB77EF05F783E8F787FC5CF66A27B6C996C32D8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 40 82 72 56 a9 78 26 79-03 1e cb 8d 29 dc 8c f8   @.rV.x&y....)...

... etc...

 

But with -tls1_1 we get:

 

CONNECTED(00000005)
139645110682048:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 74 bytes and written 133 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1

... etc...

 

So I guess TLS 1.1 is not supported at the moment. In tls.cfg we have "method = TLSv1", but my understanding is that this is the minimum and doesn't prevent using higher versions?

 

Given that we have the Ubuntu packages for libssl1.1 (version 1.1.1-1ubuntu2.1~18.04) and libssl-dev (version 1.1.1-1ubuntu2.1~18.04) installed, does anyone know what else we need to get TLS 1.1 working?

 

Thanks in advance!

 

 

 

On Wed, 12 Aug 2020 at 20:08, Daniel-Constantin Mierla <miconda@gmail.com> wrote:

Hello,

for sure you can test if a specific tls version is supported, like:

openssl s_client -tls1_3 ...

In Kamailio one can restrict what tls versions to enable/allow via
modparam or tls.cfg, but the support of tls versions is coming from
libssl, so it is a matter of what libssl version is used and the distro
(as I noticed some distros package libssl with older protocols disabled).

Cheers,
Daniel

On 12.08.20 04:01, Alex Balashov wrote:
> Hi,
>
> Are you looking for a way that does not require access to the Kamailio
> config?
>
> If so, does `openssl s_client $HOST:5061` not show this, e.g. with
> verbosity?
>
>
> On 8/11/20 9:44 PM, David Cunningham wrote:
>> Hello,
>>
>> Does anyone know of a method to check what TLS versions are available
>> from Kamailio for clients to use? For example, is TLS 1.0 available,
>> TLS 1.1, etc.
>>
>> Thanks in advance,
>>
>> -- 
>> David Cunningham, Voisonics Limited
>> http://voisonics.com/
>> USA: +1 213 221 1092
>> New Zealand: +64 (0)28 2558 3782
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users@lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>
> -- 
> Alex Balashov | Principal | Evariste Systems LLC
>
> Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
> Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users@lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla


_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users



--

David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
New Zealand: +64 (0)28 2558 3782