How to check TLS versions available - sr-users - kamailio.org

List overview All Threads
Download

How to check TLS versions available

Can the callid be modified/mapped...

Segfault starting kamailio,...

David Cunningham

12 Aug 2020 12 Aug '20

4:44 a.m.

Hello, Does anyone know of a method to check what TLS versions are available from Kamailio for clients to use? For example, is TLS 1.0 available, TLS 1.1, etc. Thanks in advance, -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782

Attachments:

attachment.html (text/html — 701 bytes)

Reply

Show replies by date

Alex Balashov

12 Aug 12 Aug

5:01 a.m.

Hi, Are you looking for a way that does not require access to the Kamailio config? If so, does `openssl s_client $HOST:5061` not show this, e.g. with verbosity? On 8/11/20 9:44 PM, David Cunningham wrote:

Hello, Does anyone know of a method to check what TLS versions are available from Kamailio for clients to use? For example, is TLS 1.0 available, TLS 1.1, etc. Thanks in advance, -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782 _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- Alex Balashov | Principal | Evariste Systems LLC Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) Web: http://www.evaristesys.com/, http://www.csrpswitch.com/

Reply

Daniel-Constantin Mierla

10:43 a.m.

Hello, for sure you can test if a specific tls version is supported, like: openssl s_client -tls1_3 ... In Kamailio one can restrict what tls versions to enable/allow via modparam or tls.cfg, but the support of tls versions is coming from libssl, so it is a matter of what libssl version is used and the distro (as I noticed some distros package libssl with older protocols disabled). Cheers, Daniel On 12.08.20 04:01, Alex Balashov wrote:

Hi, Are you looking for a way that does not require access to the Kamailio config? If so, does `openssl s_client $HOST:5061` not show this, e.g. with verbosity? On 8/11/20 9:44 PM, David Cunningham wrote:

Hello, Does anyone know of a method to check what TLS versions are available from Kamailio for clients to use? For example, is TLS 1.0 available, TLS 1.1, etc. Thanks in advance, -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782 _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- Alex Balashov | Principal | Evariste Systems LLC Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) Web: http://www.evaristesys.com/, http://www.csrpswitch.com/ _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- www.linkedin.com/in/miconda Funding: https://www.paypal.me/dcmierla

Reply

David Cunningham

13 Aug 13 Aug

4:25 a.m.

Hi Alex and Daniel, Thanks for that. If we test with -tls1 we get: Peer signing digest: MD5-SHA1 Peer signature type: RSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 6063 bytes and written 231 bytes Verification error: certificate has expired --- New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1 Cipher : ECDHE-RSA-AES256-SHA Session-ID: 10059472D497ED035E53F0037275430927B06D6023A78C23CDB883503DB912F3 Session-ID-ctx: Master-Key: D4542C9D23589A600554D7F0C552CE784F938341C0AFD61430AB7422CEB77EF05F783E8F787FC5CF66A27B6C996C32D8 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 40 82 72 56 a9 78 26 79-03 1e cb 8d 29 dc 8c f8 @.rV.x&y....)... ... etc... But with -tls1_1 we get: CONNECTED(00000005) 139645110682048:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 74 bytes and written 133 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.1 ... etc... So I guess TLS 1.1 is not supported at the moment. In tls.cfg we have "method = TLSv1", but my understanding is that this is the minimum and doesn't prevent using higher versions? Given that we have the Ubuntu packages for libssl1.1 (version 1.1.1-1ubuntu2.1~18.04) and libssl-dev (version 1.1.1-1ubuntu2.1~18.04) installed, does anyone know what else we need to get TLS 1.1 working? Thanks in advance! On Wed, 12 Aug 2020 at 20:08, Daniel-Constantin Mierla <miconda(a)gmail.com> wrote:

Hello, for sure you can test if a specific tls version is supported, like: openssl s_client -tls1_3 ... In Kamailio one can restrict what tls versions to enable/allow via modparam or tls.cfg, but the support of tls versions is coming from libssl, so it is a matter of what libssl version is used and the distro (as I noticed some distros package libssl with older protocols disabled). Cheers, Daniel On 12.08.20 04:01, Alex Balashov wrote:

Hi, Are you looking for a way that does not require access to the Kamailio config? If so, does `openssl s_client $HOST:5061` not show this, e.g. with verbosity? On 8/11/20 9:44 PM, David Cunningham wrote:

Hello, Does anyone know of a method to check what TLS versions are available from Kamailio for clients to use? For example, is TLS 1.0 available, TLS 1.1, etc. Thanks in advance, -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782 _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- Alex Balashov | Principal | Evariste Systems LLC Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) Web: http://www.evaristesys.com/, http://www.csrpswitch.com/ _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- www.linkedin.com/in/miconda Funding: https://www.paypal.me/dcmierla _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782

Reply

Henning Westerholt

14 Aug 14 Aug

2:17 p.m.

Hello, try "method = TLSv1+“ in the tls.cfg of Kamailio, as mentioned in the module docs. Cheers, Henning -- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com<https://gilawa.com/> From: sr-users <sr-users-bounces(a)lists.kamailio.org> On Behalf Of David Cunningham Sent: Thursday, August 13, 2020 3:25 AM To: Daniel-Constantin Mierla <miconda(a)gmail.com>om>; Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org> Subject: Re: [SR-Users] How to check TLS versions available Hi Alex and Daniel, Thanks for that. If we test with -tls1 we get: Peer signing digest: MD5-SHA1 Peer signature type: RSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 6063 bytes and written 231 bytes Verification error: certificate has expired --- New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1 Cipher : ECDHE-RSA-AES256-SHA Session-ID: 10059472D497ED035E53F0037275430927B06D6023A78C23CDB883503DB912F3 Session-ID-ctx: Master-Key: D4542C9D23589A600554D7F0C552CE784F938341C0AFD61430AB7422CEB77EF05F783E8F787FC5CF66A27B6C996C32D8 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 40 82 72 56 a9 78 26 79-03 1e cb 8d 29 dc 8c f8 @.rV.x&y....)... ... etc... But with -tls1_1 we get: CONNECTED(00000005) 139645110682048:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 74 bytes and written 133 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.1 ... etc... So I guess TLS 1.1 is not supported at the moment. In tls.cfg we have "method = TLSv1", but my understanding is that this is the minimum and doesn't prevent using higher versions? Given that we have the Ubuntu packages for libssl1.1 (version 1.1.1-1ubuntu2.1~18.04) and libssl-dev (version 1.1.1-1ubuntu2.1~18.04) installed, does anyone know what else we need to get TLS 1.1 working? Thanks in advance! On Wed, 12 Aug 2020 at 20:08, Daniel-Constantin Mierla <miconda@gmail.com<mailto:miconda@gmail.com>> wrote: Hello, for sure you can test if a specific tls version is supported, like: openssl s_client -tls1_3 ... In Kamailio one can restrict what tls versions to enable/allow via modparam or tls.cfg, but the support of tls versions is coming from libssl, so it is a matter of what libssl version is used and the distro (as I noticed some distros package libssl with older protocols disabled). Cheers, Daniel On 12.08.20 04:01, Alex Balashov wrote:

Hi, Are you looking for a way that does not require access to the Kamailio config? If so, does `openssl s_client $HOST:5061` not show this, e.g. with verbosity? On 8/11/20 9:44 PM, David Cunningham wrote:

Hello, Does anyone know of a method to check what TLS versions are available from Kamailio for clients to use? For example, is TLS 1.0 available, TLS 1.1, etc. Thanks in advance, -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782 _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- Alex Balashov | Principal | Evariste Systems LLC Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) Web: http://www.evaristesys.com/, http://www.csrpswitch.com/ _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- Daniel-Constantin Mierla -- www.asipto.com<http://www.asipto.com> www.twitter.com/miconda<http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda<http://www.linkedin.com/in/miconda> Funding: https://www.paypal.me/dcmierla _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org<mailto:sr-users@lists.kamailio.org> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782

Reply

David Cunningham

15 Aug 15 Aug

12:48 a.m.

Hi Henning, thanks for that. Somehow I misread the docs before. On Fri, 14 Aug 2020 at 23:17, Henning Westerholt <hw(a)skalatan.de> wrote:

Hello, try "method = TLSv1+“ in the tls.cfg of Kamailio, as mentioned in the module docs. Cheers, Henning -- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com *From:* sr-users <sr-users-bounces(a)lists.kamailio.org> *On Behalf Of *David Cunningham *Sent:* Thursday, August 13, 2020 3:25 AM *To:* Daniel-Constantin Mierla <miconda(a)gmail.com>om>; Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org> *Subject:* Re: [SR-Users] How to check TLS versions available Hi Alex and Daniel, Thanks for that. If we test with -tls1 we get: Peer signing digest: MD5-SHA1 Peer signature type: RSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 6063 bytes and written 231 bytes Verification error: certificate has expired --- New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1 Cipher : ECDHE-RSA-AES256-SHA Session-ID: 10059472D497ED035E53F0037275430927B06D6023A78C23CDB883503DB912F3 Session-ID-ctx: Master-Key: D4542C9D23589A600554D7F0C552CE784F938341C0AFD61430AB7422CEB77EF05F783E8F787FC5CF66A27B6C996C32D8 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 40 82 72 56 a9 78 26 79-03 1e cb 8d 29 dc 8c f8 @.rV.x&y....)... ... etc... But with -tls1_1 we get: CONNECTED(00000005) 139645110682048:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 74 bytes and written 133 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.1 ... etc... So I guess TLS 1.1 is not supported at the moment. In tls.cfg we have "method = TLSv1", but my understanding is that this is the minimum and doesn't prevent using higher versions? Given that we have the Ubuntu packages for libssl1.1 (version 1.1.1-1ubuntu2.1~18.04) and libssl-dev (version 1.1.1-1ubuntu2.1~18.04) installed, does anyone know what else we need to get TLS 1.1 working? Thanks in advance! On Wed, 12 Aug 2020 at 20:08, Daniel-Constantin Mierla <miconda(a)gmail.com> wrote: Hello, for sure you can test if a specific tls version is supported, like: openssl s_client -tls1_3 ... In Kamailio one can restrict what tls versions to enable/allow via modparam or tls.cfg, but the support of tls versions is coming from libssl, so it is a matter of what libssl version is used and the distro (as I noticed some distros package libssl with older protocols disabled). Cheers, Daniel On 12.08.20 04:01, Alex Balashov wrote:

Hi, Are you looking for a way that does not require access to the Kamailio config? If so, does `openssl s_client $HOST:5061` not show this, e.g. with verbosity? On 8/11/20 9:44 PM, David Cunningham wrote:

Hello, Does anyone know of a method to check what TLS versions are available from Kamailio for clients to use? For example, is TLS 1.0 available, TLS 1.1, etc. Thanks in advance, -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782 _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- Alex Balashov | Principal | Evariste Systems LLC Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) Web: http://www.evaristesys.com/, http://www.csrpswitch.com/ _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- www.linkedin.com/in/miconda Funding: https://www.paypal.me/dcmierla _______________________________________________ Kamailio (SER) - Users Mailing List sr-users(a)lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782

-- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782

Reply

1561

days inactive

1563

days old

sr-users@lists.kamailio.org

Manage subscription

5 comments

4 participants

tags (0)

participants (4)

Alex Balashov
Daniel-Constantin Mierla
David Cunningham
Henning Westerholt