[Freeswitch-users] Problems with TLS after upgrading to Buster
Walter Behrend
info at behrend-cs.de
Mon Nov 11 22:21:05 UTC 2019
Hello there,
hope someone else also had the problem - and found a solution for it.
My "internal" profile has TLS enabled with tlsv1, 1.1 and 1.2 - this worked
like a charm on stretch. I'm using the freeswitch-repos.
I upgraded to buster and here my problems started. Seems the gentls_cert
only creates SHA1 (CA)Certificates - so freeswitch started with openssl
error messages "md too weak". Tried at first to bypass this error by setting
the tls_ciphers to "DEFAULT:@SECLEVEL=0" but this error still occurred.
So as a consequence, I modified the gentls_cert script and replaced
everywhere the parameter -sha1 with -sha256. This error disappeared now, but
the next one is coming up.
It seems it does not matter which value I set for "tls_version" - in every
case, my TLS enabled port only accepts TLS 1.3 connections. I have the
problem that we're also using older phones which only support TLS 1.0.
Error message is:
tport_tls.c:157 tls_log_errors() TLS setup failed: 14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol
I tried with openssl s_client and the parameters -tls1 -tls1_1 and so on -
it really only worked for -tls1_3
Any idea about this? setting tls_version to tlsv1,tlsv1.1,tlsv1.2 does not
change anything. Also setting the value just to tlsv1 does not help, I
verified this with the phones AND with openssl s_client. Still only TLS 1.3
gives results here.
Thanks in advance...
BR
Walter
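
The error line quoted in the message above can be decoded and tallied from a log. This is an added example, not part of the original post or of FreeSWITCH. It assumes the OpenSSL 1.1.x packed error layout (8 bits library, 12 bits function, 12 bits reason), and the sample log and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log. Line 1 is the error quoted in the post (unwrapped);
# the remaining lines are made up for illustration.
SAMPLE_LOG = """\
tport_tls.c:157 tls_log_errors() TLS setup failed: 14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
tport_tls.c:157 tls_log_errors() TLS setup failed: 14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
tport_tls.c:157 tls_log_errors() TLS setup failed: 1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
some unrelated log line
"""

ERR_RE = re.compile(
    r"tls_log_errors\(\) [^:]+: (?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)


def decode_packed(code_hex):
    """Split an OpenSSL 1.1.x packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    # Assumed 1.1.x layout: 8 bits library, 12 bits function, 12 bits reason.
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_tls_errors(log_text):
    """Return one dict per tls_log_errors() line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m is None:
            continue
        lib, func, reason = decode_packed(m["code"])
        events.append({"lib": lib, "func": func, "func_name": m["func"],
                       "reason": reason, "reason_text": m["reason"].strip()})
    return events


def count_by_reason(log_text):
    """Tally failed handshakes per reason, to size the legacy-client problem."""
    return Counter(e["reason_text"] for e in parse_tls_errors(log_text))


if __name__ == "__main__":
    for reason, n in count_by_reason(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {reason}")
```

Reason 258 raised from tls_early_post_process_client_hello means the server refused the protocol version the client offered, which is a different failure from a cipher mismatch such as "no shared cipher".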