[Freeswitch-users] Problems with TLS after upgrading to Buster

Sebastian Kemper sebastian_ml at gmx.net
Tue Nov 12 20:27:16 UTC 2019 

On Mon, Nov 11, 2019 at 11:21:05PM +0100, Walter Behrend wrote:
> Hello there,

Hi Walter,

> I upgraded to buster and here my problems started. Seems the gentls_cert
> only creates SHA1 (CA)Certificates - so freeswitch started with openssl
> error messages "md too weak". Tried at first to bypass this error by setting
> the tls_ciphers to "DEFAULT:@SECLEVEL=0" but this error still occured.

I don't have Debian, I got OpenWrt with openssl 1.1.1d and FS 1.10.1.
Updated /etc/ssl/openssl.cnf like this:

https://sources.debian.org/src/openssl/1.1.1c-1/debian/patches/Set-systemwide-default-settings-for-libssl-users.patch/

I also used gentls_cert to create CA & server cert. But I don't get "md
too weak" when starting FS.

> So as a consequence, I modified the gentls_cert script and replaced
> everywhere the parameter -sha1 with -sha256. This error disappeared now, but
> the next one is coming up.
>
> It seems it does not matter which value I set for "tls_version" - in every
> case, my TLS enabled port only accepts TLS 1.3 connections. I have the
> problem that we're also using older phones which only support TLS 1.0.
>
> Error message is:
>
> tport_tls.c:157 tls_log_errors() TLS setup failed: 14209102:SSL
> routines:tls_early_post_process_client_hello:unsupported protocol

Works fine here:

    4   0.004770 192.168.0.120 → 192.168.0.1  TLSv1 464 Client Hello
    6   0.193706  192.168.0.1 → 192.168.0.120 TLSv1.2 1514 Server Hello
    7   0.193809  192.168.0.1 → 192.168.0.120 TLSv1.2 871 Certificate, Server Key Exchange, Server Hello Done
   10   0.256056 192.168.0.120 → 192.168.0.1  TLSv1.2 141 Client Key Exchange
   12   0.269076 192.168.0.120 → 192.168.0.1  TLSv1.2 72 Change Cipher Spec
   14   0.269344 192.168.0.120 → 192.168.0.1  TLSv1.2 103 Encrypted Handshake Message

With openssl s_client I can also connect with TLS1.0, 1.1, 1.2 and 1.3
(which suggests that FS isn't using system openssl config).

> Any idea about this? setting tls_version to tlsv1,tlsv1.1,tlsv1.2 does
> not change anything. Also setting the value just to tlsv1 does not
> help, I verified this with the phones AND with openssl s_client. Still
> only TLS 1.3 gives results here.

The only way to reproduce your result was to set tls-version to tls1_3.
When you grep your FS log for tls-version, do you see
"tlsv1,tlsv1.1,tlsv1.2" or "tlsv1_3"?

Regards,
Seb

More information about the FreeSWITCH-users mailing list