[Freeswitch-users] Problems with TLS after upgrading to Buster
Sebastian Kemper
sebastian_ml at gmx.net
Tue Nov 12 21:14:54 UTC 2019
On Tue, Nov 12, 2019 at 09:27:16PM +0100, Sebastian Kemper wrote:
> On Mon, Nov 11, 2019 at 11:21:05PM +0100, Walter Behrend wrote:
> > It seems it does not matter which value I set for "tls_version" - in every
> > case, my TLS enabled port only accepts TLS 1.3 connections. I have the
> > problem that we're also using older phones which only support TLS 1.0.
> >
> > Error message is:
> >
> > tport_tls.c:157 tls_log_errors() TLS setup failed: 14209102:SSL
> > routines:tls_early_post_process_client_hello:unsupported protocol
>
> Works fine here:
>
> 4 0.004770 192.168.0.120 → 192.168.0.1 TLSv1 464 Client Hello
> 6 0.193706 192.168.0.1 → 192.168.0.120 TLSv1.2 1514 Server Hello
> 7 0.193809 192.168.0.1 → 192.168.0.120 TLSv1.2 871 Certificate, Server Key Exchange, Server Hello Done
> 10 0.256056 192.168.0.120 → 192.168.0.1 TLSv1.2 141 Client Key Exchange
> 12 0.269076 192.168.0.120 → 192.168.0.1 TLSv1.2 72 Change Cipher Spec
> 14 0.269344 192.168.0.120 → 192.168.0.1 TLSv1.2 103 Encrypted Handshake Message
>
> With openssl s_client I can also connect with TLS1.0, 1.1, 1.2 and 1.3
> (which suggests that FS isn't using system openssl config).
Actually it doesn't work fine here after all. I had updated
/etc/ssl/openssl.cnf with the Debian changes, but actually
openssl_conf = default_conf
was overwritten by some OpenWrt config snippet later. I amended that and
now when I set tls_version to something specific I get
4 0.010062 192.168.0.120 → 192.168.0.1 TLSv1 464 Client Hello
6 0.010927 192.168.0.1 → 192.168.0.120 TLSv1.2 73 Alert (Level: Fatal, Description: Protocol Version)
and when I leave it unset I get
4 0.009440 192.168.0.120 → 192.168.0.1 TLSv1 464 Client Hello
6 0.010884 192.168.0.1 → 192.168.0.120 TLSv1.2 73 Alert (Level: Fatal, Description: Handshake Failure)
Regards,
Seb
More information about the FreeSWITCH-users
mailing list