[Freeswitch-users] Problems with TLS after upgrading to Buster
Walter Behrend
info at behrend-cs.de
Tue Nov 12 21:36:46 UTC 2019
Hi Seb + list,
I think I solved my problem. Thanks to your hint regarding openssl.cnf. I don't know what happened, but as soon as I changed the MinProtocol parameter there to TLSv1 and restarted freeswitch, everything went smoothly. Unfortunately, I do not remember if the value was TLSv1.3 or TLSv1.2 previously; I can just tell you it never accepted anything below TLS 1.3.
Looks now this way:
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=2
Everything else is like shown in your link to the diff.
Now everything >= TLS 1.0 is accepted.
Thank you so much!
Cheers,
Walter
On Tue, Nov 12, 2019 at 09:27:16PM +0100, Sebastian Kemper wrote:
> On Mon, Nov 11, 2019 at 11:21:05PM +0100, Walter Behrend wrote:
> > It seems it does not matter which value I set for "tls_version" - in
> > every case, my TLS enabled port only accepts TLS 1.3 connections. I
> > have the problem that we're also using older phones which only support TLS 1.0.
> >
> > Error message is:
> >
> > tport_tls.c:157 tls_log_errors() TLS setup failed: 14209102:SSL
> > routines:tls_early_post_process_client_hello:unsupported protocol
>
> Works fine here:
>
> 4 0.004770 192.168.0.120 → 192.168.0.1 TLSv1 464 Client Hello
> 6 0.193706 192.168.0.1 → 192.168.0.120 TLSv1.2 1514 Server Hello
> 7 0.193809 192.168.0.1 → 192.168.0.120 TLSv1.2 871 Certificate, Server Key Exchange, Server Hello Done
> 10 0.256056 192.168.0.120 → 192.168.0.1 TLSv1.2 141 Client Key Exchange
> 12 0.269076 192.168.0.120 → 192.168.0.1 TLSv1.2 72 Change Cipher Spec
> 14 0.269344 192.168.0.120 → 192.168.0.1 TLSv1.2 103 Encrypted Handshake Message
>
> With openssl s_client I can also connect with TLS1.0, 1.1, 1.2 and 1.3
> (which suggests that FS isn't using system openssl config).
> Actually it doesn't work fine here after all. I had updated /etc/ssl/openssl.cnf with the Debian changes, but actually
> openssl_conf = default_conf
> was overwritten by some OpenWrt config snippet later. I amended that and now when I set tls_version to something specific I get
> 4 0.010062 192.168.0.120 → 192.168.0.1 TLSv1 464 Client Hello
> 6 0.010927 192.168.0.1 → 192.168.0.120 TLSv1.2 73 Alert (Level: Fatal, Description: Protocol Version)
> and when I leave it unset I get
> 4 0.009440 192.168.0.120 → 192.168.0.1 TLSv1 464 Client Hello
> 6 0.010884 192.168.0.1 → 192.168.0.120 TLSv1.2 73 Alert (Level: Fatal, Description: Handshake Failure)
> Regards,
> Seb
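An added example, not from the thread or from the FreeSWITCH or OpenSSL projects: a small Python reader that follows the openssl_conf -> ssl_conf -> system_default chain in an openssl.cnf and reports the effective MinProtocol, so both Walter's MinProtocol change and Seb's overwritten openssl_conf can be checked offline. The three configurations are constructed, and accepts() is a simplified model of the version floor, not OpenSSL's own check.

```python
import re
# Constructed openssl.cnf excerpts (not from any real host): the Debian Buster default;
# Walter's amended MinProtocol; and Seb's case, a later snippet re-assigning openssl_conf
# so the ssl_conf/system_default chain is never reached.
BUSTER_DEFAULT = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""
WALTER_FIX = BUSTER_DEFAULT.replace("MinProtocol = TLSv1.2", "MinProtocol = TLSv1")
OVERWRITTEN = BUSTER_DEFAULT.replace("[default_conf]",
    "openssl_conf = openssl_init  # appended snippet\n[openssl_init]\n[default_conf]")
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_cnf(text):
    """Minimal reader for OpenSSL's CONF format ('[section]', 'key = value', '#' comments).
    Keys before any header go to section ''. A repeated key replaces the earlier value,
    which is how a later snippet silently overrides openssl_conf."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def effective_ssl_defaults(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return (MinProtocol,
    CipherString), or (None, None) when the chain is broken."""
    s = parse_cnf(text)
    init = s[""].get("openssl_conf")
    ssl_sect = s.get(init, {}).get("ssl_conf") if init else None
    sysdef = s.get(ssl_sect, {}).get("system_default") if ssl_sect else None
    if not sysdef or sysdef not in s:
        return None, None
    return s[sysdef].get("MinProtocol"), s[sysdef].get("CipherString")

def accepts(min_protocol, client_version):
    """True if a ClientHello at client_version clears the floor; None = no floor from the config."""
    return min_protocol is None or VERSIONS.index(client_version) >= VERSIONS.index(min_protocol)
```

MinProtocol in system_default_sect is a floor for every application that loads the system OpenSSL config, not only FreeSWITCH, so lowering it to TLSv1 for the old phones also lowers it for everything else on that host.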