[Freeswitch-users] Problems with TLS after upgrading to Buster

Walter Behrend info at behrend-cs.de
Mon Nov 11 22:21:05 UTC 2019

Hello there,

hope someone else also had the problem - and found a solution for it.


My "internal" profile has TLS enabled with tlsv1, 1.1 and 1.2 - this worked
like a charm on stretch. I'm using the freeswitch-repos.


I upgraded to buster and here my problems started. Seems the gentls_cert
only creates SHA1 (CA)Certificates - so freeswitch started with openssl
error messages "md too weak". Tried at first to bypass this error by setting
the tls_ciphers to "DEFAULT:@SECLEVEL=0" but this error still occured.


So as a consequence, I modified the gentls_cert script and replaced
everywhere the parameter -sha1 with -sha256. This error disappeared now, but
the next one is coming up.

It seems it does not matter which value I set for "tls_version" - in every
case, my TLS enabled port only accepts TLS 1.3 connections. I have the
problem that we're also using older phones which only support TLS 1.0.


Error message is:


tport_tls.c:157 tls_log_errors() TLS setup failed: 14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol


I tried with openssl s_client and the parameters -tls1 -tls1_1 and so on -
it really only worked for -tls1_3

Any idea about this? setting tls_version to tlsv1,tlsv1.1,tlsv1.2 does not
change anything. Also setting the value just to tlsv1 does not help, I
verified this with the phones AND with openssl s_client. Still only TLS 1.3
gives results here.


Thanks in advance...






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20191111/81a13676/attachment-0001.html>

More information about the FreeSWITCH-users mailing list