[Freeswitch-users] Problems with TLS after upgrading to Buster

Sebastian Kemper sebastian_ml at gmx.net
Tue Nov 12 20:27:16 UTC 2019


On Mon, Nov 11, 2019 at 11:21:05PM +0100, Walter Behrend wrote:
> Hello there,

Hi Walter,

> I upgraded to buster and here my problems started. Seems the gentls_cert
> only creates SHA1 (CA)Certificates - so freeswitch started with openssl
> error messages "md too weak". Tried at first to bypass this error by setting
> the tls_ciphers to "DEFAULT:@SECLEVEL=0" but this error still occurred.

I don't have Debian, I got OpenWrt with openssl 1.1.1d and FS 1.10.1.
Updated /etc/ssl/openssl.cnf like this:

https://sources.debian.org/src/openssl/1.1.1c-1/debian/patches/Set-systemwide-default-settings-for-libssl-users.patch/

I also used gentls_cert to create CA & server cert. But I don't get "md
too weak" when starting FS.

> So as a consequence, I modified the gentls_cert script and replaced
> everywhere the parameter -sha1 with -sha256. This error disappeared now, but
> the next one is coming up.
>
> It seems it does not matter which value I set for "tls_version" - in every
> case, my TLS enabled port only accepts TLS 1.3 connections. I have the
> problem that we're also using older phones which only support TLS 1.0.
>
> Error message is:
>
> tport_tls.c:157 tls_log_errors() TLS setup failed: 14209102:SSL
> routines:tls_early_post_process_client_hello:unsupported protocol

Works fine here:

    4   0.004770 192.168.0.120 → 192.168.0.1  TLSv1 464 Client Hello
    6   0.193706  192.168.0.1 → 192.168.0.120 TLSv1.2 1514 Server Hello
    7   0.193809  192.168.0.1 → 192.168.0.120 TLSv1.2 871 Certificate, Server Key Exchange, Server Hello Done
   10   0.256056 192.168.0.120 → 192.168.0.1  TLSv1.2 141 Client Key Exchange
   12   0.269076 192.168.0.120 → 192.168.0.1  TLSv1.2 72 Change Cipher Spec
   14   0.269344 192.168.0.120 → 192.168.0.1  TLSv1.2 103 Encrypted Handshake Message

With openssl s_client I can also connect with TLS1.0, 1.1, 1.2 and 1.3
(which suggests that FS isn't using system openssl config).

> Any idea about this? setting tls_version to tlsv1,tlsv1.1,tlsv1.2 does
> not change anything. Also setting the value just to tlsv1 does not
> help, I verified this with the phones AND with openssl s_client. Still
> only TLS 1.3 gives results here.

The only way to reproduce your result was to set tls-version to tls1_3.
When you grep your FS log for tls-version, do you see
"tlsv1,tlsv1.1,tlsv1.2" or "tlsv1_3"?

Regards,
Seb
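Added example (not from this thread or the FreeSWITCH project): the s_client check Seb describes, scripted so that a SIP-over-TLS port is probed once per protocol version and each result is classified from the openssl error strings seen above ("unsupported protocol" when the version is not enabled on the server, "too weak" when the certificate signature fails the client's security level). It assumes openssl 1.1.1 or later (for -tls1_3) and a reachable host:port; the host and port below are placeholders.

```shell
#!/bin/sh
# Probe which TLS versions a SIP-TLS listener actually accepts, to verify
# that the tls-version setting took effect. Added example, not FS code.

# classify_tls_result STRING -> accepted | disabled | weak-cert | failed
# STRING is the merged stdout/stderr of one openssl s_client run.
classify_tls_result() {
    out=$1
    case $out in
        # "ca md too weak" / "CA signature digest algorithm too weak":
        # certificate signed with SHA-1 at SECLEVEL >= 1 (the "md too weak" case)
        *"too weak"*)              echo weak-cert ;;
        # server refused the version (tls_early_post_process_client_hello /
        # ssl_choose_client_version: unsupported protocol)
        *"unsupported protocol"*)  echo disabled ;;
        # handshake completed: s_client prints the negotiated protocol line
        *"New, TLSv1"*|*"Protocol  : TLSv1"*) echo accepted ;;
        # anything else: connection refused, unknown option, timeout, ...
        *)                         echo failed ;;
    esac
}

# probe_tls_versions HOST PORT -> one line per version: "<version> <result>"
probe_tls_versions() {
    host=$1; port=$2
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        # </dev/null closes stdin so s_client exits right after the handshake;
        # 2>&1 merges the error log that classify_tls_result inspects.
        out=$(openssl s_client -connect "$host:$port" "-$v" </dev/null 2>&1)
        echo "$v $(classify_tls_result "$out")"
    done
}

# Usage (placeholder address): ./probe.sh 192.0.2.10 5061
if [ -n "${1:-}" ]; then
    probe_tls_versions "$1" "${2:-5061}"
fi
```

A listener that is meant to serve the old phones should report "accepted" for tls1; "disabled" on every version except tls1_3 reproduces the symptom Walter describes.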