Hi Henning, thanks for that. Somehow I misread the docs before.
On Fri, 14 Aug 2020 at 23:17, Henning Westerholt <[email protected]> wrote: > Hello, > > > > try "method = TLSv1+“ in the tls.cfg of Kamailio, as mentioned in the > module docs. > > > > Cheers, > > > > Henning > > > > -- > > Henning Westerholt – https://skalatan.de/blog/ > > Kamailio services – https://gilawa.com > > > > *From:* sr-users <[email protected]> *On Behalf Of *David > Cunningham > *Sent:* Thursday, August 13, 2020 3:25 AM > *To:* Daniel-Constantin Mierla <[email protected]>; Kamailio (SER) - > Users Mailing List <[email protected]> > *Subject:* Re: [SR-Users] How to check TLS versions available > > > > Hi Alex and Daniel, > > > > Thanks for that. If we test with -tls1 we get: > > > > Peer signing digest: MD5-SHA1 > Peer signature type: RSA > Server Temp Key: X25519, 253 bits > --- > SSL handshake has read 6063 bytes and written 231 bytes > Verification error: certificate has expired > --- > New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > SSL-Session: > Protocol : TLSv1 > Cipher : ECDHE-RSA-AES256-SHA > Session-ID: > 10059472D497ED035E53F0037275430927B06D6023A78C23CDB883503DB912F3 > Session-ID-ctx: > Master-Key: > D4542C9D23589A600554D7F0C552CE784F938341C0AFD61430AB7422CEB77EF05F783E8F787FC5CF66A27B6C996C32D8 > PSK identity: None > PSK identity hint: None > SRP username: None > TLS session ticket lifetime hint: 7200 (seconds) > TLS session ticket: > 0000 - 40 82 72 56 a9 78 26 79-03 1e cb 8d 29 dc 8c f8 > @.rV.x&y....)... > > ... etc... > > > > But with -tls1_1 we get: > > > > CONNECTED(00000005) > 139645110682048:error:1425F102:SSL > routines:ssl_choose_client_version:unsupported > protocol:../ssl/statem/statem_lib.c:1907: > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 74 bytes and written 133 bytes > Verification: OK > --- > New, (NONE), Cipher is (NONE) > Secure Renegotiation IS NOT supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > SSL-Session: > Protocol : TLSv1.1 > > ... etc... > > > > So I guess TLS 1.1 is not supported at the moment. In tls.cfg we have > "method = TLSv1", but my understanding is that this is the minimum and > doesn't prevent using higher versions? > > > > Given that we have the Ubuntu packages for libssl1.1 (version > 1.1.1-1ubuntu2.1~18.04) and libssl-dev (version 1.1.1-1ubuntu2.1~18.04) > installed, does anyone know what else we need to get TLS 1.1 working? > > > > Thanks in advance! > > > > > > > > On Wed, 12 Aug 2020 at 20:08, Daniel-Constantin Mierla <[email protected]> > wrote: > > Hello, > > for sure you can test if a specific tls version is supported, like: > > openssl s_client -tls1_3 ... > > In Kamailio one can restrict what tls versions to enable/allow via > modparam or tls.cfg, but the support of tls versions is coming from > libssl, so it is a matter of what libssl version is used and the distro > (as I noticed some distros package libssl with older protocols disabled). > > Cheers, > Daniel > > On 12.08.20 04:01, Alex Balashov wrote: > > Hi, > > > > Are you looking for a way that does not require access to the Kamailio > > config? > > > > If so, does `openssl s_client $HOST:5061` not show this, e.g. with > > verbosity? > > > > > > On 8/11/20 9:44 PM, David Cunningham wrote: > >> Hello, > >> > >> Does anyone know of a method to check what TLS versions are available > >> from Kamailio for clients to use? For example, is TLS 1.0 available, > >> TLS 1.1, etc. > >> > >> Thanks in advance, > >> > >> -- > >> David Cunningham, Voisonics Limited > >> http://voisonics.com/ > >> USA: +1 213 221 1092 > >> New Zealand: +64 (0)28 2558 3782 > >> > >> _______________________________________________ > >> Kamailio (SER) - Users Mailing List > >> [email protected] > >> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users > >> > > > > -- > > Alex Balashov | Principal | Evariste Systems LLC > > > > Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) > > Web: http://www.evaristesys.com/, http://www.csrpswitch.com/ > > > > _______________________________________________ > > Kamailio (SER) - Users Mailing List > > [email protected] > > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users > > -- > Daniel-Constantin Mierla -- www.asipto.com > www.twitter.com/miconda -- www.linkedin.com/in/miconda > Funding: https://www.paypal.me/dcmierla > > > _______________________________________________ > Kamailio (SER) - Users Mailing List > [email protected] > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users > > > > -- > > David Cunningham, Voisonics Limited > http://voisonics.com/ > USA: +1 213 221 1092 > New Zealand: +64 (0)28 2558 3782 > -- David Cunningham, Voisonics Limited http://voisonics.com/ USA: +1 213 221 1092 New Zealand: +64 (0)28 2558 3782
_______________________________________________ Kamailio (SER) - Users Mailing List [email protected] https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
