Bug#873798: chan_pjsip does not support TLSv1.1+

Bernhard Schmidt berni at debian.org
Wed Apr 4 08:49:05 BST 2018


On Wed, Apr 04, 2018 at 09:03:56AM +0200, Bernhard Schmidt wrote:

> > Source: asterisk
> > Version: 1:13.14.1~dfsg-2
> > Severity: important
> > Tags: upstream
> > 
> > chan_pjsip does not support TLSv1.1 and above.
> > 
> > See upstream bug
> 
> I'm not sure when it was fixed (the upstream bug is untouched) and
> whether the problem was in asterisk, in pjproject or in the combination
> of those, but Asterisk 1:13.17.2~dfsg-2 together with pjproject 2.7.2 on
> sid works with TLSv1.2
> 
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> 
> If someone finds the necessary commits in either Asterisk or pjproject
> I'm willing to send this to the SRM for inclusion in Stretch.

There is
https://github.com/asterisk/asterisk/commit/ec1f4bf48df6b893268ed36439a8680b7e4a253e
. Adding that on top of the Stretch version allows pjsip to use TLSv1.2
with

method=tlsv1_2

but the socket is only TLSv1.2 then, no TLSv1.0 anymore. I did not
manage to persuade the stretch version to support both. 13.18 supports
TLSv1.0, TLSv1.1 and TLSv1.2 on the same transport in the default
configuration.

Bernhard
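
To check which protocol versions a TLS transport accepts, in the way the `New, TLSv1.2, Cipher is ...` output quoted above was obtained, a small wrapper around `openssl s_client` can run one handshake per version. This is an added example, not part of the original message; the function names and the host and port in the usage comment are hypothetical, and the summary-line format is assumed to match the one quoted above.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumes s_client prints a summary line of the form quoted above:
#   New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
# and "New, (NONE), Cipher is (NONE)" when no handshake completed.

# negotiated_proto: read s_client output on stdin and print the protocol
# named in the summary line, or "none" if the handshake did not complete.
negotiated_proto() {
    proto=$(sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' | head -n 1)
    case "$proto" in
        ''|'(NONE)') echo none ;;
        *) echo "$proto" ;;
    esac
}

# probe_transport HOST PORT: attempt one handshake per protocol version
# and print, per version, what the transport negotiated.
probe_transport() {
    host=$1
    port=$2
    for flag in tls1 tls1_1 tls1_2; do
        # </dev/null makes s_client exit once the handshake is done.
        out=$(openssl s_client -connect "$host:$port" "-$flag" \
              </dev/null 2>/dev/null) || true
        printf '%-8s %s\n' "$flag" \
            "$(printf '%s\n' "$out" | negotiated_proto)"
    done
}

# Usage (hypothetical host and port):
#   probe_transport sip.example.org 5061
```

A client OpenSSL whose own configuration sets a higher minimum protocol reports `none` for the older versions regardless of what the server supports.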


