Bug#966636: asterisk: after upfgrade from buster, no sip connections succeed due to silent ls 1.3 requirement

anonymous envelope anonymous at plan9.de
Fri Jul 31 20:39:51 BST 2020 

Package: asterisk
Version: 1:16.10.0~dfsg-1
Severity: normal

Dear Maintainer,

after upgrading the asterisk version from buster to testing, the pjsip channel no longer accepts any connections, due to:

SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol>

as it turns out, this is because the new asterisk version enforces a minimum tls version of 1.3, i.e., clients connecting with tls 1.2 (all of them for us, as this includes android) can no longer connect.

There doesn't seem to be a way to confifgure this in pjsip.conf, at least not a documented way, and even drastic workarounds such as method=sslv23 do not help.

I think an enforced tls 1.3 minimum version is too harsh.

For reference, here is the transport configuration that works with asterisk 16.2 in buster:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0
cert_file=...
priv_key_file=...
method=tlsv1

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages asterisk depends on:
ii  adduser                  3.118
ii  asterisk-config          1:16.10.0~dfsg-1
ii  asterisk-core-sounds-en  1.6.1-1
ii  asterisk-modules         1:16.10.0~dfsg-1
ii  libc6                    2.31-2
ii  libcap2                  1:2.25-2
ii  libcrypt1                1:4.4.16-1
ii  libedit2                 3.1-20181209-1
ii  libjansson4              2.12-1
ii  libpopt0                 1.16-12
ii  libsqlite3-0             3.27.2-3
ii  libssl1.1                1.1.1d-0+deb10u3
ii  libsystemd0              241-7~deb10u4
ii  liburiparser1            0.9.1-1
ii  libuuid1                 2.33.1-0.1
ii  libxml2                  2.9.4+dfsg1-7+b3
ii  libxslt1.1               1.1.32-2.2~deb10u1
ii  lsb-base                 10.2019051400

Versions of packages asterisk recommends:
ii  asterisk-moh-opsound-gsm                         2.03-1
ii  asterisk-voicemail [asterisk-voicemail-storage]  1:16.10.0~dfsg-1
ii  sox                                              14.4.2+git20190427-1

Versions of packages asterisk suggests:
pn  asterisk-dahdi   <none>
pn  asterisk-dev     <none>
pn  asterisk-doc     <none>
ii  asterisk-ooh323  1:16.10.0~dfsg-1
ii  asterisk-opus    13.7+20171009-2
pn  asterisk-vpb     <none>

-- no debconf information

More information about the Pkg-voip-maintainers mailing list