FreeSWITCH issue FS-5839

Support multiple SSL/TLS protocols on the same profile automagically

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: mod_sofia
    • Security Level: public
    • Labels:
      None
    • Environment:
      All
    • CPU Architecture:
      x86
    • Kernel:
      Linux
    • Userland:
      GNU/Linux
    • Compiler:
      gcc
    • FreeSWITCH GIT Revision:
      All
    • GIT Master Revision hash:
      Yes

      Description

      Assuming underlying OpenSSL support, FreeSWITCH should support at least the following SSL/TLS protocols on the same profile and socket automagically (like Apache):

      SSL v2.3 (shame on you!)
      TLS v1
      TLS v1.1
      TLS v1.2

          Activity

          Brian West added a comment -
          Tested: setting the method to sslv23 on the profile does indeed support them all.


          <16>:java -jar TestSSLServer.jar 192.168.1.112 5066
          Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
          Deflate compression: no
          Supported cipher suites (ORDER IS NOT SIGNIFICANT):
            SSLv3
               TLS_ECDH_ECDSA_WITH_RC4_128_SHA
               TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
               TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
               TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
            (TLSv1.0: idem)
            (TLSv1.1: idem)
            TLSv1.2
               TLS_ECDH_ECDSA_WITH_RC4_128_SHA
               TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
               TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
               TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
               TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
               TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
               TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
               TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
          ----------------------
          Server certificate(s):
            48dec9e21d1036bc201f0b9c709fbc349616aac0: O=bkw.org, CN=pbx.bkw.org
          ----------------------
          Minimal encryption strength: strong encryption (96-bit or more)
          Achievable encryption strength: strong encryption (96-bit or more)
          BEAST status: vulnerable
          CRIME status: protected
          Brian West added a comment -
          Extend it to specify protocols and possibly ciphers.
          Kristian Kielhofner added a comment -
          Awesome. What about only supporting > version and up automatically? Config=tlsv1:

          tlsv1 supported
          tlsv1.1 supported
          tlsv1.2 supported

          ssl v2.3 NOT supported
          ssl v3 NOT supported
          Travis Cross added a comment -
          Talked with Brian. The current state is clearly a bit awkward. The way forward is likely to be listing the versions you want to support individually. We're looking into this.
          Travis Cross added a comment -
          This is now in tree; please test. You can specify one or more protocols to support, e.g.

            <param name="tls-version" value="tlsv1,tlsv1.2"/>
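An added configuration audit (not FreeSWITCH code) that reads the comma-separated tls-version list Travis describes and reports which protocols a profile enables below a chosen floor. The profile snippet is constructed, the mapping of sslv23 to "SSLv3 through TLSv1.2" is taken from Brian's TestSSLServer output above, and the TLSv1.2 floor is an assumption.

```python
"""Audit the tls-version parameter of a FreeSWITCH sofia profile (constructed example)."""
import xml.etree.ElementTree as ET

# Protocol versions each tls-version token enables, named as in the
# TestSSLServer output on this ticket. "sslv23" is treated as the
# catch-all Brian observed (SSLv3, TLSv1.0, TLSv1.1, TLSv1.2); assumption.
TOKENS = {
    "sslv23": ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "tlsv1": ["TLSv1.0"],
    "tlsv1.1": ["TLSv1.1"],
    "tlsv1.2": ["TLSv1.2"],
}
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest first


def tls_version_param(profile_xml):
    """Return the raw tls-version value from a sofia profile, or None if absent."""
    root = ET.fromstring(profile_xml)
    for param in root.iter("param"):
        if param.get("name") == "tls-version":
            return param.get("value", "")
    return None


def expand(value):
    """Expand a comma-separated tls-version list into (enabled versions, unknown tokens)."""
    enabled, unknown = set(), []
    for tok in (t.strip().lower() for t in value.split(",") if t.strip()):
        if tok in TOKENS:
            enabled.update(TOKENS[tok])
        else:
            unknown.append(tok)
    return sorted(enabled, key=ORDER.index), unknown


def audit_profile(profile_xml, floor="TLSv1.2"):
    """Report enabled versions and those older than `floor` (floor is an assumption)."""
    value = tls_version_param(profile_xml)
    if value is None:
        return {"param": None, "enabled": [], "below_floor": [], "unknown": []}
    enabled, unknown = expand(value)
    below = [v for v in enabled if ORDER.index(v) < ORDER.index(floor)]
    return {"param": value, "enabled": enabled, "below_floor": below, "unknown": unknown}


# Constructed profile using the syntax from this ticket.
PROFILE = """<profile name="internal">
  <settings>
    <param name="tls" value="true"/>
    <param name="tls-version" value="tlsv1,tlsv1.2"/>
  </settings>
</profile>"""

if __name__ == "__main__":
    print(audit_profile(PROFILE))
```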

            People

            • Assignee: Travis Cross
            • Reporter: Kristian Kielhofner
            • Votes: 0
            • Watchers: 5