[FS-5839] Support multiple SSL/TLS protocols on the same profile automagically Created: 02/Oct/13  Updated: 24/Feb/14  Resolved: 06/Feb/14

Status: Closed
Project: FreeSWITCH
Component/s: mod_sofia
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Kristian Kielhofner Assignee: Travis Cross
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

All


Issue Links:
Related
relates to FS-5719 TLS negotiation failing with Elliptic... Closed
CPU Architecture:
x86
Kernel:
Linux
Userland:
GNU/Linux
Compiler:
gcc
FreeSWITCH GIT Revision: All
GIT Master Revision hash:: Yes

 Description   

Assuming underlying OpenSSL support, FreeSWITCH should support at least the following SSL/TLS protocols on the same profile and socket automagically (like Apache):

SSL v2.3 (shame on you!)
TLS v1
TLS v1.1
TLS v1.2



 Comments   
Comment by Brian West [ 02/Oct/13 ]

Tested with setting the method to sslv23 on the profile does indeed support them all.

<16>:java -jar TestSSLServer.jar 192.168.1.112 5066
Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
SSLv3
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
(TLSv1.0: idem)
(TLSv1.1: idem)
TLSv1.2
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
----------------------
Server certificate(s):
48dec9e21d1036bc201f0b9c709fbc349616aac0: O=bkw.org, CN=pbx.bkw.org
----------------------
Minimal encryption strength: strong encryption (96-bit or more)
Achievable encryption strength: strong encryption (96-bit or more)
BEAST status: vulnerable
CRIME status: protected

Comment by Brian West [ 02/Oct/13 ]

Extend it. To specify protocols and possibly ciphers.

Comment by Kristian Kielhofner [ 02/Oct/13 ]

Awesome. What about only supporting > version and up automatically. Config=tlsv1:

tlsv1 supported
tlsv1.1 supported
tlsv1.2 supported

ssl v2.3 NOT supported
ssl v3 NOT supported

Comment by Travis Cross [ 05/Feb/14 ]

Talked with Brian. The current state is clearly a bit awkward. The way forward is likely to be listing the versions you want to support individually. We're looking into this.

Comment by Travis Cross [ 06/Feb/14 ]

This is now in tree; please test. You can specify one or more protocols to support, e.g.

<param name="tls-version" value="tlsv1,tlsv1.2"/>

Generated at Mon Aug 19 13:25:46 CDT 2019 using Jira 8.1.0#801000-sha1:2e1cd1bb771978cda2c5e8f3f10539ab180613f6.