[FS-5839] Support multiple SSL/TLS protocols on the same profile automagically Created: 02/Oct/13  Updated: 24/Feb/14  Resolved: 06/Feb/14

Status: Closed
Project: FreeSWITCH
Component/s: mod_sofia
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Kristian Kielhofner Assignee: Travis Cross
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: All

Issue Links:
Related
relates to FS-5719 TLS negotiation failing with Elliptic... Closed
CPU Architecture:
x86
Kernel:
Linux
Userland:
GNU/Linux
Compiler:
gcc
FreeSWITCH GIT Revision: All
GIT Master Revision hash:: Yes

 Description   
Assuming underlying OpenSSL support, FreeSWITCH should support at least the following SSL/TLS protocols on the same profile and socket automagically (like Apache):

SSL v2.3 (shame on you!)
TLS v1
TLS v1.1
TLS v1.2

 Comments   
Comment by Brian West [ 02/Oct/13 ]
Tested with setting the method to sslv23 on the profile does indeed support them all.


<16>:java -jar TestSSLServer.jar 192.168.1.112 5066
Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     TLS_ECDH_ECDSA_WITH_RC4_128_SHA
     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  (TLSv1.0: idem)
  (TLSv1.1: idem)
  TLSv1.2
     TLS_ECDH_ECDSA_WITH_RC4_128_SHA
     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
     TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
     TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
----------------------
Server certificate(s):
  48dec9e21d1036bc201f0b9c709fbc349616aac0: O=bkw.org, CN=pbx.bkw.org
----------------------
Minimal encryption strength: strong encryption (96-bit or more)
Achievable encryption strength: strong encryption (96-bit or more)
BEAST status: vulnerable
CRIME status: protected
Comment by Brian West [ 02/Oct/13 ]
Extend it. To specify protocols and possibly ciphers.
Comment by Kristian Kielhofner [ 02/Oct/13 ]
Awesome. What about only supporting > version and up automatically. Config=tlsv1:

tlsv1 supported
tlsv1.1 supported
tlsv1.2 supported

ssl v2.3 NOT supported
ssl v3 NOT supported
Comment by Travis Cross [ 05/Feb/14 ]
Talked with Brian. The current state is clearly a bit awkward. The way forward is likely to be listing the versions you want to support individually. We're looking into this.
Comment by Travis Cross [ 06/Feb/14 ]
This is now in tree; please test. You can specify one or more protocols to support, e.g.

  <param name="tls-version" value="tlsv1,tlsv1.2"/>
Generated at Sun Sep 24 16:19:53 CDT 2017 using JIRA 7.3.3#73014-sha1:d5be8da522213be2ca9ad7b043c51da6e4cc9754.