From b1fe070d0bc26088cddffa5befd64fad7130f0ee Mon Sep 17 00:00:00 2001
From: Alexander Traud
Date: Thu, 18 Aug 2016 16:21:25 +0200
Subject: sip.conf: tlsclientmethod is using sslv23 as default.

When 'tlsclientmethod' is not specified in sip.conf, chan_sip uses the OpenSSL SSLv23_method. This was documented incorrectly in the file sip.conf.sample. SSLv23_method got its name in the 90s. Today, with OpenSSL 1.0.2, this method enables (just) the secure TLSv1.0 and TLSv1.2. Or stated differently, that function should have been called 'secure_method' or 'automatic_method' back in the 90s. Consequently please, specify 'tlsclientmethod=tlsv1' in your sip.conf only if you face a server which has problems like not falling back to TLSv1.0 automatically.
ASTERISK-24425
Change-Id: I502ce6146b4504cadfd3973af8d6ec3994f54fa3
---
 configs/samples/sip.conf.sample | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'configs')
diff --git a/configs/samples/sip.conf.sample b/configs/samples/sip.conf.sample
index 5c3238e2a..27012614e 100644
--- a/configs/samples/sip.conf.sample
+++ b/configs/samples/sip.conf.sample
@@ -592,7 +592,16 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
 ;
 ;tlsclientmethod=tlsv1 ; values include tlsv1, sslv3, sslv2.
 ; Specify protocol for outbound client connections.
- ; If left unspecified, the default is sslv2.
+ ; If left unspecified, the default is the general-
+ ; purpose version-flexible SSL/TLS method (sslv23).
+ ; With that, the actual protocol version used will
+ ; be negotiated to the highest version mutually
+ ; supported by Asterisk and the remote server, i.e.
+ ; TLSv1.2. The supported protocols are listed at
+ ; http://www.openssl.org/docs/ssl/SSL_CTX_new.html
+ ; SSLv2 and SSLv3 are disabled within Asterisk.
+ ; Your distribution might have changed that list
+ ; further.
 ;
 ;--------------------------- SIP timers ----------------------------------------------------
 ; These timers are used primarily in INVITE transactions.
-- 
cgit v1.2.3
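Review bot: The unchanged context line still lists `sslv3` and `sslv2` as values for `tlsclientmethod`, while the added text says SSLv2 and SSLv3 are disabled within Asterisk, so the comment now contradicts itself about what those settings do. The new text also never says that the commented-out example `tlsclientmethod=tlsv1` gives up version negotiation; going by the commit message it limits the client to TLSv1.0, which is weaker than the default. I would add `; Setting tlsv1 restricts the client to TLSv1.0; leave this unset to negotiate the highest mutually supported version.` and drop or qualify the two SSL values in the first line. The phrase "i.e. TLSv1.2" holds only when both peers' OpenSSL builds offer it, so "e.g. TLSv1.2" would be more accurate.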