Feature Request - TLSv1.1, 1.2, 1.3 and Stronger Cipher Support

Are there any plans to update FreePBX 13 or 14 to support TLS v1.1 or higher? It seems the majority of the web is on v1.2 and headed to v1.3?

This seems like an “if you build it they will come…” kind of scenario where either the PBX developers or the endpoint developers have to make the first step in adding this increased security before the other party will.

Also, stronger cipher support would be appreciated too. I currently have a number of softphones that support stronger ciphers, but I receive the following error messages in my FreePBX logfile when this setting is on the endpoints.

[2016-08-11 16:54:34] WARNING[28609][C-0000001b] sdp_srtp.c: Unsupported crypto suite: AES_256_CM_HMAC_SHA1_80
[2016-08-11 16:54:34] WARNING[28609][C-0000001b] sdp_srtp.c: Unsupported crypto suite: AES_256_CM_HMAC_SHA1_32
[2016-08-11 16:54:34] WARNING[28609][C-0000001b] sdp_srtp.c: Unsupported crypto suite: AES_192_CM_HMAC_SHA1_80
[2016-08-11 16:54:34] WARNING[28609][C-0000001b] sdp_srtp.c: Unsupported crypto suite: AES_192_CM_HMAC_SHA1_32

Thanks.
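For anyone triaging the same warnings, one way to summarise which SRTP suites endpoints offered and the PBX refused, per call. This is an added example, not part of the original post and not FreePBX or Asterisk code; the function names, the regexes and the extra NOTICE line in the sample are assumptions built around the four log lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the four warnings quoted in the post, plus one
# made-up unrelated line to show that non-matching entries are skipped.
SAMPLE_LOG = """\
[2016-08-11 16:54:34] WARNING[28609][C-0000001b] sdp_srtp.c: Unsupported crypto suite: AES_256_CM_HMAC_SHA1_80
[2016-08-11 16:54:34] WARNING[28609][C-0000001b] sdp_srtp.c: Unsupported crypto suite: AES_256_CM_HMAC_SHA1_32
[2016-08-11 16:54:34] WARNING[28609][C-0000001b] sdp_srtp.c: Unsupported crypto suite: AES_192_CM_HMAC_SHA1_80
[2016-08-11 16:54:34] WARNING[28609][C-0000001b] sdp_srtp.c: Unsupported crypto suite: AES_192_CM_HMAC_SHA1_32
[2016-08-11 16:54:35] NOTICE[28609] example.c: constructed unrelated line
"""

# Matches only the sdp_srtp.c warning format shown in the post.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+WARNING\[\d+\]\[(?P<call>C-[0-9a-f]+)\]\s+"
    r"sdp_srtp\.c: Unsupported crypto suite: (?P<suite>\S+)\s*$"
)
# Suite names in the log follow AES_<key bits>_CM_HMAC_SHA1_<auth tag bits>.
SUITE_RE = re.compile(r"^AES_(?P<key>\d+)_CM_HMAC_SHA1_(?P<tag>\d+)$")


def rejected_suites(log_text):
    """Return {call_id: [ {suite, key_bits, tag_bits}, ... ]} in log order."""
    calls = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an unsupported-suite warning
        parts = SUITE_RE.match(m["suite"])
        calls[m["call"]].append({
            "suite": m["suite"],
            # None when the name does not follow the pattern above
            "key_bits": int(parts["key"]) if parts else None,
            "tag_bits": int(parts["tag"]) if parts else None,
        })
    return dict(calls)


def strongest_rejected(calls):
    """Per call, the largest AES key size that was offered and refused."""
    return {
        call: max((e["key_bits"] or 0) for e in entries)
        for call, entries in calls.items()
    }


if __name__ == "__main__":
    for call, bits in strongest_rejected(rejected_suites(SAMPLE_LOG)).items():
        print(f"{call}: endpoint offered up to AES-{bits}, refused by the PBX")
```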

FreePBX requires TLS v1.2. The error you’re seeing is from Asterisk.

There was a guy last week who asked for weaker crypto support for Grandstreams. Gotta pick your battles :wink:

Is it not possible to incorporate support for multiple TLS versions and cipher suites simultaneously? I’ve set up a number of web servers and email servers that allow clients supporting different TLS versions to connect.

As the client devices get upgraded, support for older TLS versions and weaker cipher suites can be phased out step-wise.

As I mentioned initially, there isn’t a lot of incentive for VoIP desk phone manufacturers (for example) to include recent TLS version support and stronger cipher suites if the PBX software doesn’t.

I think all developers of PBX software need to take the lead on security and device manufacturers will follow suit.