How to enable tlsv1_3 as SSL method against a SIP trunk

Hi, I am trying to add a SIP trunk that will use tlsv1_3 (tlsv1.3) as the SSL method; however, under Settings > Asterisk SIP Settings > TLS/SSL/SRTP section the drop-down doesn’t include tlsv1_3.

How can I add this option?

I’ve tried FreePBX 17 which runs Asterisk 21.3 and PJSIP 2.14.1

I’ve looked at the files in /etc/asterisk for pjsip i.e. pjsip.transports.conf but they all say ‘don’t edit’

Any help gratefully received.

Thanks

Try adding to /etc/asterisk/pjsip.transports_custom_post.conf

[0.0.0.0-tls](+type=transport)
method=tlsv1_3

Thanks, I’ll try tomorrow.
Does this add the option to the GUI or just make the attempt use TLS 1.3?

Thanks again

It’s just a manual override – the option will still be missing from the GUI.
Note that you must restart (not just reload) Asterisk for the change to take effect.

Thanks.
I tried that but it didn’t work, pjsip show transports afterwards no longer showed 0.0.0.0-tls just the 0.0.0.0-udp one.

tcpdump didn’t show any attempt to initiate a TLS exchange.

I’ll keep playing but any more suggestions gratefully received.

Thanks

Strange, I just tested by pasting from my previous post, then running
fwconsole restart

pjsip show transports
still shows both transports and
pjsip show transport 0.0.0.0-tls
now shows
method : tlsv1_3

However, I’m running Asterisk 18.20.2; possibly your version was not properly configured with tlsv1.3. In any case, look at the Asterisk log created by the restart and with luck there will be a useful error message.
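A check for the verification step described above, as an added example that is not part of the original posts: it reads `pjsip show transport` output, reports the configured `method`, and distinguishes a wrong method from a transport that failed to load. The function names, the sample output (including the bind port and the "Unable to find object" line) and the exit codes are constructed for illustration.

```sh
#!/bin/sh
# Added example: confirm which TLS method a PJSIP transport ended up with after a restart.
# On a live system (assumes the asterisk CLI is in PATH):
#   asterisk -rx "pjsip show transport 0.0.0.0-tls" | check_transport 0.0.0.0-tls tlsv1_3

# Print the value of the "method" parameter from CLI output on stdin; exit 1 if absent.
transport_method() {
    awk -F':' '
        $1 ~ /^[ \t]*method[ \t]*$/ {
            v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    '
}

# $1 = transport name, $2 = expected method, stdin = CLI output.
# Returns 0 on match, 1 on a different method, 2 when the transport is not loaded.
check_transport() {
    actual=$(transport_method) || {
        echo "MISSING: transport $1 not loaded (check the Asterisk log from the restart)"
        return 2
    }
    [ "$actual" = "$2" ] || { echo "MISMATCH: $1 uses $actual, expected $2"; return 1; }
    echo "OK: $1 uses $actual"
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OK=' ParameterName              : ParameterValue
 ==========================================
 bind                       : 0.0.0.0:5061
 method                     : tlsv1_3
 protocol                   : tls'
SAMPLE_MISSING='Unable to find object 0.0.0.0-tls.'

printf '%s\n' "$SAMPLE_OK" | check_transport 0.0.0.0-tls tlsv1_3 || true
printf '%s\n' "$SAMPLE_MISSING" | check_transport 0.0.0.0-tls tlsv1_3 || true
```

The "MISSING" result corresponds to the case reported earlier in the thread, where the TLS transport no longer appeared in `pjsip show transports` after the change.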

Hmmm, will try again.

I used ‘core restart gracefully’ from within the Asterisk CLI, thought that would be the same thing.

I’ll see later when I fire the machine up again.

Thanks for all the replies.

Unless all of PJSIP and FreePBX is compiled with TLS 1.3 support, I don’t think you will have much luck (same story with chan_sip).

You should ask Sangoma if it has been.

Thanks, I did see on another search something about recompiling Asterisk with PJSIP patches but that is beyond my skill set.

How do I ask Sangoma? I’ve looked at their support portal but failed. I don’t have a paid-for support account; I’m just trying a few things out at home.

Thanks

Asterisk has been supporting TLSv1.3 since the release of Asterisk 18. OpenSSL has had TLS 1.3 support since OpenSSL 1.1.1. Since this is an install of FreePBX v17 (Asterisk v21 being used), it is on Debian 12, which has OpenSSL 3.x.x installed. So all of this is supported except for the fact the FreePBX GUI doesn’t have 1.3 listed as an option.

While the OP was giving the method to add/modify the method being used in a custom file, the required restart of Asterisk for the change to fully be in place was glossed over and not mentioned. Which could be why the OP still can’t see it.

Hi, thanks for the reply.
I did restart Asterisk after editing the custom file.
I’ve wiped the VM clean and will do a fresh reinstall, as I tried a few other things as well, so I want to start again from a clean state.

Open a feature request to have this added to the GUI: GitHub - FreePBX/issue-tracker: The unified FreePBX issue tracker.

Thanks for the link, I’ve submitted one as suggested

just fyi - Added “tlsv1_3” option in the UI fix has been pushed to sipsettings v17.0.6.9.

Thanks


Thanks, when will that be released, please?

It’s in the sipsettings v17.0.6.9 EDGE release.
