How to use TLS 1.2 instead of TLS 1.0/1.1?


(Userjf) #1

I’m using FreePBX 15.0.17.24
Installed with newest December 2020 FreePBX ISO (STABLE SNG7-PBX-64bit-2011-5)

I’m using chan_sip trunk with Telnyx voip carrier, using TLS.

They sent me an email stating that they are deprecating TLS 1.0 and TLS 1.1 and that I need to switch to TLS 1.2, as they can see the connection is currently using either 1.0 or 1.1.

What exactly do I need to change in FreePBX to make the connection use TLS 1.2 instead of 1.0/1.1?

Here is my chan_sip trunk outgoing settings:

username=xxxxx
type=peer
transport=tls
secret=xxxxxx
insecure=port,invite
host=sip.telnyx.com
fromdomain=sip.telnyx.com
encryption=yes
context=from-trunk
disallow=all
allow=ulaw

And trunk incoming register string:

tls://xxxxxx:xxxxxxxxxx@sip.telnyx.com:5061~300/xxxxxxxxx


(Itzik) #2

Settings > Asterisk SIP Settings > Chan PJSIP Settings > TLS/SSL/SRTP Settings > SSL Method > tlsv1_2


(Userjf) #3

That is pjsip. I’m using chan_sip. What is the method to change it in chan_sip?


(Itzik) #4

Switching to chan_pjsip :slight_smile:


(Userjf) #5

If that is the only option, I’ll do that. I’ve just always used chan_sip and it has always been solid.


#6

This may be of interest: https://community.asterisk.org/t/enable-tlsv1-2-only-in-sip-tls-transport/74993/7


#7

I realize that link is about server connections, not client. But presumably if it can use TLS 1.3 as server, it can do the same as client.

BTW this is what I get when connecting to one of my PBXs with openssl. Strictly chan_sip, running Asterisk 16.6:

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
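
Added example, not part of any post in this thread: a small checker that reads `openssl s_client` output like the summary in post #7 and reports whether the negotiated protocol meets a TLS 1.2 minimum. It prefers the `Protocol` line of the `SSL-Session` block when present, because the `New, ..., Cipher is` line names the protocol version that first defined the cipher; the two samples other than the post #7 excerpt are constructed.

```python
import re

# Protocol names as printed by openssl s_client, oldest first.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Excerpt of the summary quoted in post #7 of this thread.
POST_7 = """New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample: an older CBC cipher negotiated over TLS 1.2.
CBC_OVER_TLS12 = """New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
"""

# Constructed sample: a peer that still negotiates TLS 1.1.
LEGACY = """New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
"""

def negotiated_protocol(output):
    """Return the protocol name found in s_client output, or None."""
    # The SSL-Session "Protocol" line is the negotiated version.
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    if m is None:
        # Fallback: only the summary line is available (as in post #7).
        m = re.search(r"^(?:New|Reused), (\S+), Cipher is", output, re.M)
    if m is None:
        return None
    name = m.group(1)
    return "TLSv1" if name == "TLSv1.0" else name

def meets_minimum(output, minimum="TLSv1.2"):
    """True only if the protocol is recognised and at least `minimum`."""
    proto = negotiated_protocol(output)
    if proto not in ORDER:
        return False  # failed handshake or unknown text fails closed
    return ORDER.index(proto) >= ORDER.index(minimum)

if __name__ == "__main__":
    samples = [("post #7", POST_7), ("CBC over TLS 1.2", CBC_OVER_TLS12),
               ("legacy", LEGACY)]
    for label, text in samples:
        verdict = "OK" if meets_minimum(text) else "below minimum"
        print(label, negotiated_protocol(text), verdict)
```
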