The End of TLS1.0/1.1 - FYI

This is a little PSA for those that don’t keep up on things. As of March 2020 vendors have started to pull support for anything less than TLS1.2. This is from browser vendors (Chrome, Firefox, Safari, etc.) to Cisco and others. This also includes the CA authorities.

What does this mean? Well, for those using current phones not much. They support TLS1.2 so you just need to make sure your cert is current. Using older phones, like a Cisco 79XX, probably means that TLS support doesn’t exist (still on SSL versions) or they never got TLS1.2 support put into them. This also means that turning on the support for older SSL/TLS versions in OpenSSL won’t do the trick because certs will no longer have those in them.

Oh and certs that have life spans longer than 36 months are being rejected. So creating a self-signed cert for 10 years will no longer work as devices/browsers, etc. will reject them (if they aren’t already).

So if you’re using EOL/out-of-date phones and TLS for your SIP connections, you should be looking at the long term and probably look at replacing the phones.


Tom, do you mean TLS1.2? I think that is still supported.

Thanks, you are right on that. Updated to reflect that.

Maybe it will be security/TLS that drives more adoption of WebRTC and less of SIP for user endpoints.

I’m personally disappointed in that, because it seems to me like the VoIP community and (smaller) vendors have held back on security while every other Internet-related technology has steamed ahead, for years.

The idea of “sips:” was too difficult and fraught with gotchas and no one ever took it seriously.

No one should be deploying devices like this to production in the present day. I have them on my desk at home for amusement and hobby. If anyone is deploying this kind of legacy gear they need to think hard about what they are doing. Great deal on them from the flea market, yes… appropriate for the modern network, no.

WebRTC is just a method and transport (WS/WSS) and basically it is a SIP client since WebRTC won’t work without a Chan_SIP or Chan_PJSIP based peer/endpoint (for Asterisk). So it is still a SIP endpoint that uses WSS to connect vs UDP/TCP/TLS.

Let’s be honest, what is more the case here? Vendors being slow or the fact the VoIP community has pushed back on things that would make their 10+ year old devices no longer usable. Too much of the VoIP community relies on outdated hardware and solutions. To make it worse, too many still advocate this is all OK and should be allowed.

Yet look at this forum and all other community forums, they are highly in use still. The Asterisk CallManager patch, making SCCP fixes for FreePBX, all that does nothing more than encourage and facilitate this.

Odds are most TLS-using, security-conscious users aren’t using equipment that old.

But if using older phones, they’ll likely work as long as wanted. It should only be an issue if the phones interact with outside services that won’t continue to allow the older protocols. For servers under your control, it’s your choice to allow the older protocols or not - but why bother with TLS if it isn’t secure.

Despite the hype, browsers will continue to function with insecure servers for the foreseeable future, they just throw up a warning, similar to using a self-signed cert.

Tom,

Can you please explain a bit more? Does this mean that any certs purchased before March 31 would not help to register phones with TLS? I use mostly Mitels and I see that they have trouble registering with the certs purchased earlier than that.

Thanks.

It’s all over the Internet in articles and announcements. TLS1.0/1.1 has exploits and security holes and is considered insecure. While most aren’t using it there are those that will use it, like in FreePBX, because their devices don’t support TLS1.2 so they are making themselves insecure.

Just like how browsers and other things aren’t accepting certs with lifespans longer than 36 months anymore. Long term certs can end up becoming obsolete as things evolve. There could be people with long term certs from 7 years ago that still have 3 years left on their certs and boom, they are no good because they don’t have anything current in them for TLS1.2.

Yes, I read those internet articles.

I am having trouble with certs that I purchased around 2 years back. Some of them I renewed just 2 months back and they are failing. I have since purchased a new cert from the same certificate authority and that made the phones work.

So, I am just wondering if this was known for a while, why the certs that got renewed a few months back are failing. Shouldn’t they have TLS1.2 in them? Maybe it’s a question that I need to address to the CA. But, just wanted to check with you first before I send this to them.

Certs do not fail. But they expire.

Did yours “fail” starting this past weekend? An intermediate that was in the chain of many Comodo certs expired on May 30. The solution is not to replace your server cert but to update the intermediate chain.

If you happened to buy your cert from Namecheap, those guys were issuing the expiring intermediate up through just a few weeks ago.

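The two failure modes discussed in this thread, a chain whose intermediate has expired (the reply just above) and a server cert that is too long-lived or served over a context that still allows TLS 1.0/1.1 (the opening post), can both be caught before anyone starts swapping server certs. The script below is an added example written for this thread; it is not code from the forum, from FreePBX, from Comodo or from Namecheap. It uses only the Python standard library. The certificate dictionaries are constructed sample data in the shape that `ssl.SSLSocket.getpeercert()` returns, with made-up names (`pbx.example.com`, `Sample Intermediate CA`, `Sample Root CA`) and illustrative dates; the 36-month figure comes from the thread and is assumed to be 1095 days.

```python
"""Chain-expiry and TLS-version checks for a SIP-over-TLS server.

Added example for this thread, not code from the forum or from any vendor.
Standard library only. The certificate dictionaries are CONSTRUCTED sample
data in the shape ssl.SSLSocket.getpeercert() returns; names and dates are
illustrative, not real CA data.
"""
import ssl

# Threshold stated in the thread: leaf lifespans over 36 months are rejected.
# Assumption: 36 months counted as 1095 days.
MAX_LEAF_LIFETIME_DAYS = 1095


def epoch(cert_time):
    """Parse a notBefore/notAfter string such as 'May 30 00:00:00 2020 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)


def common_name(cert):
    """Pull commonName out of the getpeercert()-style nested RDN tuples."""
    return dict(rdn[0] for rdn in cert["subject"]).get("commonName", "?")


def chain_problems(chain, now):
    """Report what would make a phone or browser reject this chain at `now`.

    `chain` is ordered leaf first, root last; each entry is a getpeercert()-style
    dict with subject, issuer, notBefore and notAfter. `now` is epoch seconds.
    """
    problems = []
    for idx, cert in enumerate(chain):
        if idx == 0:
            role = "leaf"
        elif idx == len(chain) - 1:
            role = "root"
        else:
            role = "intermediate"
        name = common_name(cert)
        not_before, not_after = epoch(cert["notBefore"]), epoch(cert["notAfter"])

        if now > not_after:
            # An expired intermediate is fixed on the server's bundle, not by
            # buying a new leaf; that is the point made in the reply above.
            fix = ("update the intermediate bundle on the server"
                   if role == "intermediate" else "renew it")
            problems.append(f"{role} '{name}' expired {cert['notAfter']}: {fix}")
        elif now < not_before:
            problems.append(f"{role} '{name}' not yet valid until {cert['notBefore']}")

        # Lifespan limits target the server (leaf) cert; roots are long-lived by design.
        lifetime_days = (not_after - not_before) / 86400
        if role == "leaf" and lifetime_days > MAX_LEAF_LIFETIME_DAYS:
            problems.append(f"leaf '{name}' lifetime is {lifetime_days:.0f} days, "
                            f"over the {MAX_LEAF_LIFETIME_DAYS}-day limit")

    # Each cert must be issued by the next one up; a mismatch means the wrong
    # intermediate was installed alongside the leaf.
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            problems.append(f"'{common_name(child)}' is not issued by "
                            f"'{common_name(parent)}'")
    return problems


def hardened_context(server_side=False):
    """Context that refuses TLS 1.0/1.1 outright, for client or server use."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# CONSTRUCTED sample chain: a fresh one-year leaf sitting on an intermediate
# that expired on 30 May 2020 (mirroring the situation in the thread).
SAMPLE_CHAIN = [
    {"subject": ((("commonName", "pbx.example.com"),),),
     "issuer": ((("commonName", "Sample Intermediate CA"),),),
     "notBefore": "Apr 01 00:00:00 2020 GMT", "notAfter": "Apr 01 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "Sample Intermediate CA"),),),
     "issuer": ((("commonName", "Sample Root CA"),),),
     "notBefore": "May 30 00:00:00 2000 GMT", "notAfter": "May 30 00:00:00 2020 GMT"},
    {"subject": ((("commonName", "Sample Root CA"),),),
     "issuer": ((("commonName", "Sample Root CA"),),),
     "notBefore": "Jan 01 00:00:00 2000 GMT", "notAfter": "Jan 01 00:00:00 2038 GMT"},
]

# CONSTRUCTED ten-year self-signed cert of the kind the opening post warns about.
TEN_YEAR_SELF_SIGNED = [
    {"subject": ((("commonName", "pbx.local"),),),
     "issuer": ((("commonName", "pbx.local"),),),
     "notBefore": "Jan 01 00:00:00 2020 GMT", "notAfter": "Jan 01 00:00:00 2030 GMT"},
]

NOW = epoch("Jun 01 00:00:00 2020 GMT")  # two days after the intermediate lapsed

if __name__ == "__main__":
    for label, chain in (("purchased chain", SAMPLE_CHAIN),
                         ("10-year self-signed", TEN_YEAR_SELF_SIGNED)):
        print(f"{label}: {chain_problems(chain, NOW) or 'OK'}")
    print("minimum TLS version:", hardened_context().minimum_version.name)
```

On a live server the same dictionaries come from `ssl.SSLSocket.getpeercert()` after a handshake, or from `openssl x509 -noout -subject -issuer -dates` run over each PEM in the bundle, so the check slots in ahead of a cert purchase. Note that `getpeercert()` on its own only describes the leaf; the intermediate entries have to be read from the bundle the server actually sends, which is exactly the file this thread says to update.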

Yes, I am using Namecheap. It’s puzzling why they were issuing certificates with an expiring intermediate chain.
