On Wed, Apr 04, 2018 at 09:03:56AM +0200, Bernhard Schmidt wrote:
> > Source: asterisk
> > Version: 1:13.14.1~dfsg-2
> > Severity: important
> > Tags: upstream
> >
> > chan_pjsip does not support TLSv1.1 and above.
> >
> > See upstream bug
>
> I'm not sure when it was fixed (the upstream bug is untouched) and
> whether the problem was in asterisk, in pjproject or in the combination
> of those, but Asterisk 1:13.17.2~dfsg-2 together with pjproject 2.7.2 on
> sid works with TLSv1.2
>
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
>
> If someone finds the necessary commits in either Asterisk or pjproject
> I'm willing to send this to the SRM for inclusion in Stretch.

There is https://github.com/asterisk/asterisk/commit/ec1f4bf48df6b893268ed36439a8680b7e4a253e .
Adding that on top of the Stretch version allows pjsip to use TLSv1.2
with method=tlsv1_2 but the socket is only TLSv1.2 then, no TLSv1.0
anymore. I did not manage to persuade the stretch version to support
both.

13.18 supports TLSv1.0, TLSv1.1 and TLSv1.2 on the same transport in the
default configuration.

Bernhard