Debugging TLS problems

From MiRTA PBX documentation
Jump to navigation Jump to search

There is a problem with CentOS 9 and TLS with Asterisk. These tools may help to identify the issue

List all the ciphers available

 openssl ciphers -v

Check the ciphers available on a SSL server

 openssl s_client -connect pbx.mirtapbx.com:5061 -cipher ALL

Check the protocols available on SSL server

 testssl.sh pbx.mirtapbx.com:5081

To check for the ciphers available on a client, dump the packets with tshark

 tshark -i eth0 -w /var/www/html/tls.pcap -s 1500 -f 'host 176.206.10.252 and port 5061'

And then process in wireshark using the ssl.handshake filter. Look for the Secure Socket Layer section

Enable LEGACY support

  update-crypto-policies --set LEGACY

Check support level

  update-crypto-policies --show

In pjsip.conf now you can use

 method=tlsv1_2
 cipher=DEFAULT,@SECLEVEL=1