From 1a9555f0363e9cdf94144084e6ba6fc64d6fe2f9 Mon Sep 17 00:00:00 2001
From: Alexander Traud <pabstraud@compuserve.com>
Date: Thu, 18 Aug 2016 16:21:25 +0200
Subject: [PATCH] sip.conf: tlsclientmethod is using sslv23 as default.

When 'tlsclientmethod' is not specified in sip.conf, chan_sip uses the OpenSSL
SSLv23_method. This was documented incorrectly in the file sip.conf.sample.

SSLv23_method got its name in the 90s. Today, with OpenSSL 1.0.2, this method
enables (just) the secure TLSv1.0 and TLSv1.2. Or stated differently, that
function should have been called 'secure_method' or 'automatic_method' back in
the 90s.

Consequently, please specify 'tlsclientmethod=tlsv1' in your sip.conf only if
you face a server which has problems like not falling back to TLSv1.0
automatically.

ASTERISK-24425

Change-Id: I502ce6146b4504cadfd3973af8d6ec3994f54fa3
---
 configs/samples/sip.conf.sample | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/configs/samples/sip.conf.sample b/configs/samples/sip.conf.sample
index a7b74df690..da176b4d66 100644
--- a/configs/samples/sip.conf.sample
+++ b/configs/samples/sip.conf.sample
@@ -611,7 +611,16 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 ;
 ;tlsclientmethod=tlsv1     ; values include tlsv1, sslv3, sslv2.
                            ; Specify protocol for outbound client connections.
-                           ; If left unspecified, the default is sslv2.
+                           ; If left unspecified, the default is the general-
+                           ; purpose version-flexible SSL/TLS method (sslv23).
+                           ; With that, the actual protocol version used will
+                           ; be negotiated to the highest version mutually
+                           ; supported by Asterisk and the remote server, i.e.
+                           ; TLSv1.2. The supported protocols are listed at
+                           ; http://www.openssl.org/docs/ssl/SSL_CTX_new.html
+                           ; SSLv2 and SSLv3 are disabled within Asterisk.
+                           ; Your distribution might have changed that list
+                           ; further.
 ;
 ;--------------------------- SIP timers ----------------------------------------------------
 ; These timers are used primarily in INVITE transactions.
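Review bot: The unchanged value list on the `;tlsclientmethod=tlsv1` line still offers `sslv3` and `sslv2`, while the added text states that SSLv2 and SSLv3 are disabled within Asterisk. The sample should say what happens when one of those values is set, or mark them as legacy, for example `; values include tlsv1, sslv3, sslv2 (sslv3/sslv2 are legacy and disabled)`. The commit message advises setting `tlsv1` only for servers that fail to negotiate, but the sample itself never says that. Going by that advice, an explicit value appears to pin outbound connections to that one protocol version, so a line such as `; Setting tlsv1 restricts outbound connections to TLSv1.0; leave unset unless a server fails to negotiate.` would keep operators from downgrading by copying the commented example. The phrase "i.e. TLSv1.2" also depends on the linked OpenSSL build, so "e.g." would be more accurate.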
-- 
GitLab