Opened 10 years ago
Closed 10 years ago
#1775 closed enhancement (fixed)
Changing OpenSSL default method from TLSv1 to SSLv23 to enable enable AES-GCM cipher suites in default (thanks Alexander Traud for the patch)
Reported by: | bennylp | Owned by: | bennylp |
---|---|---|---|
Priority: | normal | Milestone: | release-2.3 |
Component: | pjlib | Version: | trunk |
Keywords: | Cc: | ||
Backport to 1.x milestone: | Backported: | no |
Description
Currently with OpenSSL, PJSIP uses TLS version 1.0 for both server and client as default. AES-GCM cipher suites require at least TLS version 1.2. In the API of PJSIP, you are able to change to PJ_SSL_SOCK_PROTO_SSL23 which uses SSLv23_method() in OpenSSL.
Although the method name indicates SSL version 2 and SSL version 3, SSLv23_method() is the default in OpenSSL because only that method enables the current, save versions. In OpenSSL 1.0.1, this is SSLv3, TLSv1, TLSv1.1, and TLSv1.2. SSLv2 is turned off (although the method name might suggest the contrary; https://www.openssl.org/docs/ssl/SSL_CTX_new.html) Consequently, SSLv23_method() enables PJ_SSL_SOCK_PROTO_SSL23, which enables TLSv1.2, which enables AES-GCM cipher suites.
Because pjsua does not offer a parameter to change the TLS protocol version, the attached patch changes the default of PJSIP to the default of OpenSSL which keeps up with future changes in OpenSSL.
Change History (1)
comment:1 Changed 10 years ago by bennylp
- Resolution set to fixed
- Status changed from new to closed
In 4869: