pjsua: SSL instead of TLS

Klaus Darilion
Fri, Feb 8, 2008 1:14 PM

Hi!

I just wanted to try pjsua with TLS but it fails as pjsua sends an SSLv3
compatible Hello whereas SIP requires TLS.

regards
klaus

Benny Prijono
Fri, Feb 8, 2008 3:49 PM

On 2/8/08, Klaus Darilion <klaus.mailinglists@pernau.at> wrote:
> Hi!
>
> I just wanted to try pjsua with TLS but it fails as pjsua sends an SSLv3
> compatible Hello whereas SIP requires TLS.

Is it? I thought TLSv2/3 is okay.

Anyway, PJSIP uses TLSv23 by default. If you'd like to use TLSv1, just
add this when creating the TLS transport:

tcp_cfg.tls_setting.method = PJSIP_TLSV1_METHOD;

cheers,
-benny

> regards
> klaus

Klaus Darilion
Mon, Feb 11, 2008 11:17 AM

Thanks for the info.

I've checked RFC 3261: It only talks about TLS (RFC 2246) - no single
word mentions SSL.

RFC 2246 itself refers to SSL for backward compatibility reasons only.
When using openssl, it allows sending an SSLv2 ClientHello which
indicates SSLv3 and TLSv1 support too. But I'm not sure if this is
generally the case or only supported by openssl. Further, SSLv2 should
be disabled anyway (insecure).

Thus, IMO TLSv1 should be the default value. I have asked the SIP
implementors list for clarification.

Anyway I have a feature request: allowing to set the TLS method via
command line for the pjsua client.

regards
klaus

PS: at
http://www.pjsip.org/pjsip/docs/html/structpjsip__tls__setting.htm#3a453c419c092ecc05f0141da36183fa
there is a typo (TLS instead of SSL)

PJSIP_SSLV2_METHOD(2): TLSv2

PJSIP_SSLV3_METHOD(3): TLSv3

PJSIP_SSLV23_METHOD(23): TLSv23

Benny Prijono wrote:
> On 2/8/08, Klaus Darilion <klaus.mailinglists@pernau.at> wrote:
>> Hi!
>>
>> I just wanted to try pjsua with TLS but it fails as pjsua sends an SSLv3
>> compatible Hello whereas SIP requires TLS.
>
> Is it? I thought TLSv2/3 is okay.
>
> Anyway, PJSIP uses TLSv23 by default. If you'd like to use TLSv1, just
> add this when creating the TLS transport:
>
> tcp_cfg.tls_setting.method = PJSIP_TLSV1_METHOD;
>
> cheers,
> -benny
>
>> regards
>> klaus
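
Added example, not part of the original thread and not PJSIP or OpenSSL code: a small C classifier that tells the SSLv2-framed compatibility ClientHello described in the message above apart from a native SSLv3/TLS record and reads the version each one offers. The function names, the acceptance policy and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hello_form { HELLO_UNKNOWN, HELLO_SSLV2_COMPAT, HELLO_TLS_RECORD };

struct hello_info {
    enum hello_form form;
    unsigned version;   /* highest version offered: 0x0002, 0x0300, 0x0301 */
};

/* Classify the first bytes a client sends on the SIP TLS port. */
static struct hello_info classify_hello(const uint8_t *p, size_t n)
{
    struct hello_info r = { HELLO_UNKNOWN, 0 };
    /* SSLv2 framing: 2-byte length with the high bit set, msg-type 1
     * (CLIENT-HELLO), then the highest version the client offers. */
    if (n >= 5 && (p[0] & 0x80) && p[2] == 0x01) {
        r.form = HELLO_SSLV2_COMPAT;
        r.version = ((unsigned)p[3] << 8) | p[4];
    /* SSLv3/TLS framing: record type 22 (handshake), record version,
     * 2-byte length, handshake type 1, 3-byte length, client_version. */
    } else if (n >= 11 && p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01) {
        r.form = HELLO_TLS_RECORD;
        r.version = ((unsigned)p[9] << 8) | p[10];
    }
    return r;
}

/* Assumed policy for this example: accept only a native TLS record that
 * offers TLSv1 (0x0301) or later; reject SSLv2 framing and SSLv3-only. */
static int hello_acceptable(const uint8_t *p, size_t n)
{
    struct hello_info h = classify_hello(p, n);
    return h.form == HELLO_TLS_RECORD && h.version >= 0x0301;
}

/* Constructed sample prefixes, not captured traffic. */
static const uint8_t v2_compat[] = { 0x80, 0x2e, 0x01, 0x03, 0x01, 0x00, 0x15 };
static const uint8_t tls1[] = { 0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b, 0x03, 0x01 };
static const uint8_t ssl3[] = { 0x16, 0x03, 0x00, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b, 0x03, 0x00 };

int main(void)
{
    printf("SSLv2-compatible hello accepted: %d\n", hello_acceptable(v2_compat, sizeof v2_compat));
    printf("TLSv1 hello accepted:            %d\n", hello_acceptable(tls1, sizeof tls1));
    printf("SSLv3 hello accepted:            %d\n", hello_acceptable(ssl3, sizeof ssl3));
    return 0;
}
```

The SSLv2-framed sample offers version 0x0301, so it would negotiate TLSv1 with a peer that accepts the compatibility framing, but a peer that only parses TLS records fails on the first byte.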

Benny Prijono
Fri, Feb 15, 2008 8:11 AM

Done (http://trac.pjsip.org/repos/ticket/481). Default TLS version is
now TLSv1, and also fixed the typos (website will be updated on next
update schedule). I guess with this we don't need to have the command
line option to set TLS version in pjsua.

thanks
-benny

On 2/11/08, Klaus Darilion <klaus.mailinglists@pernau.at> wrote:
> Thanks for the info.
>
> I've checked RFC 3261: It only talks about TLS (RFC 2246) - no single
> word mentions SSL.
>
> RFC 2246 itself refers to SSL for backward compatibility reasons only.
> When using openssl, it allows sending an SSLv2 ClientHello which
> indicates SSLv3 and TLSv1 support too. But I'm not sure if this is
> generally the case or only supported by openssl. Further, SSLv2 should
> be disabled anyway (insecure).
>
> Thus, IMO TLSv1 should be the default value. I have asked the SIP
> implementors list for clarification.
>
> Anyway I have a feature request: allowing to set the TLS method via
> command line for the pjsua client.
>
> regards
> klaus
>
> PS: at
> http://www.pjsip.org/pjsip/docs/html/structpjsip__tls__setting.htm#3a453c419c092ecc05f0141da36183fa
> there is a typo (TLS instead of SSL)
>
> PJSIP_SSLV2_METHOD(2): TLSv2
> PJSIP_SSLV3_METHOD(3): TLSv3
> PJSIP_SSLV23_METHOD(23): TLSv23
>
> Benny Prijono wrote:
>> On 2/8/08, Klaus Darilion <klaus.mailinglists@pernau.at> wrote:
>>> Hi!
>>>
>>> I just wanted to try pjsua with TLS but it fails as pjsua sends an SSLv3
>>> compatible Hello whereas SIP requires TLS.
>>
>> Is it? I thought TLSv2/3 is okay.
>>
>> Anyway, PJSIP uses TLSv23 by default. If you'd like to use TLSv1, just
>> add this when creating the TLS transport:
>>
>> tcp_cfg.tls_setting.method = PJSIP_TLSV1_METHOD;
>>
>> cheers,
>> -benny
>>
>>> regards
>>> klaus

Klaus Darilion
Fri, Feb 15, 2008 10:05 AM

Benny Prijono wrote:
> Done (http://trac.pjsip.org/repos/ticket/481). Default TLS version is
> now TLSv1, and also fixed the typos (website will be updated on next
> update schedule). I guess with this we don't need to have the command
> line option to set TLS version in pjsua.

ok. thanks

klaus

> thanks
> -benny
>
> On 2/11/08, Klaus Darilion <klaus.mailinglists@pernau.at> wrote:
>> Thanks for the info.
>>
>> I've checked RFC 3261: It only talks about TLS (RFC 2246) - no single
>> word mentions SSL.
>>
>> RFC 2246 itself refers to SSL for backward compatibility reasons only.
>> When using openssl, it allows sending an SSLv2 ClientHello which
>> indicates SSLv3 and TLSv1 support too. But I'm not sure if this is
>> generally the case or only supported by openssl. Further, SSLv2 should
>> be disabled anyway (insecure).
>>
>> Thus, IMO TLSv1 should be the default value. I have asked the SIP
>> implementors list for clarification.
>>
>> Anyway I have a feature request: allowing to set the TLS method via
>> command line for the pjsua client.
>>
>> regards
>> klaus
>>
>> PS: at
>> http://www.pjsip.org/pjsip/docs/html/structpjsip__tls__setting.htm#3a453c419c092ecc05f0141da36183fa
>> there is a typo (TLS instead of SSL)
>>
>> PJSIP_SSLV2_METHOD(2): TLSv2
>> PJSIP_SSLV3_METHOD(3): TLSv3
>> PJSIP_SSLV23_METHOD(23): TLSv23
>>
>> Benny Prijono wrote:
>>> On 2/8/08, Klaus Darilion <klaus.mailinglists@pernau.at> wrote:
>>>> Hi!
>>>>
>>>> I just wanted to try pjsua with TLS but it fails as pjsua sends an SSLv3
>>>> compatible Hello whereas SIP requires TLS.
>>>
>>> Is it? I thought TLSv2/3 is okay.
>>>
>>> Anyway, PJSIP uses TLSv23 by default. If you'd like to use TLSv1, just
>>> add this when creating the TLS transport:
>>>
>>> tcp_cfg.tls_setting.method = PJSIP_TLSV1_METHOD;
>>>
>>> cheers,
>>> -benny
>>>
>>>> regards
>>>> klaus
