- Communicator/gloCOM applications
- SSL certificate
- Disable TLS v1 and v1.1 in the nginx configuration
  - Execute the following command -> "nano /opt/pbxware/pw/etc/nginx/nginx.conf"
  - Please find the following line -> "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;".
  - Copy the line above and paste it below, so you would have duplicates
  - Delete the following from the first line -> "TLSv1"
  - Add a "#" in front of the second line -> "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"
  - Save the document -> CTRL + S
  - Exit the document -> CTRL + X
In addition to the protocol version, a security check may still raise red flags because of the ciphers listed. You can modify the list of ciphers to leave only those that support TLS v1.2:
Replace the line:
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!MD5';
with
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!MD5:!PSK:!RC4';
The "!" symbol in front of a cipher suite name indicates that the cipher suite is being excluded from the list of available cipher suites. The excluded cipher suites are typically ones that are considered weak or have known vulnerabilities that could be exploited by attackers.
In the case of "!eNULL", it means that cipher suites that allow for a null (i.e., zero-length) encryption algorithm are being excluded. Similarly, "!aNULL" indicates that cipher suites that allow for a null authentication algorithm are being excluded, and "!EXPORT" indicates that cipher suites that use weak, export-grade encryption algorithms are being excluded.
By excluding these weak cipher suites, the overall security of the SSL/TLS connection is improved, as the remaining cipher suites are considered to be more secure and less susceptible to attacks.
/opt/pbxware/sh/pbxware stop --> to stop the PBXware
/opt/pbxware/sh/pbxware start --> to start the PBXware
Please note that some older phones might not work with TLS v1.2, so if you plan on disabling TLS v1 and v1.1, please make sure to verify the phone models and what TLS version is supported by the phones you use.
- Vulnerabilities detected on port 5061
To check the current ciphers and the used method, run:
asterisk -rx 'pjsip show transport tls'
If the vulnerabilities are reported for SIP TLS on port 5061, it might be due to the ciphers that are detected for the default TLS settings. By default, the ciphers that are supported on PBXware are: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, and the ones that support TLS v1 and v1.1 are:
To disable the usage of ciphers that support TLS v1 and v1.1, you can modify the method that is used.
Currently, by default, the method that is used is sslv23, and you can change the method to tlsv1_2.
sslv23 is a method that allows the server and client to negotiate the highest mutually supported SSL/TLS version for secure communication. This means that if the client supports SSLv3, TLSv1, TLSv1.1, and TLSv1.2, and the server supports TLSv1.2, the two endpoints will negotiate and use TLSv1.2 for the secure connection.
On the other hand, tlsv1_2 is a specific method that enforces the use of the TLSv1.2 protocol only for secure communication and will not allow the use of any other SSL/TLS protocol versions. This is a more strict method that provides a higher level of security than sslv23.
While sslv23 provides more flexibility in terms of protocol negotiation, it may also allow the use of older and potentially insecure SSL/TLS versions if both client and server support them. tlsv1_2, on the other hand, ensures that only the most secure TLS version is used, but may limit the compatibility with older endpoints that do not support TLSv1.2.
To change this, you would add this line into the Protocols section.
[transport-secure-tpl]
method=tlsv1_2
After that, please make sure to restart PBXware, and the changes will be applied.
/opt/pbxware/sh/pbxware restart
openssl s_client -connect IP:5061 -tls1_1
openssl s_client -connect IP:5061 -tls1
Where you will change 'IP' to your IP/hostname. For example:
If the output is as shown above, it means that there are no ciphers detected on port 5061 for TLS v1.1.
You can run the same command for TLS v1.2 as shown above, and if there are certificate details shown, it means that the version is supported and can be used.
- 112-bit ciphers
If the security condition is that ciphers are at least 256 bits, and there are warnings for 112-bit ciphers, please make sure to remove all 'DES' ciphers from the configuration file.
Accepted TLSv1.2 112 bits TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1.2 112 bits TLS_RSA_WITH_3DES_EDE_CBC_SHA
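The nginx edits and the DES removal described above can be checked before a rescan. The script below is an added example, not part of the original page or of PBXware; the function names and the sample configuration are constructed for illustration. It reads only active (uncommented) directives, reports any protocol older than TLS v1.2 that is still enabled, and lists cipher entries that are enabled without a "!" prefix and belong to a weak family such as 3DES.

```shell
#!/bin/sh
# Added example (not vendor code): audit an nginx config for legacy TLS settings.

# Constructed sample: the edited ssl_protocols line is active, the original is
# commented out, and one 3DES suite is still enabled in ssl_ciphers.
sample_conf() {
cat <<'EOF'
http {
    ssl_protocols TLSv1.2;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA:!aNULL:!MD5';
}
EOF
}

# Print the values of an active (uncommented) directive, one token per line.
# $1 = directive name, $2 = config file
directive_tokens() {
    sed -e 's/#.*$//' "$2" |
    awk -v d="$1" '$1 == d { for (i = 2; i <= NF; i++) print $i }' |
    tr -d "';\"" | tr ':' '\n' | sed '/^$/d'
}

# Protocol versions older than TLS v1.2 that are still enabled.
legacy_protocols() {
    directive_tokens ssl_protocols "$1" |
    grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$' || true
}

# Cipher entries that are enabled (no "!" prefix) and belong to a weak family.
weak_ciphers() {
    directive_tokens ssl_ciphers "$1" |
    grep -v '^!' | grep -E 'DES|RC4|MD5|NULL|EXP' || true
}

# Demo on the constructed sample configuration.
conf=$(mktemp)
sample_conf > "$conf"
echo "legacy protocols: $(legacy_protocols "$conf" | tr '\n' ' ')"
echo "weak ciphers:     $(weak_ciphers "$conf" | tr '\n' ' ')"
rm -f "$conf"
```

To audit the live file, call the two functions with /opt/pbxware/pw/etc/nginx/nginx.conf; empty output from both means no legacy protocol or weak cipher entry is active.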