
HOWTO SSL/TLS Vulnerabilities

NOTE: PBXware version 7 and above have old TLS versions disabled by default.

  • Communicator/gloCOM applications


On the latest PBXware version (6.7.x), our applications (Communicator, gloCOM) use TLS v1.2, so please make sure your systems are on the latest PBXware version.


  • SSL certificate 
To avoid vulnerabilities reported due to the SSL certificate, please make sure you have a valid SSL certificate issued for your domain and that you are accessing your system using the domain. If you access the Web GUI with an IP address, the certificate will not be detected as valid, because an SSL certificate can be issued only for a valid domain.


  • Disable TLS v1 and v1.1 in the nginx configuration 

To disable TLS v1 and v1.1 in the nginx configuration for Web GUI, and the configuration that is served to the phones when auto-provisioning, please follow the instructions: 


-SSH to your system
-Execute the following command -> "nano /opt/pbxware/pw/etc/nginx/nginx.conf"
-Please find the following line -> "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;". 

NOTE: Please note that there are 2 different sections within the nginx.conf containing these lines: a section for port 443 (standard HTTPS port) and a section for port 6443 (HTTPS port that might be used for other purposes as well). It should be enough to make changes only for port 443, but if necessary, please make the same changes to port 6443 as well. 

-Copy the line above and paste it below, so you would have duplicates
-Delete the following from the first line -> "TLSv1"
-Add a "#" in front of the second line -> "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"
-Save the document -> CTRL + S
-Exit the document -> CTRL + X


In addition to the protocol version, a security check may still raise red flags because of the ciphers listed. You can modify the list of ciphers to leave only those that support TLS v1.2:


Replace the line: 


ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!MD5';


with 


ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!MD5:!PSK:!RC4';


The "!" symbol in front of a cipher suite name indicates that the cipher suite is being excluded from the list of available cipher suites. The excluded cipher suites are typically ones that are considered weak or have known vulnerabilities that could be exploited by attackers.


In the case of "!eNULL", it means that cipher suites that use a null encryption algorithm (i.e., no encryption) are being excluded. Similarly, "!aNULL" indicates that cipher suites that use a null authentication algorithm (i.e., no authentication) are being excluded, and "!EXPORT" indicates that cipher suites that use weak, export-grade encryption algorithms are being excluded.


By excluding these weak cipher suites, the overall security of the SSL/TLS connection is improved, as the remaining cipher suites are considered to be more secure and less susceptible to attacks.



After you have done the above, please restart the PBXware in the following way:
/opt/pbxware/sh/pbxware stop --> to stop the PBXware
/opt/pbxware/sh/pbxware start --> to start the PBXware

Please note that some older phones might not work with TLS v1.2, so if you plan on disabling TLS v1 and v1.1, please make sure to verify the phone models and what TLS version is supported by the phones you use.
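
To confirm the edit after saving, the check below reads an nginx configuration and reports, per listening port, whether TLS v1/v1.1 or a DES cipher is still active. It is an added example, not PBXware code: the function names `audit_nginx_tls` and `sample_conf` are made up for this example, the sample configuration is constructed, and on a real system the file to pass is /opt/pbxware/pw/etc/nginx/nginx.conf.

```shell
# Added example (not PBXware code): text-level audit of ssl_protocols / ssl_ciphers.
# Assumes both directives sit inside the server { } blocks, as the HOWTO describes.
audit_nginx_tls() {
  awk '
    function report(   i, n, t, why) {
      if (port == "" || protos == "") return
      n = split(protos, t, " ")
      for (i = 1; i <= n; i++)        # protocol versions the HOWTO disables
        if (t[i] == "TLSv1" || t[i] == "TLSv1.1") why = why " " t[i]
      n = split(ciphers, t, ":")
      for (i = 1; i <= n; i++)        # DES/3DES suites listed without a leading "!"
        if (t[i] !~ /^!/ && t[i] ~ /DES/) why = why " " t[i]
      print port, (why == "" ? "OK" : "WEAK" why)
    }
    {
      sub(/#.*/, "")                  # skip comments, e.g. the "#"-disabled duplicate
      gsub("[;\047\"]", " ")          # drop ";" and the quotes around the cipher list
    }
    $1 == "server" && /[{]/         { in_srv = 1; base = depth; port = protos = ciphers = "" }
    in_srv && $1 == "listen"        { port = $2; sub(/.*:/, "", port) }
    in_srv && $1 == "ssl_protocols" { protos = $0; sub(/^[ \t]*ssl_protocols/, "", protos) }
    in_srv && $1 == "ssl_ciphers"   { ciphers = $2 }
    {
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (in_srv && depth <= base) { report(); in_srv = 0 }
    }
  ' "$1"
}

# Constructed sample: port 443 restricted to TLSv1.2, port 6443 still at the old values.
sample_conf() {
  cat <<'EOF'
http {
  server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:!DES-CBC3-SHA:!aNULL:!MD5';
  }
  server {
    listen 6443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!MD5';
  }
}
EOF
}
tmp=$(mktemp) && sample_conf > "$tmp" && audit_nginx_tls "$tmp"; rm -f "$tmp"
```

A port reported as WEAK lists the protocol versions and cipher names that still need to be removed from that section.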


  • Vulnerabilities detected on port 5061


To check the current ciphers and the used method, run: 


asterisk -rx 'pjsip show transport tls'


If the vulnerabilities are reported for SIP TLS on port 5061, it might be due to the ciphers that are detected for the default TLS settings. By default, the ciphers that are supported on PBXware are: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, and the ones that support TLS v1 and v1.1 are: 

ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA, AES128-SHA, ECDHE-RSA-AES256-SHA, and ECDHE-ECDSA-AES256-SHA.


To disable the usage of ciphers that support TLS v1 and v1.1, you can modify the method that is used. 

Currently, by default, the method that is used is sslv23, and you can change the method to tlsv1_2. 

sslv23 is a method that allows the server and client to negotiate the highest mutually supported SSL/TLS version for secure communication. This means that if the client supports SSLv3, TLSv1, TLSv1.1, and TLSv1.2, and the server supports TLSv1.2, the two endpoints will negotiate and use TLSv1.2 for the secure connection.


On the other hand, tlsv1_2 is a specific method that enforces the use of the TLSv1.2 protocol only for secure communication and will not allow the use of any other SSL/TLS protocol versions. This is a more strict method that provides a higher level of security than sslv23.


While sslv23 provides more flexibility in terms of protocol negotiation, it may also allow the use of older and potentially insecure SSL/TLS versions if both client and server support them. tlsv1_2, on the other hand, ensures that only the most secure TLS version is used, but may limit the compatibility with older endpoints that do not support TLSv1.2.

To change this, you would add this line into the Protocols section.


[transport-secure-tpl]
method=tlsv1_2


After that, please make sure to restart PBXware, and the changes will be applied.

  

/opt/pbxware/sh/pbxware restart



You can also use openssl to check whether any ciphers are detected on the system for TLS v1 and v1.1.
Run the commands below from your machine:

openssl s_client -connect IP:5061 -tls1_1
openssl s_client -connect IP:5061 -tls1


Replace 'IP' with your IP/hostname. For example:



If the output is as shown above, it means that there are no ciphers detected on port 5061 for TLS v1.1. 



You can run the same command for TLS v1.2 as shown above, and if there are certificate details shown, it means that the version is supported and can be used. 
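
The openssl checks above can be scripted so that each protocol version gets a one-word verdict. This is an added example, not PBXware code: the function names are made up for this example, the two sample outputs are constructed excerpts in the layout `openssl s_client` prints, and `probe_tls` assumes OpenSSL 1.1.0 or newer on the machine running it.

```shell
# Added example (not PBXware code): classify one "openssl s_client" run read from stdin.
# Prints "accepted <protocol> <cipher>", "rejected", or "inconclusive".
s_client_verdict() {
  awk '
    /Cipher is /        { cipher = $NF; seen = 1 }   # "New, TLSv1.2, Cipher is <suite>"
    /^ *Protocol *: /   { proto = $NF }              # from the SSL-Session block
    END {
      if (!seen)                    print "inconclusive"   # no handshake summary at all
      else if (cipher == "(NONE)")  print "rejected"       # handshake failed for this version
      else                          print "accepted", proto, cipher
    }'
}

# probe_tls HOST:PORT runs the HOWTO's checks plus -tls1_2 and labels each result.
# Assumes OpenSSL 1.1.0+; @SECLEVEL=0 lets a 3.x client still offer TLS v1/v1.1.
probe_tls() {
  for v in tls1 tls1_1 tls1_2; do
    printf '%s: ' "$v"
    openssl s_client -connect "$1" "-$v" -cipher 'DEFAULT:@SECLEVEL=0' \
      </dev/null 2>&1 | s_client_verdict
  done
}

# Constructed excerpts in the layout s_client prints (not captured from a real system).
sample_rejected() {
  cat <<'EOF'
CONNECTED(00000003)
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
EOF
}
sample_accepted() {
  cat <<'EOF'
CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}
sample_rejected | s_client_verdict; sample_accepted | s_client_verdict
```

A client build or system policy that itself disables TLS v1/v1.1 also ends in a failed handshake, so run `probe_tls IP:5061` from a machine whose openssl can still offer those versions before treating "rejected" as proof of the server's setting.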


  • 112-bit ciphers


If the security condition is that ciphers are at least 256 bits, and there are warnings for 112-bit ciphers, please make sure to remove all 'DES' ciphers from the configuration file. 


Accepted  TLSv1.2  112 bits  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Accepted  TLSv1.2  112 bits  TLS_RSA_WITH_3DES_EDE_CBC_SHA