
68.0.14 Security upgrade


Frederic Pi


Hello, I need technical advice. In version 68.0.14 you have introduced new recommendations. You have to switch the minimum TLS and DTLS to 1.2; OK, I understand, and the phones are compatible. My question is about the parameter "Ignore packets that do not match a domain on the system": should I switch it to "on"? At the time, Sachim told me to deactivate it because this parameter had caused problems... have they been corrected?


Changelog 68.0.14 :

TLS: When filtering by domain is enabled, the system will not process HTTPS connections that don’t have the right server name. SIP and LDAP can still accept connections without SNI. Added SHA512/RSA signature for certificates.

[Screenshot attached to the post: tls.png]

Regards, Frédéric PI.


TLS 1.0 and TLS 1.1 are increasingly seen as security risks, and so they should be turned off. For example, Safari shows a big warning that the website is insecure when it finds out that the web server would allow TLS 1.0 or 1.1. Practically everything supports TLS 1.2 today, so it makes sense to make that the minimum version.

The main exception is old VoIP phones. Some phones are so old that there is no firmware update available that would include TLS 1.2. My opinion is that they are not secure anyway and should not use TLS, but TCP instead. This should work in many cases, except when there are firewalls that modify SIP/TCP packets.

The bottom line is that for new installations I would definitely recommend using TLS 1.2. For existing installations the motto is "never touch a running system" unless there is a need. When an old installation needs to use apps, that might be the reason to upgrade to TLS 1.2 and move old devices to TCP.

I would also recommend turning the "ignore packets ..." setting on so that scanners cannot guess the DNS name for the server and do bigger damage. This should be working very well now in 68.0.14, where this is also happening at the HTTP/TLS level when there are clients that don't indicate the server name.

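To make the two recommendations in the reply above concrete, here is an added example that is not part of this thread and not the PBX vendor's code. It parses a TLS ClientHello record, extracts the Server Name Indication (SNI) and the protocol versions the client offers, and then applies the two policies discussed: reject clients that cannot do TLS 1.2, and, when "ignore packets that do not match a domain on the system" is on, reject HTTPS connections whose SNI is missing or is not one of the configured domains. The domain list and the ClientHello messages are constructed for the example; the PBX's real implementation may differ.

```python
"""Added example (not the PBX's own code): inspect a TLS ClientHello and apply
a minimum-version policy plus an SNI domain filter. The configured domain list
and all ClientHello messages below are constructed for this example."""
import struct

TLS_HANDSHAKE = 0x16            # record content type
CLIENT_HELLO = 0x01             # handshake message type
EXT_SNI = 0x0000                # server_name extension
EXT_SUPPORTED_VERSIONS = 0x002B # TLS 1.3 clients list real versions here
VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}

# Hypothetical domains configured on the system (assumption for the example).
CONFIGURED_DOMAINS = {"pbx.example.com", "sip.example.net"}


def parse_client_hello(record: bytes) -> dict:
    """Return {'versions': [int, ...], 'sni': str | None} for one TLS record
    carrying a ClientHello; raise ValueError on anything malformed."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    (legacy_version,) = struct.unpack("!H", hello[0:2])
    pos = 2 + 32                                   # skip client random
    sid_len = hello[pos]; pos += 1 + sid_len       # session id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2 + cs_len  # cipher suites
    comp_len = hello[pos]; pos += 1 + comp_len     # compression methods
    versions, sni = [legacy_version], None
    if pos + 2 <= len(hello):                      # extensions are optional
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
        end = pos + ext_len
        if end > len(hello):
            raise ValueError("extensions overrun the message")
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + ext_size]; pos += ext_size
            if ext_type == EXT_SNI:
                p = 2                              # skip ServerNameList length
                while p + 3 <= len(data):
                    name_type = data[p]
                    (name_len,) = struct.unpack("!H", data[p + 1:p + 3]); p += 3
                    name = data[p:p + name_len]; p += name_len
                    if name_type == 0 and sni is None:   # host_name entry
                        sni = name.decode("ascii")
            elif ext_type == EXT_SUPPORTED_VERSIONS:
                n = data[0]                        # byte length of the version list
                versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"versions": versions, "sni": sni}


def decide(record: bytes, domains=CONFIGURED_DOMAINS, min_version=0x0303,
           filter_by_domain=True):
    """Apply the policy; return (accepted, reason)."""
    try:
        info = parse_client_hello(record)
    except (ValueError, struct.error, IndexError) as exc:
        return False, f"malformed ClientHello: {exc}"
    best = max(info["versions"])
    if best < min_version:
        return False, f"client offers at most {VERSION_NAMES.get(best, hex(best))}; minimum is TLS1.2"
    if filter_by_domain:
        if info["sni"] is None:
            return False, "no SNI: connection ignored (typical for scanners hitting the IP)"
        if info["sni"].lower() not in domains:
            return False, f"SNI {info['sni']!r} is not a domain on this system"
    return True, f"ok: {VERSION_NAMES.get(best, hex(best))} for {info['sni'] or '<no SNI>'}"


def build_client_hello(legacy_version: int, sni=None, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello record (one cipher suite, null compression)
    so the policy can be exercised offline."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        exts += struct.pack("!HH", EXT_SNI, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vs) + 1) + bytes([len(vs)]) + vs
    hello = (struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00"  # random, empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f"                          # one cipher suite
             + b"\x01\x00"                                                 # null compression
             + struct.pack("!H", len(exts)) + exts)
    body = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + struct.pack("!H", 0x0303) + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for label, rec in [
        ("old phone, TLS 1.0 only", build_client_hello(0x0301, sni="pbx.example.com")),
        ("browser, TLS 1.3",        build_client_hello(0x0303, sni="pbx.example.com", supported_versions=[0x0304, 0x0303])),
        ("scanner, no SNI",         build_client_hello(0x0303)),
        ("wrong domain",            build_client_hello(0x0303, sni="scanner.example.org")),
    ]:
        print(f"{label:28s} -> {decide(rec)}")
```

Two caveats worth keeping in mind when reading this against the 68.0.14 changelog quoted in the first post: the SNI filter applies to HTTPS, while SIP and LDAP can still accept connections without SNI, so a phone registering over SIP/TLS without sending a server name is not affected by the domain filter; and a server only learns the real offered versions of a TLS 1.3 client from the supported_versions extension, which is why the example prefers that list over the legacy version field.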
