Frederic Pi Posted April 25, 2022

Hello, I need technical advice. In version 68.0.14 you have introduced new recommendations. You have to switch the minimum TLS and DTLS to 1.2; OK, I understand, and the phones are compatible. My question is about the parameter "Ignore packets that do not match a domain on the system": should I switch it to "on"? At the time, Sachim told me to deactivate it because this parameter had caused problems... are they corrected?

Changelog 68.0.14:
TLS: When filtering by domain is enabled, the system will not process HTTPS connections that don't have the right server name. SIP and LDAP can still accept connections without SNI. Added SHA512/RSA signature for certificates.

Kind regards, Frédéric PI.
Frederic Pi (Author) Posted April 25, 2022

I'm wondering whether to switch "on" this parameter: "Ignore packets that do not match a domain on the system". It could ignore these attempts:
Vodia PBX Posted April 25, 2022

TLS 1.0 and TLS 1.1 are increasingly seen as security risks, and so they should be turned off. For example, Safari shows that the web site is insecure with a big warning when it finds out that the web server would allow TLS 1.0 or 1.1. Practically everything supports TLS 1.2 today, so it makes sense to make that the minimum version.

The main exception is old VoIP phones. Some phones are so old that there is no firmware update available that would include TLS 1.2. My opinion is that they are not secure anyway and should not use TLS, but use TCP instead. This should work in many cases, except when there are firewalls that modify SIP/TCP packets.

The bottom line is that for new installations I would definitely recommend using TLS 1.2. For existing installations the motto is "never touch a running system" unless there is a need. When an old installation needs to use apps, that might be the need to upgrade to TLS 1.2 and move old devices to TCP.

I would also recommend turning the "ignore packets ..." setting on so that scanners cannot guess the DNS name for the server and do bigger damage. This should be working very well now in 68.0.14, where this is also happening on the HTTP/TLS level when there are clients that don't indicate the server name.
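The behaviour described in the answer above (TLS 1.2 as the minimum version, HTTPS handshakes dropped when the SNI does not name a domain on the system, SIP/LDAP-style listeners still tolerating a missing SNI) can be illustrated with a small server-side TLS context. This is an added example, not Vodia code; the domain list and the `allow_missing_sni` switch are constructed assumptions standing in for the PBX's own configuration.

```python
"""Added illustration (not Vodia code): a server TLSContext that enforces
TLS 1.2 minimum and refuses handshakes whose SNI is not a system domain."""
import ssl

# Constructed sample: the domains configured on the (hypothetical) system.
SYSTEM_DOMAINS = {"pbx.example.com", "sip.example.com"}


def sni_decision(server_name, domains, allow_missing_sni=False):
    """Return "accept" or "reject" for one ClientHello.

    server_name is None when the client sent no SNI extension at all, which
    is what a scanner connecting to the bare IP address does. HTTPS listeners
    pass allow_missing_sni=False; listeners that must keep working without
    SNI (the SIP/LDAP case in the changelog) pass True."""
    if server_name is None:
        return "accept" if allow_missing_sni else "reject"
    name = server_name.lower().rstrip(".")
    return "accept" if name in domains else "reject"


def configure_server_context(domains, allow_missing_sni=False):
    """Build a server-side SSLContext with TLS 1.2 minimum and SNI filtering.

    The caller still has to load a certificate chain before serving
    (ctx.load_cert_chain(...)); that step is left out so the example runs
    offline without key material."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0 / 1.1 refused

    def on_client_hello(sock, server_name, context):
        # Returning an alert code aborts the handshake; None lets it proceed.
        if sni_decision(server_name, domains, allow_missing_sni) == "reject":
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        return None

    ctx.sni_callback = on_client_hello
    return ctx


if __name__ == "__main__":
    https_ctx = configure_server_context(SYSTEM_DOMAINS)
    print("minimum version:", https_ctx.minimum_version.name)
    for probe in ("pbx.example.com", "unknown.example.net", None):
        print(repr(probe), "->", sni_decision(probe, SYSTEM_DOMAINS))
```

With the filter on, a probe that arrives without SNI or with a guessed name gets an `unrecognized_name` alert before any HTTP is processed; a real phone that was provisioned with the system's DNS name is unaffected.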
Frederic Pi (Author) Posted May 26, 2022

Yes, thank you Vodia for this detailed explanation. I used this parameter on several systems and it works perfectly without creating any problem with legitimate equipment.