
Counterpath Bria no longer working (RFC 5746)


cwernstedt


I had noticed this issue a few months ago, your users must have only just updated the iOS app? The issue came out in this release. Bria Enterprise 6.12.1 (May 26, 2023)

Quote

Bria Enterprise 6.12.1 (May 26, 2023)

 


OpenSSL 3.0 Support

The Bria app uses OpenSSL 3.0. Ensure your service provider supports secure renegotiation as per RFC 5746. Support for RFC 5746 secure renegotiation is now required by default for SSL or TLS connections to succeed.

No Logout Button for End User Portal

The Logout button is now removed from End User Portal when accessing it from within the app.

Resolved issues

  • Fixed an issue where a missed call notification didn't appear properly on iOS 15.

68.0.28 was supposedly when RFC 5746 was enabled by default.

What version are you on? 

It does work in 68.0.32


User devices are set to auto-update (iOS users don't normally select updates à la carte), so the date of the onset of the problem doesn't correlate with when the Bria release notes claim that RFC 5746 began to be mandatory.

In any case, I'm really pissed off by Bria, who pretend to offer an enterprise/teams solution when they don't communicate compatibility-breaking changes well in advance. All normal companies do this. Usually we're given a heads up of multiple months if not years, if there's a new requirement.

Thanks for the info on 68.0.28 / 68.0.32. When you say RFC 5746 was enabled by default, does this imply that in earlier versions, RFC 5746 could be manually enabled by setting some parameter?

We have 63.0.1. I'm not a fan of having to panic-upgrade as past upgrades have tended to break things.


Quote

Thanks for the info on 68.0.28 / 68.0.32. When you say RFC 5746 was enabled by default, does this imply that in earlier versions, RFC 5746 could be manually enabled by setting some parameter?

My understanding was it's there in other versions but not the default, not sure what versions. 

I could be wrong but that would be best answered by Vodia as to if you could enable it, maybe a custom entry in pbx.xml?

 


The thing is that the PBX does not pass security scans unless it supports RFC 5746. There is a vulnerability for MiM attacks that RFC 5746 resolves. I would be surprised that this would pose a problem for Bria, as practically all servers that use TLS support this RFC. Anyhow, maybe someone can pass a PCAP to us so that we can take a look at what is going on. On a side note, we are starting to replace LE RSA certificates with ECDH certificates, which might also be worth testing e.g. with Bria.


On 9/1/2023 at 5:49 AM, Vodia PBX said:

The thing is that the PBX does not pass security scans unless it supports RFC 5746. There is a vulnerability for MiM attacks that RFC 5746 resolves. I would be surprised that this would pose a problem for Bria, as practically all servers that use TLS support this RFC. Anyhow, maybe someone can pass a PCAP to us so that we can take a look at what is going on. On a side note, we are starting to replace LE RSA certificates with ECDH certificates, which might also be worth testing e.g. with Bria.

All I can say is once the changes were made to 68.0.28 TLS and Bria worked on the mobile devices after their 6.12.1 update. 
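
When reading the PCAP requested above, the field to check is the `renegotiation_info` extension (type 0xff01) in the PBX's ServerHello, which is how a server signals RFC 5746 support on a TLS 1.2 or earlier handshake. The Python below is an added example, not code from Vodia or CounterPath; it assumes the ServerHello sits unfragmented in one TLS record, and the sample records are constructed here rather than captured.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746

def server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} for one TLS record holding a ServerHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record starting with ServerHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len or hs_len + 4 > rec_len or hs_len < 38:
        raise ValueError("truncated or fragmented ServerHello")
    pos = 2 + 32                  # legacy version + random
    pos += 1 + hello[pos]         # session_id length byte + session_id
    pos += 2 + 1                  # cipher_suite + compression_method
    exts = {}
    if pos >= len(hello):         # legacy server: no extensions block
        return exts
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(hello)):
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def signals_secure_renegotiation(record: bytes) -> bool:
    # On an initial handshake the extension carries an empty
    # renegotiated_connection, encoded as the single byte 0x00.
    return server_hello_extensions(record).get(RENEGOTIATION_INFO) == b"\x00"

def build_server_hello(extensions: bytes) -> bytes:
    """Constructed TLS 1.2 ServerHello record for the demo, not captured traffic."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed samples: with renegotiation_info, with only ec_point_formats, with none.
WITH_RI = build_server_hello(b"\xff\x01\x00\x01\x00")
WITHOUT_RI = build_server_hello(b"\x00\x0b\x00\x02\x01\x00")
NO_EXTENSIONS = build_server_hello(b"")

if __name__ == "__main__":
    for name in ("WITH_RI", "WITHOUT_RI", "NO_EXTENSIONS"):
        print(name, signals_secure_renegotiation(globals()[name]))
```

A ServerHello that negotiates TLS 1.3 will not carry this extension, because TLS 1.3 has no renegotiation; the check only applies to TLS 1.2 and earlier handshakes.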
