cwernstedt Posted August 29, 2023

Yesterday the Bria client for iOS stopped working for all our users. The reason according to Counterpath: The PBX must support RFC 5746 (aka Transport Layer Security (TLS) Renegotiation). Is this supported in any of the later versions of the Vodia PBX?

Scott1234 Posted August 29, 2023

I had noticed this issue a few months ago, your users must have only just updated the iOS app? The issue came out in this release: Bria Enterprise 6.12.1 (May 26, 2023)

> Bria Enterprise 6.12.1 (May 26, 2023)
>
> OpenSSL 3.0 Support
> The Bria app uses OpenSSL 3.0. Ensure your service provider supports secure renegotiation as per RFC 5746. Support for RFC 5746 secure renegotiation is now required by default for SSL or TLS connections to succeed.
>
> No Logout Button for End User Portal
> The Logout button is now removed from End User Portal when accessing it from within the app.
>
> Resolved issues
> Fixed an issue where a missed call notification didn't appear properly on iOS 15.

68.0.28 was supposedly when RFC 5746 was enabled by default. What version are you on? It does work in 68.0.32

cwernstedt Posted August 30, 2023

User devices are set to auto-update (iOS users don't normally select updates à la carte), so the date of the onset of the problem doesn't correlate with when Bria's release notes claim that RFC 5746 began to be mandatory. In any case, I'm really pissed off by Bria who pretends to offer an enterprise/teams solution when they don't communicate compatibility-breaking changes well in advance. All normal companies do this. Usually we're given a heads up of multiple months if not years, if there's a new requirement.

Thanks for the info on 68.0.28 / 68.0.32. When you say RFC 5746 was enabled by default, does this imply that in earlier versions, RFC 5746 could be manually enabled by setting some parameter? We have 63.0.1. I'm not a fan of having to panic-upgrade as past upgrades have tended to break things.

Scott1234 Posted August 30, 2023

> Thanks for the info on 68.0.28 / 68.0.32. When you say RFC 5746 was enabled by default, does this imply that in earlier versions, RFC 5746 could be manually enabled by setting some parameter?

My understanding was it's there in other versions but not the default, not sure what versions. I could be wrong but that would be best answered by Vodia as to if you could enable it, maybe a custom entry in pbx.xml?

cwernstedt Posted August 30, 2023

Thanks @Scott1234. At least now we have some hope of resolving the problem.

Vodia PBX Posted August 31, 2023

The thing is that the PBX does not pass security scans unless it supports RFC 5746. There is a vulnerability for MiM attacks that RFC 5746 resolves. I would be surprised that this would pose a problem for Bria, as practically all servers that use TLS support this RFC. Anyhow, maybe someone can pass a PCAP to us so that we can take a look at what is going on.

On a side note, we are starting to replace LE RSA certificates with ECDH certificates, which might also be worth testing e.g. with Bria.

cwernstedt Posted September 1, 2023

Does Vodia v63.0.1 support RFC 5746? If not, it's not a surprise that Bria has problems now.

Vodia PBX Posted September 3, 2023

On 9/1/2023 at 3:06 AM, cwernstedt said:
> Does Vodia v63.0.1 support RFC 5746? If not, it's not a surprise that Bria has problems now.

No, that was introduced later.

Scott1234 Posted September 4, 2023

On 9/1/2023 at 5:49 AM, Vodia PBX said:
> The thing is that the PBX does not pass security scans unless it supports RFC 5746. There is a vulnerability for MiM attacks that RFC 5746 resolves. I would be surprised that this would pose a problem for Bria, as practically all servers that use TLS support this RFC. Anyhow, maybe someone can pass a PCAP to us so that we can take a look at what is going on. On a side note, we are starting to replace LE RSA certificates with ECDH certificates, which might also be worth testing e.g. with Bria.

All I can say is once the changes were made to 68.0.28 TLS and Bria worked on the mobile devices after their 6.12.1 update.
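
One way to check a captured handshake for the RFC 5746 requirement discussed in this thread (an added example, not code from Vodia, CounterPath or any poster): it parses a ServerHello record from TLS 1.2 or earlier and reports whether the server sent the renegotiation_info extension (type 0xff01), which is how a server signals secure renegotiation. The function names are this example's own and the sample records are constructed, not taken from a real PBX.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746


def server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} for one TLS record holding a ServerHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 38 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello")
    pos = 2 + 32               # skip server_version and random
    pos += 1 + hello[pos]      # skip session_id
    pos += 2 + 1               # skip cipher_suite and compression_method
    exts = {}
    if pos + 2 > len(hello):   # ServerHello without an extensions block
        return exts
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(hello)):
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        exts[ext_type] = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts


def supports_rfc5746(record: bytes) -> bool:
    """True if the ServerHello carries renegotiation_info."""
    return RENEGOTIATION_INFO in server_hello_extensions(record)


def sample_hello(extensions: bytes) -> bytes:
    """Constructed TLS 1.2 ServerHello record: zeroed random, empty session id."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        hello += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


# On an initial handshake the extension body is one zero byte
# (an empty renegotiated_connection field).
WITH_RFC5746 = sample_hello(b"\x00\x0b\x00\x02\x01\x00" + b"\xff\x01\x00\x01\x00")
WITHOUT_RFC5746 = sample_hello(b"")

if __name__ == "__main__":
    for name, rec in (("with", WITH_RFC5746), ("without", WITHOUT_RFC5746)):
        print(name, "renegotiation_info:", supports_rfc5746(rec))
```
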