TLS 1.0 but need TLS 1.2 for OpenVPN with Yealink Phone



  • Dear Community,

    I have a few hundred Yealink phones deployed in the field for various customers that use Yealink Phones with OpenVPN to connect.
    After upgrading some Yealink OpenVPN phones from Firmware 35.82.x.x to 35.83.x.x the OpenVPN stopped working. If we downgrade the Yealink firmware back down to 3.5.82.x.x it starts working again.
    We contacted yealink support and they said it was due to our OpenVPN server not supporting the TLS version 1.2 that they moved to in their Yealink Firmware version 35.83.x.x.

    They gave me a work around though to add this line to the OpenVPN VPN.CFG file:
    tls-version-max 1.0

    I did as they recommended and the Yealink OpenVPN phones with version 35.83.x.x started working again and getting an OpenVPN connection.

    I’m running pfSense Version:
    2.4.3-RELEASE (amd64)
    built on Mon Mar 26 18:02:04 CDT 2018
    FreeBSD 11.1-RELEASE-p7

    My Question is:

    1. What TLS version is running or available on my pfSense version 2.4.3?
    2. If not TLS 1.2, then when is TLS 1.2 planned to be updated in future versions of pfSense?
    3. If it is at TLS 1.2, then why would adding this line “tls-version-max 1.0” to the OpenVPN config file make it start working? (Maybe that is an OpenVPN support question I should post on another forum for OpenVPN, but I thought someone may have some idea here.)

    Thanks in advance for any advice or comments anyone may have.

    Regards, Rick



  • TLS version 1.2 has been supported for a long while already in pfSense’s OpenVPN implementation. Whatever the problem is it’s not the TLS version supported by OpenVPN in pfSense.



  • @kpa Thanks for your reply. That is interesting and good to know.

    I wonder why adding this line “tls-version-max 1.0” to the OpenVPN client's VPN.CFG fixes the issue with the OpenVPN connection on the Yealink phones.

    Is there any place to set what TLS version the pfSense OpenVPN server config uses? Or can it only use TLS 1.2?

    Rick


  • 

    You can set in the vpn custom options box for the server if you want.

    I have
    tls-version-min 1.2

    set in mine. For a long time I have had it set like that. So yeah, OpenVPN has supported it since, I believe, 2.3.3.



  • @johnpoz Thanks for the reply.

    I tried your fix and it must have worked to change the VPN server to TLS 1.2… Because all the VPN phones (200+) in the field with the old firmware and OpenVPN, using TLS 1.0 I would guess, stopped working.
    I had to remove that custom option and then they could connect again.

    Question: Is there any way to make it optional so it will work with TLS 1.0 and/or TLS 1.2 for the remote OpenVPN clients (phones)?

    It is a little bit of a “Chicken or Egg” thing.
    Those phones are remote… The only way I can access them is from an OpenVPN connection.
    If I need to update the firmware on them then the OpenVPN will no longer work.
    If I change the OpenVPN server to use custom TLS 1.2 then all the VPN phones on old firmware and OpenVPN using TLS 1.0 stop working. Then there is no way to support or remote to them.

    Thanks for your input and help so far. I’m getting there slowly but surely.

    Rick


  • 

    @khunit

    Well, if you set “tls-version-max 1.0” on the phone, and then min 1.2 on the server, then yeah, you're going to have a bad day 😉

    I was not suggesting that as any sort of a fix, just showing that OpenVPN supports 1.2 and has supported it for a long time, and I have connected only with 1.2 for years. 2.3.3 was like the 2014 time frame…

    You have something else going on vs just the tls version.



  • @johnpoz

    John,

    The TLS version is not set to Min or Max or anything on the old phones, for years now… 2010 or 2011 maybe, and when I set TLS on the OpenVPN server to 1.2 under custom options today as a test, they all could not connect. My guess is that the older phones' firmware does not support TLS 1.2, obviously.

    So on the OpenVPN server on pfSense 2.4.3_1, what version of TLS do you think it defaults to?
    Does only TLS 1.0 or TLS 1.2 work on it at a time? Can't both work at the same time?

    Yeah, right, there may be something else going on, but I’m not sure what that would be, as if I add this “tls-version-max 1.0” to the phones' OpenVPN VPN.CFG file all works with the phones' new firmware version. In a simple world that would tell me that it is a TLS problem… Of course it is IT related, so the root cause may not be simple.

    Thanks for your replies and help! Rick
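Added illustration (editor's example, not code from this thread, pfSense or Yealink): OpenVPN's `tls-version-min` is a floor and `tls-version-max` a ceiling, and the handshake lands on the highest TLS version inside both peers' windows, so a server left at the default floor of 1.0 can serve 1.0-only clients and 1.2 clients side by side, while `tls-version-min 1.2` on the server and `tls-version-max 1.0` on the phone leave no common version. The config snippets and the assumption that the 35.82 firmware is a TLS 1.0-only build are constructed for the model; OpenVPN's real handshake has other failure causes this does not cover.

```python
import re

TLS_VERSIONS = ("1.0", "1.1", "1.2")   # versions OpenVPN 2.3/2.4 can negotiate
DEFAULT_MIN = "1.0"                     # OpenVPN's documented default for tls-version-min

def parse_tls_window(config_text, build_max="1.2"):
    """Return (min, max) allowed by an OpenVPN config or custom-options snippet.
    Unset tls-version-min means 1.0; unset tls-version-max means the highest
    version the peer's build supports (build_max, an assumption made per peer)."""
    low, high = DEFAULT_MIN, build_max
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        m = re.match(r"tls-version-(min|max)\s+(\d\.\d)(\s+or-highest)?$", line)
        if not m:
            continue
        which, ver, _ = m.groups()
        if ver not in TLS_VERSIONS:
            raise ValueError(f"unsupported TLS version in directive: {line!r}")
        if which == "min":
            low = ver
        else:
            high = min(ver, build_max, key=TLS_VERSIONS.index)  # cannot exceed the build
    return low, high

def negotiate(server_cfg, client_cfg, client_build_max="1.2"):
    """Highest TLS version inside both windows, or None if the windows do not overlap."""
    s_lo, s_hi = parse_tls_window(server_cfg)
    c_lo, c_hi = parse_tls_window(client_cfg, client_build_max)
    lo = max(s_lo, c_lo, key=TLS_VERSIONS.index)   # the stricter floor wins
    hi = min(s_hi, c_hi, key=TLS_VERSIONS.index)   # the lower ceiling wins
    return hi if TLS_VERSIONS.index(lo) <= TLS_VERSIONS.index(hi) else None

# Constructed snippets modelling the thread's fleets (assumptions, not real phone configs).
SERVER_DEFAULT = "# pfSense OpenVPN server, custom options box left empty\n"
SERVER_MIN_12 = "tls-version-min 1.2\n"                  # the custom option from the thread
PHONE_PLAIN = "client\ndev tun\n"                         # no TLS directives at all
PHONE_MAX_10 = "client\ndev tun\ntls-version-max 1.0\n"   # the vendor workaround

def fleet_report():
    """Which fleet can still connect under each server setting."""
    return {
        # old 35.82 firmware: assumed here to be a TLS 1.0-only build
        "old phone / default server": negotiate(SERVER_DEFAULT, PHONE_PLAIN, "1.0"),
        "old phone / min 1.2 server": negotiate(SERVER_MIN_12, PHONE_PLAIN, "1.0"),
        # new firmware with the workaround pinned to 1.0
        "capped phone / default server": negotiate(SERVER_DEFAULT, PHONE_MAX_10),
        "capped phone / min 1.2 server": negotiate(SERVER_MIN_12, PHONE_MAX_10),
        # new firmware left uncapped: the directives alone allow 1.2
        "new phone / default server": negotiate(SERVER_DEFAULT, PHONE_PLAIN),
    }

if __name__ == "__main__":
    for case, ver in fleet_report().items():
        print(f"{case:32} -> {ver or 'handshake fails (no common version)'}")
```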



© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy