TLS 1.0 but need TLS 1.2 for OpenVPN with Yealink Phone
-
Dear Community,
I have a few hundred Yealink phones deployed in the field for various customers that use Yealink Phones with OpenVPN to connect.
After upgrading some Yealink OpenVPN phones from Firmware 35.82.x.x to 35.83.x.x the OpenVPN stopped working. If we downgrade the Yealink firmware back down to 3.5.82.x.x it starts working again.
We contacted Yealink support and they said it was due to our OpenVPN server not supporting the TLS version 1.2 that they moved to in their Yealink Firmware version 35.83.x.x. They gave me a workaround though, to add this line to the OpenVPN VPN.CFG file:
tls-version-max 1.0
I did as they recommended and the Yealink OpenVPN phones with version 35.83.x.x started working again and getting an OpenVPN connection.
I'm running pfSense Version:
2.4.3-RELEASE (amd64)
built on Mon Mar 26 18:02:04 CDT 2018
FreeBSD 11.1-RELEASE-p7
My question is:
- What TLS version is running or available on my pfSense version 2.4.3?
- If not TLS 1.2, then when is TLS 1.2 planned to be added in future versions of pfSense?
- If at TLS 1.2, then why would adding this line "tls-version-max 1.0" to the OpenVPN config file make it start working? (Maybe that is an OpenVPN support question I should post on another forum for OpenVPN, but I thought someone may have some idea here.)
Thanks in advance for any advice or comments anyone may have.
Regards, Rick
-
TLS version 1.2 has been supported for a long while already in pfSense's OpenVPN implementation. Whatever the problem is, it's not the TLS version supported by OpenVPN in pfSense.
-
@kpa Thanks for your reply. That is interesting and good to know.
I wonder why adding this line "tls-version-max 1.0" to the OpenVPN clients' VPN.CFG fixes the issue with the OpenVPN connection on the Yealink phones.
Is there any place to set what TLS version the pfSense OpenVPN server config uses? Or is TLS 1.2 the only one it can use?
Rick
-
You can set it in the VPN custom options box for the server if you want.
I have
tls-version-min 1.2
set in mine. For a long time I have had it set like that. So yeah, OpenVPN has supported it since 2.3.3, I believe.
-
@johnpoz Thanks for the reply.
I tried your fix and it must have worked to change the VPN server to TLS 1.2... because all the VPN phones (200+) in the field with the old firmware and OpenVPN, using TLS 1.0 I would guess, stopped working.
I had to remove that custom option and then they could connect again.
Question: Any way to make it optional so it will work with TLS 1.0 and/or TLS 1.2 by the remote OpenVPN clients (phones)?
It is a little bit of a "Chicken or Egg" thing.
Those phones are remote... The only way I can access them is from an OpenVPN connection.
If I need to update the firmware on them, then the OpenVPN will no longer work.
If I change the OpenVPN server to use the custom option TLS 1.2, then all the VPN phones on old firmware and OpenVPN using TLS 1.0 stop working. Then there is no way to support or remote to them.
Thanks for your input and help so far. I'm getting there slowly but surely.
Rick
-
Well, if you set "tls-version-max 1.0" on the phone, and then min 1.2 on the server, then yeah, you're going to have a bad day ;)
I was not suggesting that as any sort of a fix, just showing that OpenVPN supports 1.2 and has supported it for a long time, and I connect only with 1.2 for years. 2.3.3 was like the 2014 timeframe.
You have something else going on vs just the tls version.
-
John,
The TLS version is not set to min or max or anything on the old phones, for years now... 2010 or 2011 maybe, and when I set TLS on the OpenVPN server to 1.2 under custom options today as a test, then they all cannot connect. My guess is that the older phones' firmware does not support TLS 1.2, obviously.
So on the OpenVPN server on pfSense 2.4.3_1, what version of TLS do you think it defaults to?
Only TLS 1.0 or TLS 1.2 works on it at a time? Not both at the same time can work?
Yeah, right, there may be something else going on, but I'm not sure what that would be, as if I add this "tls-version-max 1.0" to the phones' OpenVPN VPN.CFG file all works with the phones' new firmware version. In a simple world that would tell me that it is a TLS problem... Of course it is IT related, so the root cause may not be simple.
Thanks for your replies and help! Rick
-
@khunit said in TLS 1.0 but need TLS 1.2 for OpenVPN with Yealink Phone:
tls-version-max 1.0
Is there a reason you need to upgrade the phone firmware? Does the phone firmware upgrade give you any additional features or fixes for other problems?
It looks like there's more time required to get to the bottom of the TLS compatibility issue...
If you really need to upgrade the phone firmware urgently, you could try setting "tls-version-max 1.0" on the VPN server (instead of the phones).
Would that setting force the phones (with new firmware) into using TLS 1.0?
This could buy you some time....
-
@gcu_greyarea said in TLS 1.0 but need TLS 1.2 for OpenVPN with Yealink Phone:
tls-version-max 1.0
Just FYI... I tried the custom option "tls-version-max 1.0" on my VPN server (on pfSense) and the server actually honours that option.
I tested with the iOS OpenVPN app, which gave me a "Server Version too low" error. After changing the Minimum TLS Version in the iOS app to "TLS 1.0" I could successfully connect again.
The question is whether the Yealink phones (with new firmware) are capable of negotiating down to TLS 1.0 automatically.
Alternatively, if you have hundreds of Yealink phones you may have enough leverage to ask Yealink for a custom patch, i.e. the same firmware which defaults to "tls-version-max 1.0". However, that doesn't really fix the compatibility issue.....
Might also make sense to have a look at the supported ciphers on the phone?
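An added example (not code from this thread, pfSense, OpenVPN or Yealink) that models how tls-version-min and tls-version-max on the two ends combine, run over the server/phone combinations discussed above: the "chicken or egg" question, johnpoz's min 1.2 server, and the server-side max 1.0 idea. The config text, the placeholder remote host and the assumption that 35.82 firmware only speaks TLS 1.0 are constructed for the example.

```python
# Added example (not code from pfSense, OpenVPN or Yealink): a small model of
# how OpenVPN's tls-version-min / tls-version-max directives combine on the
# two ends of the tunnel, run over the server/phone combinations from this
# thread.  Per-device capabilities and config text are constructed assumptions.
TLS_VERSIONS = ("1.0", "1.1", "1.2")   # versions these directives can pin in OpenVPN 2.3/2.4

def parse_tls_range(config_text):
    """(min, max) permitted by an OpenVPN config.  Missing directives use
    OpenVPN's defaults: min 1.0, max = highest the build supports (1.2 here)."""
    lo, hi = "1.0", "1.2"
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split(";", 1)[0].split()   # strip comments
        if len(words) >= 2 and words[0] == "tls-version-min":
            lo = words[1]
        elif len(words) >= 2 and words[0] == "tls-version-max":
            hi = words[1]
    return lo, hi

def negotiate(server_cfg, client_cfg, client_supported=TLS_VERSIONS):
    """Highest version both configs allow AND the client firmware speaks,
    or None when no common version exists (the handshake fails)."""
    s_lo, s_hi = parse_tls_range(server_cfg)
    c_lo, c_hi = parse_tls_range(client_cfg)
    idx = TLS_VERSIONS.index
    lo, hi = max(idx(s_lo), idx(c_lo)), min(idx(s_hi), idx(c_hi))
    common = [v for v in TLS_VERSIONS[lo:hi + 1] if v in client_supported]
    return common[-1] if common else None

# Constructed configs; the "remote" host is a placeholder.
SERVER = "dev tun\nproto udp\n"                       # pfSense defaults, no tls-version-* lines
SERVER_MIN12 = SERVER + "tls-version-min 1.2\n"        # johnpoz's custom option
SERVER_MAX10 = SERVER + "tls-version-max 1.0\n"        # gcu_greyarea's suggestion
PHONE = "client\nremote vpn.example.invalid 1194\n"
PHONE_MAX10 = PHONE + "tls-version-max 1.0\n"          # Yealink's workaround for 35.83 firmware
OLD_FW = ("1.0",)   # assumption: 35.82 firmware only speaks TLS 1.0

def scenarios():
    """Negotiated version for each combination discussed in the thread."""
    return {
        "default server / old firmware": negotiate(SERVER, PHONE, OLD_FW),
        "default server / new firmware": negotiate(SERVER, PHONE),
        "default server / new firmware + max 1.0": negotiate(SERVER, PHONE_MAX10),
        "min 1.2 server / old firmware": negotiate(SERVER_MIN12, PHONE, OLD_FW),
        "min 1.2 server / new firmware": negotiate(SERVER_MIN12, PHONE),
        "max 1.0 server / new firmware": negotiate(SERVER_MAX10, PHONE),
    }

if __name__ == "__main__":
    for name, version in scenarios().items():
        print(f"{name:45s} -> {version or 'handshake fails'}")
```

The model predicts TLS 1.2 for the default server with new firmware, which the thread reports as failing in practice; that gap is johnpoz's point that something other than the version range is involved, and it is why a server-side max 1.0 only buys time rather than fixing the root cause.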