TLS connection to SIPS VOIP registration server not working on OPAL ABVY.6.2 router firmware

Diggery_Doo_21

I can't use TLS transport to connect to my SIP/VOIP telephony provider. UDP works fine.

They operate a modern SIP TLS server on port 5061 which only accepts the following modern TLSv3 ciphersuites

Using tls1_3
Testing TLS_AES_256_GCM_SHA384 ... YES
Testing TLS_CHACHA20_POLY1305_SHA256 ... YES
Testing TLS_AES_128_GCM_SHA256 ... YES

There is no web GUI in the OPAL DX3301-T0_5.50(ABVY.6.2)C0_2 firmware to expose the VOIP TLS ciphersuite, but if I export the router configuration, I see

"X_ZYXEL_Common":{
"VoipIOPFlags":0,
"DialPlan":"",
"VoipPort":0,
"Ivrsyspermit":false,
"IvrLanguage":0,
"Ivrcodec":0,
"SpecialFlag":0,
"CallFallBack":false,
"Activedialplan":false,
"DialMethod":"",
"CustomUserAgentNameEnable":false,
"CustomUserAgentName":"",
"P_AccessNetworkInfo":"",
"UserAgent_strReplaceRule":"",
"FxsCIDMode":"",
"FxsCIDSigProtocol":"",
"FxsCIDMsgFormat":"",
"FxsCIDEmptyCallerNameHandlePolicy":"",
"TLS_Port":5061,
"TLS_Certificate":"",
"TLS_CipherSuite":"TLS_RSA_WITH_AES_256_CBC_SHA", <----------WEAK, DEPRECATED, UNSUPPORTED
"TLS_CertVerifyMode":0
},

This ciphersuite is weak and deprecated

https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA/

and my provider does NOT support it

Testing AES256-SHA ... NO (sslv3 alert handshake failure)

If I modify the config file to be

"TLS_CipherSuite":"TLS_AES_128_GCM_SHA256"

will this work and persist across reboots?

The release notes for the firmware say that OpenSSL 3.1.2 is being used, so that suite should be available?

I have tested that their server certificate uses non-deprecated signature hashes, and it does - SHA256 - so that isn't the reason that the TLS negotiation fails.
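The failure mode described in the post, reproduced offline as an added example (not part of the original post, and not the router's or the provider's code). Go's crypto/tls stands in for both endpoints: a constructed local server that accepts only TLS 1.3, and a client whose only configured suite is TLS_RSA_WITH_AES_256_CBC_SHA. The hostname `sip.example.test` and the throwaway certificate are constructed, and how the firmware maps `TLS_CipherSuite` onto its own TLS stack is an open question this does not answer.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert builds a throwaway RSA certificate (constructed) and a pool that trusts it.
func newServerCert() (tls.Certificate, *x509.CertPool) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sip.example.test"},
		DNSNames: []string{"sip.example.test"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Handshake runs one in-memory handshake against a TLS 1.3-only server and
// returns the negotiated suite name, or the error the client saw.
func Handshake(maxVer uint16) (string, error) {
	cert, pool := newServerCert()
	c, s := net.Pipe()
	defer c.Close()
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert},
		MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true})
	go func() { srv.Handshake(); s.Close() }()
	// In Go, CipherSuites only governs TLS 1.0-1.2; TLS 1.3 suites are not configurable.
	cli := tls.Client(c, &tls.Config{RootCAs: pool, ServerName: "sip.example.test",
		MinVersion: tls.VersionTLS12, MaxVersion: maxVer,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA}})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	fmt.Println(Handshake(tls.VersionTLS12)) // legacy-only client: handshake error
	fmt.Println(Handshake(tls.VersionTLS13)) // TLS 1.3-capable client: a TLS 1.3 suite
}
```

The first call fails even though the server holds an RSA key that could serve the legacy suite, because a TLS 1.2-only suite gives the two sides no protocol version in common.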
