VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] SSL/TLS weakness impact on Asterisk authentication


 
mdupuis at ocg.ca
Posted: Tue Jun 10, 2014 4:45 pm    Post subject: [asterisk-users] SSL/TLS weakness impact on Asterisk authent

After reading about the 2 major SSL (and TLS?) weaknesses discovered this year, I was wondering how it affects asterisk.



Does the SIP authentication use TLS - or something that was recently broken? Is there a risk of exposing passwords?



Thanks!
mjordan at digium.com
Posted: Tue Jun 10, 2014 5:19 pm    Post subject: [asterisk-users] SSL/TLS weakness impact on Asterisk authent

On Tue, Jun 10, 2014 at 4:44 PM, Michelle Dupuis <mdupuis@ocg.ca> wrote:
Quote:

After reading about the  2 major SSL (and TLS?) weaknesses discovered this year, I was wondering how it affects asterisk.


Asterisk uses OpenSSL for TLS. So, the answer is, it depends on the version of OpenSSL that was installed for your Asterisk server.

See http://blogs.digium.com/2014/04/11/asterisk-heartbleed/ for more information.
 

Quote:


Does the SIP authentication use TLS - or something that was recently broken?  Is there a risk of exposing passwords?


SIP signalling - in both chan_sip and chan_pjsip - can use TLS as a transport. If your OpenSSL version is one of those affected by the various vulnerabilities, then yes, you are at risk.

This also applies to all other modules in Asterisk that use TLS, including AMI, the HTTP server, and others.

Matt




--
Matthew Jordan

Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
patrick at laimbock.com
Posted: Tue Jun 10, 2014 7:02 pm    Post subject: [asterisk-users] SSL/TLS weakness impact on Asterisk authent

On 10-06-14 23:44, Michelle Dupuis wrote:
Quote:
After reading about the 2 major SSL (and TLS?) weaknesses discovered
this year, I was wondering how it affects asterisk.

Does the SIP authentication use TLS - or something that was recently
broken? Is there a risk of exposing passwords?

Asterisk's SIP authentication uses a digest. See
http://tools.ietf.org/html/rfc3261 for more info (20.6 and onwards).

That does not mean that the recent OpenSSL issues have no impact on
Asterisk. They do if you configure SIP to use TLS transport or enable
TLS for other parts (for example AMI). So it's highly recommended to
install the updated OpenSSL packages containing the fixes.

My Asterisk packages link dynamically against the OpenSSL libraries.
Assuming your packages do the same then, once you have updated the
OpenSSL packages to the latest ones with the fixes and restart Asterisk,
you should be good to go.

While the recent OpenSSL issues don't directly expose your account
passwords, the Heartbleed bug can expose (parts of) the private key used
by TLS. Once the Men in Black have your private key it's possible to
set up a Man (in Black) in the Middle attack and sniff those passwords.
See http://heartbleed.com/

Unless you want to mess around with the Men in Black and leave your
system vulnerable to attack, you should install all security updates
ASAP and then restart the services that rely upon them.

HtH,
Patrick
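
The "update the OpenSSL packages, then restart Asterisk" step discussed above can be verified on Linux, because a process that was not restarted still maps the replaced library files, which `/proc/<pid>/maps` marks as `(deleted)`. The script below is an added example, not part of the original thread or of Asterisk; the function names, the `--live` flag and the sample map lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report OpenSSL libraries a process still maps after the files
# were replaced on disk (packages updated, process not yet restarted).
# /proc/<pid>/maps covers the main binary and every loaded module.

# Reads /proc/<pid>/maps-format text on stdin and prints each replaced
# libssl/libcrypto path once. Mappings of replaced files end in "(deleted)".
stale_tls_libs() {
    awk '$NF == "(deleted)" && $6 ~ "/lib(ssl|crypto)[^/]*[.]so" { if (!seen[$6]++) print $6 }'
}

# Checks one running process; returns 1 if it needs a restart.
check_pid() {
    pid=$1
    [ -r "/proc/$pid/maps" ] || { echo "cannot read /proc/$pid/maps" >&2; return 2; }
    stale=$(stale_tls_libs < "/proc/$pid/maps")
    if [ -n "$stale" ]; then
        printf 'PID %s still maps replaced OpenSSL libraries, restart needed:\n%s\n' "$pid" "$stale"
        return 1
    fi
    printf 'PID %s maps only on-disk OpenSSL libraries\n' "$pid"
}

# Constructed sample: an Asterisk process after a package update, before restart.
sample_maps() {
    cat <<'EOF'
00400000-0062b000 r-xp 00000000 fd:01 262155 /usr/sbin/asterisk
7f3a1c000000-7f3a1c061000 r-xp 00000000 fd:01 393301 /usr/lib64/libssl.so.10 (deleted)
7f3a1c061000-7f3a1c261000 ---p 00061000 fd:01 393301 /usr/lib64/libssl.so.10 (deleted)
7f3a1b000000-7f3a1b1b5000 r-xp 00000000 fd:01 393298 /usr/lib64/libcrypto.so.10 (deleted)
7f3a1a800000-7f3a1a815000 r-xp 00000000 fd:01 393310 /usr/lib64/libz.so.1.2.3 (deleted)
7f3a1a000000-7f3a1a1b6000 r-xp 00000000 fd:01 131078 /usr/lib64/libc-2.12.so
7ffd2b1e0000-7ffd2b201000 rw-p 00000000 00:00 0 [stack]
EOF
}

case "${1:-}" in
    --live)   # check every running asterisk process (run as root)
        rc=0
        for pid in $(pidof asterisk); do check_pid "$pid" || rc=1; done
        exit "$rc" ;;
    *)        # default: run the parser over the constructed sample
        sample_maps | stale_tls_libs ;;
esac
```

A clean result only shows that the process loaded the libraries currently on disk; whether those libraries contain the fixes still depends on the installed package version.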

All times are GMT - 5 Hours