On Thu, 2009-03-12 at 16:24 -0400, Kristian Kielhofner wrote:
> You'd be surprised how many devices support them. Pretty much
> everything I've seen that supports SIP TLS (which is itself a
> surprising number of devices) supports various options for cert
> verification. Of course this doesn't mean anything if the rest of
> your devices (including Asterisk) don't support it.
>
> Interop, like everything else SIP related, is the challenging part.
> Crypto is especially frustrating because it's hard(er) to debug SIP
> messages when they are encrypted on the wire. :)
>

There are FOSS alternatives that work with most of the TLS/SRTP implementations that are in phones, so obviously it can be done, but the first step is to get SIP RFC compliant and add in TCP support (it's mandatory per the RFC), as that is a requirement for the way it's usually done. There are even FOSS SIP stacks like sofia-sip (LGPL, http://opensource.nokia.com/projects/sofia-sip/index.html) that support TCP, and it is a fairly well tested, RFC compliant (RFC3261) SIP stack, and one could make a chan_sip from it; however, the way that chan_sip integrates with the Asterisk core makes it difficult to have something really compliant, since a UA is only allowed to bind to one ip/port pair and you have to in essence have multiple chan_sips running, one for each ip/port pair that you want to bind to.

It would seem to me to be easier to use that than trying to in essence compete with Nokia on a SIP stack for the FOSS community, especially since that one exceeds the capabilities of the current one. All that would have to be done is write the glue code in chan_sip to use it, and instantly the SIP capabilities of Asterisk are improved, and to a point some of the SIP maintenance work can be offloaded onto Nokia, who has paid people maintaining their stack (although they are always open to accepting patches and bug reports, or historically have been).

For SRTP you would have to add to the RTP stack, since sofia is a SIP stack, not an RTP stack, but at least you could get the framework in place that makes that a more reasonable task by having the TLS parts, which in my opinion should not be considered separate. For a working example, freeswitch.org does SRTP/TLS using sofia-sip, works with many phones on the market, and happens to be FOSS (MPL).

> > If you used certificate based auth, you couldn't even start the TLS
> > negotiation. Brute-forcing certs is, AFAIK, really, really difficult,
> > like billions of years.
>
> Unless you are the NSA... ;)
>

or you break into the server through other means and steal the cert :) This would just be a cog in the greater scheme of things and not the end of it.

--
Trixter http://www.0xdecafbad.com Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721
_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-biz
