On 10-06-14 23:44, Michelle Dupuis wrote:
After reading about the 2 major SSL (and TLS?) weaknesses discovered
this year, I was wondering how it affects asterisk.
Does the SIP authentication use TLS - or something that was recently
broken? Is there a risk of exposing passwords?
Asterisk' SIP authentication uses a digest. See
http://tools.ietf.org/html/rfc3261 for more info (20.6 and onwards).
That does not mean that the recent OpenSSL issues have no impact on
Asterisk. They do if you configure SIP to use TLS transport or enable
TLS for other parts (for example AMI). So it's highly recommended to
install the updated OpenSSL packages containing the fixes.
My Asterisk packages link dynamically against the OpenSSL libraries.
Assuming your packages do the same then, once you have updated the
OpenSSL packages to the latest ones with the fixes and restart Asterisk,
you should be good to go.
While the recent OpenSSL issues don't directly expose your account
passwords, the Heartbleed bug can expose (parts of) the private key used
by TLS. Once the Men in Black have your private key its possible to
setup a Man (in Black) in the Middle attack and sniff those passwords.
See http://heartbleed.com/
Unless you want to mess around with the Men in Black and leave your
system vulnerable to attack, you should install all security updates
ASAP and then restart the services that rely upon them.
HtH,
Patrick
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
