Re: [asterisk-users] WSS over Asterisk
Hi,

I tested yesterday the SIPML5 fix and I can confirm it works as expected with Asterisk 12 SVN-trunk-r415192 using chan_sip and no DTLS enabled. Tested with Chrome 35.0.1916.153m. The patch is targeted to Chrome. Firefox is still unable to handle calls in my setup.

In my tests I've found some Asterisk exceptions when SIPML5 is used from Chrome with the provided patch AND DTLS is configured for the peer in sip.conf AND certificates are installed in Chrome. I suppose this is something work in progress, so I'm not worried about it.

I can also confirm the problem with wss, where SIPML5 seems not able to connect to the Asterisk box.

Thank you and best regards,
Marco Signorini.

On 06/12/2014 03:21 AM, Steve Ng wrote:
> I am using Asterisk v12.3. As far as DTLS goes, I understand that applying the following Javascript will temporarily fix SIPML5 to Asterisk: https://gist.github.com/steve-ng/14b9b88af43f92db1e46
>
> WS works for me, it's just wss which I'm stuck on currently.
>
> On Thu, Jun 12, 2014 at 4:37 AM, Miguel Molina <mfmolina-lis...@millenium.com.co> wrote:
>> On 11/06/2014 1:52 p.m., Matthew Jordan wrote:
>>> On Wed, Jun 11, 2014 at 1:32 PM, William Hetherington <w...@willwh.com> wrote:
>>>> Chrome 35 broke all of this, you need to be using DTLS now I believe. I had working secure web sockets with asterisk 12.2.x and chrome 34 and then google broke everything :) I have not yet got around to test out DTLS etc. with chrome 35.
>>>>
>>>> Just so I don't waste too much time when I go to test, does anyone know if all that's required for DTLS on the asterisk side is the following in sip.conf?
>>>>
>>>> dtlsenable=yes
>>>> dtlsverify=yes
>>>> dtlsrekey=60
>>>> dtlscafile=/usr/local/share/ca-certificates/myCA.crt
>>>> dtlscertfile=/etc/ssl/mycert.com.pem
>>>> dtlssetup=actpass
>>>>
>>>> I assume I also need TLS configs in http.conf
>>>
>>> Signalling is independent of the media; DTLS only affects the media. However, there are known issues with Chrome's negotiation of DTLS and Asterisk - see https://issues.asterisk.org/jira/browse/ASTERISK-22961
>>>
>>> --
>>> Matthew Jordan
>>> Digium, Inc. | Engineering Manager
>>> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
>>> Check us out at: http://digium.com http://asterisk.org
>>
>> It is broken in Chrome (Firefox never had SDES) because the WebRTC standard favoured the DTLS-SRTP implementation instead of the SDES one. The thing is that although Asterisk supports the DTLS implementation, it only supports SHA-1 hashing, but both Firefox and Chrome work with SHA-256. The patch proposed in ASTERISK-22961 is an effort to solve this issue.
>>
>> Best regards

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] issue installing voicemail imap support: imap_tk module missing
I'm using
* ubuntu 14.04 LTS
* asterisk 11.10 (from source)
* imap-2007f (from source)

Bart

On Wed, Jun 11, 2014 at 6:36 PM, Tzafrir Cohen <tzafrir.co...@xorcom.com> wrote:
> On Tue, Jun 03, 2014 at 10:26:26PM +0200, Bart Remmerie wrote:
>> Does anybody know where imap_tk is supposed to be / where it comes from? Is it a part of asterisk / imap / linux / ... I can't seem to find any references other than related to asterisk, but in asterisk I only can find it as a (unfortunately missing) dependency for imap support for voicemail...
>
> What distribution is it?
>
> --
> Tzafrir Cohen
> icq#16849755 jabber:tzafrir.co...@xorcom.com
> +972-50-7952406 tzafrir.co...@xorcom.com
> http://www.xorcom.com

--
Bart Remmerie
+32 (0477) 78.88.76 # remme...@gmail.com
Re: [asterisk-users] issue installing voicemail imap support: imap_tk module missing
On Thu, Jun 12, 2014 at 10:45:37AM +0200, Bart Remmerie wrote:
> I'm using
> * ubuntu 14.04 LTS
> * asterisk 11.10 (from source)
> * imap-2007f (from source)

Any reason you don't install uw-imap from ubuntu? libc-client2007e-dev or libc-client-dev.

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 tzafrir.co...@xorcom.com
http://www.xorcom.com
Re: [asterisk-users] WSS over Asterisk
> I'm having the error as shown below:
>
> Connecting to 'wss://54.xxx.xxx.xxx:8080/ws'  SIPml-api.js?svn=224:1
> ==stack event = starting  SIPml-api.js?svn=224:1
> __tsip_transport_ws_onerror  SIPml-api.js?svn=224:1
> __tsip_transport_ws_onclose  SIPml-api.js?svn=224:1
> ==stack event = failed_to_start
>
> Whereas if I'm connecting through ws://54.xxx.xxx.:8080/ws, it works fine. Any idea why?

Sorry for the delay in answering: I meant to reply and forgot.

ws:// uses HTTP and wss:// uses HTTPS, so there's no way they can work via the same socket. You have to set up a separate HTTPS socket for wss.
[asterisk-users] Asterisk 1.8.15-cert6, 1.8.28.1, 11.6-cert3, 11.10.1, 12.3.1 Now Available (Security Release)
The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security releases are released as versions 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following issue:

* AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP Connections

  Establishing a TCP or TLS connection to the configured HTTP or HTTPS port respectively in http.conf and then not sending or completing a HTTP request will tie up a HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked.

Additionally, the release of 11.6-cert3, 11.10.1, and 12.3.1 resolves the following issue:

* AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized Shell Access

  Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process.

Additionally, the release of 12.3.1 resolves the following issues:

* AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework

  A remotely exploitable crash vulnerability exists in the PJSIP channel driver's pub/sub framework. If an attempt is made to unsubscribe when not currently subscribed and the endpoint's 'sub_min_expiry' is set to zero, Asterisk tries to create an expiration timer with zero seconds, which is not allowed, so an assertion is raised.

* AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions

  When a SIP transaction timeout caused a subscription to be terminated, the action taken by Asterisk was guaranteed to deadlock the thread on which SIP requests are serviced. Note that this behavior could only happen on established subscriptions, meaning that this could only be exploited if an attacker bypassed authentication and successfully subscribed to a real resource on the Asterisk server.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008, which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert6
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.1
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.1

The security advisories are available at:

* http://downloads.asterisk.org/pub/security/AST-2014-005.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
* http://downloads.asterisk.org/pub/security/AST-2014-008.pdf

Thank you for your continued support of Asterisk!
[asterisk-users] AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework
Asterisk Project Security Advisory - AST-2014-005

Product:            Asterisk
Summary:            Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework
Nature of Advisory: Denial of Service
Susceptibility:     Remote Unauthenticated Sessions
Severity:           Moderate
Exploits Known:     No
Reported On:        March 17, 2014
Reported By:        John Bigelow <jbigelow AT digium DOT com>
Posted On:          June 12, 2014
Last Updated On:    June 12, 2014
Advisory Contact:   Kevin Harwell <kharwell AT digium DOT com>
CVE Name:           CVE-2014-4045

Description
A remotely exploitable crash vulnerability exists in the PJSIP channel driver's pub/sub framework. If an attempt is made to unsubscribe when not currently subscribed and the endpoint's sub_min_expiry is set to zero, Asterisk tries to create an expiration timer with zero seconds, which is not allowed, so an assertion is raised.

Resolution
Upgrade to a version with the patch integrated, apply the patch, or make sure the sub_min_expiry endpoint configuration option is greater than zero.

Affected Versions
  Product               Release Series
  Asterisk Open Source  12.x            All

Corrected In
  Product               Release
  Asterisk Open Source  12.x            12.3.1

Patches
  SVN URL                                                          Revision
  http://downloads.asterisk.org/pub/security/AST-2014-005-12.diff  Asterisk 12

Links
  https://issues.asterisk.org/jira/browse/ASTERISK-23489

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-005.pdf and http://downloads.digium.com/pub/security/AST-2014-005.html

Revision History
  Date            Editor         Revisions Made
  April 14, 2014  Kevin Harwell  Document Creation
  June 12, 2014   Matt Jordan    Added CVE

Asterisk Project Security Advisory - AST-2014-005
Copyright (c) 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
[asterisk-users] AST-2014-006: Asterisk Manager User Unauthorized Shell Access
Asterisk Project Security Advisory - AST-2014-006

Product:            Asterisk
Summary:            Asterisk Manager User Unauthorized Shell Access
Nature of Advisory: Permission Escalation
Susceptibility:     Remote Authenticated Sessions
Severity:           Minor
Exploits Known:     No
Reported On:        April 9, 2014
Reported By:        Corey Farrell
Posted On:          June 12, 2014
Last Updated On:    June 12, 2014
Advisory Contact:   Jonathan Rose <jrose AT digium DOT com>
CVE Name:           CVE-2014-4046

Description
Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process.

Resolution
Upgrade to a version with the patch integrated, apply the patch, or do not allow users who should not have permission to run shell commands to use AMI.

Affected Versions
  Product               Release Series
  Asterisk Open Source  11.x            All
  Asterisk Open Source  12.x            All
  Certified Asterisk    11.6            All

Corrected In
  Product               Release
  Asterisk Open Source  11.10.1, 12.3.1
  Certified Asterisk    11.6-cert3

Patches
  SVN URL                                                            Revision
  http://downloads.asterisk.org/pub/security/AST-2014-006-11.diff    Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2014-006-12.diff    Asterisk 12
  http://downloads.asterisk.org/pub/security/AST-2014-006-11.6.diff  Certified Asterisk 11.6

Links
  https://issues.asterisk.org/jira/browse/ASTERISK-23609

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-006.pdf and http://downloads.digium.com/pub/security/AST-2014-006.html

Revision History
  Date            Editor         Revisions Made
  April 23, 2014  Jonathan Rose  Document Creation
  June 12, 2014   Matt Jordan    Added CVE

Asterisk Project Security Advisory - AST-2014-006
Copyright (c) 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
[asterisk-users] AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions
Asterisk Project Security Advisory - AST-2014-008

Product:            Asterisk
Summary:            Denial of Service in PJSIP Channel Driver Subscriptions
Nature of Advisory: Denial of Service
Susceptibility:     Remote authenticated sessions
Severity:           Moderate
Exploits Known:     No
Reported On:        28 May, 2014
Reported By:        Mark Michelson
Posted On:          June 12, 2014
Last Updated On:    June 12, 2014
Advisory Contact:   Mark Michelson <mmichelson AT digium DOT com>
CVE Name:           CVE-2014-4048

Description
When a SIP transaction timeout caused a subscription to be terminated, the action taken by Asterisk was guaranteed to deadlock the thread on which SIP requests are serviced. Note that this behavior could only happen on established subscriptions, meaning that this could only be exploited if an attacker bypassed authentication and successfully subscribed to a real resource on the Asterisk server.

Resolution
The socket-servicing thread is now no longer capable of dispatching synchronous tasks to other threads since that may result in deadlocks.

Affected Versions
  Product               Release Series
  Asterisk Open Source  12.x            All versions

Corrected In
  Product               Release
  Asterisk Open Source  12.3.1

Patches
  SVN URL                                                          Revision
  http://downloads.asterisk.org/pub/security/AST-2014-008-12.diff  Asterisk 12

Links
  https://issues.asterisk.org/jira/browse/ASTERISK-23802

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-008.pdf and http://downloads.digium.com/pub/security/AST-2014-008.html

Revision History
  Date           Editor          Revisions Made
  June 6, 2014   Mark Michelson  Document Creation
  June 12, 2014  Matt Jordan     Added CVE

Asterisk Project Security Advisory - AST-2014-008
Copyright (c) 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
[asterisk-users] AST-2014-007: Exhaustion of Allowed Concurrent HTTP Connections
Asterisk Project Security Advisory - AST-2014-007

Product:            Asterisk
Summary:            Exhaustion of Allowed Concurrent HTTP Connections
Nature of Advisory: Denial Of Service
Susceptibility:     Remote Unauthenticated Sessions
Severity:           Moderate
Exploits Known:     No
Reported On:        May 25, 2014
Reported By:        Richard Mudgett
Posted On:          May 9, 2014
Last Updated On:    June 12, 2014
Advisory Contact:   Richard Mudgett <rmudgett AT digium DOT com>
CVE Name:           CVE-2014-4047

Description
Establishing a TCP or TLS connection to the configured HTTP or HTTPS port respectively in http.conf and then not sending or completing a HTTP request will tie up a HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked.

Resolution
The patched versions now have a session_inactivity timeout option in http.conf that defaults to 3 ms. Users should upgrade to a corrected version, apply the released patches, or disable HTTP support.

Affected Versions
  Product               Release Series
  Asterisk Open Source  1.8.x           All versions
  Asterisk Open Source  11.x            All versions
  Asterisk Open Source  12.x            All versions
  Certified Asterisk    1.8.15          All versions
  Certified Asterisk    11.6            All versions

Corrected In
  Product               Release
  Asterisk Open Source  1.8.28.1, 11.10.1, 12.3.1
  Certified Asterisk    1.8.15-cert6, 11.6-cert3

Patches
  SVN URL                                                              Revision
  http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.diff     Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2014-007-11.diff      Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2014-007-12.diff      Asterisk 12
  http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.15.diff  Certified Asterisk 1.8.15
  http://downloads.asterisk.org/pub/security/AST-2014-007-11.6.diff    Certified Asterisk 11.6

Links
  https://issues.asterisk.org/jira/browse/ASTERISK-23673

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-007.pdf and http://downloads.digium.com/pub/security/AST-2014-007.html

Revision History
  Date           Editor           Revisions Made
  May 9, 2014    Richard Mudgett  Document Creation
  June 12, 2014  Matt Jordan      Added CVE

Asterisk Project Security Advisory - AST-2014-007
Copyright (c) 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
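Three of the configuration points raised in this digest can be checked mechanically: the separate HTTPS socket that wss:// needs in http.conf (the WSS thread), an explicit session_inactivity setting (AST-2014-007), and no pjsip endpoint with sub_min_expiry set to zero (AST-2014-005). The script below is an added example written for this page, not code from the list posts or from the Asterisk project; it assumes the http.conf options tlsenable, tlsbindaddr and tlscertfile exist in your release, and every config text in it is constructed.

```python
# Added audit example (not Asterisk project code); sample configs are constructed.
import re
from collections import defaultdict

_ASSIGN = re.compile(r"^\s*([^=;\s]+)\s*=>?\s*(.*?)\s*$")   # key=value or key => value

def parse_asterisk_conf(text):
    """{section: {key: [values]}}; ';' comments stripped, #include lines skipped,
    repeated keys kept. Template inheritance [x](y) is not resolved."""
    sections, current = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            continue
        m = _ASSIGN.match(line)
        if m and current is not None:
            sections[current][m.group(1)].append(m.group(2))
    return sections

def _opt(cfg, section, key, default=None):
    vals = cfg.get(section, {}).get(key)
    return vals[-1] if vals else default          # last assignment wins

def audit_http_conf(text):
    """Can wss:// connect at all, and is the AST-2014-007 inactivity timeout set
    explicitly instead of being left to whatever the running build defaults to?"""
    cfg, findings = parse_asterisk_conf(text), []
    if _opt(cfg, "general", "enabled", "no").lower() != "yes":
        findings.append("http: enabled is not yes; neither ws:// nor wss:// will work")
    if _opt(cfg, "general", "tlsenable", "no").lower() != "yes":
        findings.append("http: tlsenable is not yes, so there is no HTTPS socket for wss://")
    else:   # tlsprivatekey is optional when the key is inside tlscertfile
        for key in ("tlsbindaddr", "tlscertfile"):
            if _opt(cfg, "general", key) is None:
                findings.append(f"http: tlsenable=yes but {key} is missing")
    if _opt(cfg, "general", "session_inactivity") is None:
        findings.append("http: session_inactivity not set (AST-2014-007 timeout left at default)")
    return findings

def audit_pjsip_conf(text):
    """Flag endpoints with sub_min_expiry=0, the AST-2014-005 crash condition."""
    cfg = parse_asterisk_conf(text)
    return [f"pjsip: endpoint [{name}] has sub_min_expiry=0 (AST-2014-005)"
            for name, opts in cfg.items()
            if "endpoint" in opts.get("type", []) and _opt(cfg, name, "sub_min_expiry") == "0"]

# Constructed samples: a ws-only http.conf, the corrected one, and a pjsip.conf.
HTTP_CONF_WEAK = """[general]
enabled=yes
bindport=8080             ; ws:// works here, wss:// has no socket to reach
"""
HTTP_CONF_FIXED = """[general]
enabled=yes
bindport=8080
tlsenable=yes
tlsbindaddr=0.0.0.0:8089  ; separate HTTPS socket: wss://host:8089/ws
tlscertfile=/etc/asterisk/keys/asterisk.pem   ; placeholder path
session_inactivity=30000  ; milliseconds, constructed value
"""
PJSIP_CONF = """[alice]
type=endpoint
sub_min_expiry=0          ; AST-2014-005: must be greater than zero
[bob]
type=endpoint
sub_min_expiry=60
"""

if __name__ == "__main__":
    print(audit_http_conf(HTTP_CONF_WEAK), audit_http_conf(HTTP_CONF_FIXED), audit_pjsip_conf(PJSIP_CONF))
```

Point the two audit functions at your real http.conf and pjsip.conf contents; an empty list means none of the three conditions was found.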
[asterisk-users] dahdi-linux 2.6.2 failing to compile with linux 3.13
Hello,

I'm getting the following errors when compiling dahdi-linux 2.6.2 under Ubuntu 14.04 with kernel 3.13.0-24-generic. I did google and found one thread suggesting the errors should be fixed in 2.6.2, and another suggesting to try 2.4, which didn't make sense but I tried anyway, and it gave similar warnings. Would anyone know how to make it compile? Thanks in advance.

make[1]: Leaving directory `/usr/src/dahdi-linux-2.6.2/drivers/dahdi/firmware'
make -C /lib/modules/3.13.0-24-generic/build SUBDIRS=/usr/src/dahdi-linux-2.6.2/drivers/dahdi DAHDI_INCLUDE=/usr/src/dahdi-linux-2.6.2/include DAHDI_MODULES_EXTRA= HOTPLUG_FIRMWARE=yes modules DAHDI_BUILD_ALL=m
make[1]: Entering directory `/usr/src/linux-headers-3.13.0-24-generic'
  CC [M]  /usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.o
/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.c:91:2: warning: #warning No CONFIG_BKL is an experimental configuration. [-Wcpp]
 #warning No CONFIG_BKL is an experimental configuration.
  ^
/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.c: In function ‘dahdi_proc_open’:
/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.c:902:2: error: implicit declaration of function ‘PDE’ [-Werror=implicit-function-declaration]
  return single_open(file, dahdi_seq_show, PDE(inode)->data);
  ^
/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.c:902:53: error: invalid type argument of ‘->’ (have ‘int’)
  return single_open(file, dahdi_seq_show, PDE(inode)->data);
                                                     ^
/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.c: In function ‘_dahdi_assign_span’:
/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.c:6945:3: error: implicit declaration of function ‘create_proc_entry’ [-Werror=implicit-function-declaration]
   span->proc_entry = create_proc_entry(tempfile, 0444,
   ^
/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.c:6945:20: warning: assignment makes pointer from integer without a cast [enabled by default]
   span->proc_entry = create_proc_entry(tempfile, 0444,
                    ^
/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.c:6952:19: error: dereferencing pointer to incomplete type
   span->proc_entry->data = (void *)(long)span->spanno;
                   ^
/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.c:6953:19: error: dereferencing pointer to incomplete type
   span->proc_entry->proc_fops = dahdi_proc_ops;
                   ^
/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.c: In function ‘_dahdi_unassign_span’:
/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.c:7137:37: error: dereferencing pointer to incomplete type
   remove_proc_entry(span->proc_entry->name, root_proc_entry);
                                     ^
cc1: some warnings being treated as errors
make[2]: *** [/usr/src/dahdi-linux-2.6.2/drivers/dahdi/dahdi-base.o] Error 1
make[1]: *** [_module_/usr/src/dahdi-linux-2.6.2/drivers/dahdi] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-3.13.0-24-generic'
make: *** [modules] Error 2
make: Leaving directory `/usr/src/dahdi-linux-2.6.2'
'make -C dahdi-linux-2.6.2 install' failed with 512.

--
David Cunningham, Voisonics
http://voisonics.com/
USA: +1 213 221 1092
UK: +44 (0) 20 3298 1642
Australia: +61 (0) 2 8063 9019