Forgot to point out the obvious. My previous comment applies to kamailio's use of TLS, not the website where kamailio is hosted.
On Wed, Dec 9, 2015 at 5:46 PM, Peter Villeneuve <[email protected]> wrote:

> Hi Daniel,
>
> I'm also using letsencrypt since their beta program.
> The only issue I see is that the certs expire after 90 days, which means
> you will have to manually change them before those 90 days are up.
> They have an automated process to get new certs and insert them in the
> correct virtual hosts in apache, but I doubt they have any kamailio
> automation setup yet.
>
> Besides that, which is no big deal, just takes more time until someone
> writes a script to automate the kamailio process of requesting new certs
> and replacing the expired ones, I'm a big fan of Letsencrypt and I
> recommend it to anyone that takes security seriously and doesn't want to
> participate in enriching the CA "mafia".
>
> Cheers,
> Peter
>
> On Tue, Dec 8, 2015 at 8:06 AM, Daniel-Constantin Mierla <
> [email protected]> wrote:
>
>> Hello,
>>
>> during the past few days I made some updates related to the security
>> aspects of kamailio.org services.
>>
>> Two are relevant for the community.
>>
>> 1) First, kamailio.org uses now a TLS certificate signed by
>> letsencrypt.org, a free trusted CA backed up by Mozilla and other
>> internet companies, so browsing via HTTPS should no longer issue any
>> warning of untrusted certificate (previously we used a CACert.org
>> certificate which was not trusted automatically by browsers).
>>
>> Wiki and mailing lists portals use the letsencrypt certificate as well,
>> so there is no reason not to browse all kamailio.org and lists.sip-router.org
>> pages only via HTTPS. Perhaps in the near future we will try to enable
>> redirect of HTTP to HTTPS at least for the main page and login pages for
>> wiki, mailing lists and other places that require sensitive data.
>>
>> Now SSLLabs test ranks https://kamailio.org with grade A:
>>
>> * https://www.ssllabs.com/ssltest/analyze.html?d=kamailio.org&latest
>>
>> As a side note, for those that haven't noticed it, for quite some time
>> kamailio.org is available also over IPv6.
>>
>> 2) Second, emails forwarded by kamailio.org and lists.sip-router.org are
>> having now a DKIM signature. Also, there are SPF records in DNS for
>> these domains. Hopefully, those two will help getting the emails to be
>> allowed by various spam filters out there, as their legit origin can be
>> checked.
>>
>> If you check the sources of an email message and the email server of
>> receiving party is doing DKIM/SPF checks, you should see some headers
>> like next (taken from an email I received to my gmail account from
>> sr-users mailing list):
>>
>> """
>> Authentication-Results: mx.google.com;
>> spf=pass (google.com: domain of
>> [email protected] designates 193.22.119.66 as
>> permitted sender) [email protected];
>> dkim=pass [email protected]
>> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=
>> lists.sip-router.org; s=20151206;
>>
>> h=Sender:Content-Type:List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Reply-To:Subject:MIME-Version:Message-ID:To:From:Date;
>> bh=lGjvCZYcxBHUHaJDnut1j2YTyPsXTnXHzUb0CgcDc1Q=;
>>
>> b=DlD+MKoEqyISB5Ba775t3zg70FC6ouC+tEo7j5zv4dn2Dhm4pWqkQXSfU4Kp1NqW1ZRYFC/mpg/7LEcGW2FlDL9J0FpUg1VjNmN7D1wvtW08hBBw91tsXImu9yf7KZjg/p4IbXu6vznldubrSxweIaV3q/xbrLgaqP5Dsrvs/9A=;
>> """
>>
>> Kamailio is not enforcing any of those policies on received email
>> messages, so sending to the lists should not be affected.
>>
>> Should anyone discover problems when browsing the web portals or notice
>> issues with emails from our mailing lists, report them to sr-dev mailing
>> list.
>>
>> Also, if anyone has more hints on increasing the security/privacy for
>> the web server and email systems we run for kamailio.org, do not
>> hesitate to provide us suggestions.
>>
>> Cheers,
>> Daniel
>>
>> --
>> Daniel-Constantin Mierla
>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>> Book: SIP Routing With Kamailio - http://www.asipto.com
>> http://miconda.eu
>>
>>
>> _______________________________________________
>> sr-dev mailing list
>> [email protected]
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
>>
>
>
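An added example, not part of the original thread: a receiver-side check of the kind of Authentication-Results header quoted in the announcement, accepting a message only when SPF passed and the DKIM signature belongs to the expected list domain. The sample message, the hostnames and addresses in it, and the function names are constructed for illustration; the check trusts results only from the receiver's own mail server, because a sender can add its own Authentication-Results header.

```python
import re
from email import message_from_string, policy

# Constructed sample message; every hostname and address is a placeholder.
SAMPLE = """\
Authentication-Results: mx.example.net;
       spf=pass (example.net: domain of list-bounces@lists.example.org
       designates 192.0.2.66 as permitted sender)
       smtp.mailfrom=list-bounces@lists.example.org;
       dkim=pass header.i=@lists.example.org
From: someone@example.com
Subject: constructed test

body
"""

COMMENT = re.compile(r"\([^()]*\)")  # parenthesised comments, non-nested
RESINFO = re.compile(r"^\s*([a-z0-9-]+)\s*=\s*([a-z]+)(.*)$", re.I | re.S)
PROP = re.compile(r"([a-z0-9.-]+\.[a-z0-9-]+)\s*=\s*(\S+)", re.I)

def parse_auth_results(raw_message, trusted_authserv):
    """Return {method: (result, {property: value})}, reading only headers
    whose authserv-id is trusted_authserv (others may come from the sender)."""
    msg = message_from_string(raw_message, policy=policy.default)
    out = {}
    for header in msg.get_all("Authentication-Results", []):
        parts = COMMENT.sub(" ", str(header)).split(";")
        if parts[0].split()[:1] != [trusted_authserv]:
            continue
        for part in parts[1:]:
            m = RESINFO.match(part)
            if m:
                method, result, rest = m.groups()
                out[method.lower()] = (result.lower(), dict(PROP.findall(rest)))
    return out

def passes(raw_message, trusted_authserv, dkim_domain):
    """True only if SPF passed and a DKIM signature for dkim_domain verified."""
    res = parse_auth_results(raw_message, trusted_authserv)
    spf_ok = res.get("spf", ("none", {}))[0] == "pass"
    dkim_result, props = res.get("dkim", ("none", {}))
    signer = props.get("header.i") or props.get("header.d", "")
    signer_domain = signer.rpartition("@")[2].lower()  # exact match, no suffix tricks
    return spf_ok and dkim_result == "pass" and signer_domain == dkim_domain
```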
