[asterisk-bugs] [JIRA] (ASTERISK-22820) [patch] Plaintext auth is still supported in IAX2

Eugene (JIRA) noreply at issues.asterisk.org
Mon Nov 4 01:46:02 CST 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=211468#comment-211468 ] 

Eugene edited comment on ASTERISK-22820 at 11/4/13 1:44 AM:
------------------------------------------------------------

Well, to be honest, I'm just confused with these mailing lists and how to use them.

Now, when we have the patch, maybe it is worth getting it through reviewboard? Or is it still a good idea to discuss this on asterisk-dev?

Leaving this feature will, of course, leave some backwards compatibility with systems that are configured to use plaintext (which is not recommended and never was). It's not about backwards compatibility with older versions, as the MD5 and RSA auth methods have been in the IAX2 protocol since the very first draft of the specification.

Removing this feature will make Asterisk more secure and will make the IAX2 implementation RFC compliant.

And, of course, removing plaintext support is not the only solution. It is possible to do a partial removal, like "accept incoming plaintext auth but never send plaintext password" or, as a minimalistic solution, just add log messages that plaintext auth for IAX2 is deprecated.
> [patch] Plaintext auth is still supported in IAX2
> -------------------------------------------------
>
>                 Key: ASTERISK-22820
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22820
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_iax2
>    Affects Versions: 11.6.0, 12.0.0-beta1
>            Reporter: Eugene
>            Severity: Minor
>         Attachments: iax2_remove_plaintext_auth_support.diff
>
>
> Starting from draft 2 of RFC 5456 (October 23, 2006) plaintext auth is not supported in the IAX2 protocol. Please refer to section 8.6.3 of RFC 5456.
> But plaintext auth is still supported by the Asterisk implementation of IAX2. This support should be dropped.
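As an added example (not part of this issue, the attached patch, or Asterisk's own code): until the patch lands, an administrator can at least audit an iax.conf for peers and users whose `auth` option still permits plaintext, and see why plaintext is unnecessary by computing the MD5 challenge-response that RFC 5456 defines (MD5 over the challenge followed by the secret, as hex). The `auth` option with values `rsa`, `md5`, `plaintext` is the real chan_iax2 setting; the sample configuration, section names and secrets below are constructed for the example.

```python
import configparser
import hashlib

# Constructed sample iax.conf for the audit; entries and secrets are made up.
# Real chan_iax2 uses the same "auth=" syntax with a comma-separated method list.
SAMPLE_IAX_CONF = """\
[general]
bindport=4569

[legacy-gw]
type=friend
auth=plaintext
secret=notasecret

[branch-b]
type=peer
auth=md5,plaintext
secret=hunter2

[branch-c]
type=user
auth=md5
secret=s3cret
"""


def allowed_auth_methods(conf_text):
    """Map each iax.conf section to the set of auth methods it permits.

    Sections without an explicit auth= line map to an empty set (chan_iax2
    then applies its defaults, which this audit does not try to model).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    result = {}
    for section in parser.sections():
        methods = parser.get(section, "auth", fallback="")
        result[section] = {m.strip().lower() for m in methods.split(",") if m.strip()}
    return result


def find_plaintext_auth(conf_text):
    """Return, in file order, the sections whose auth list still allows plaintext."""
    return [
        section
        for section, methods in allowed_auth_methods(conf_text).items()
        if "plaintext" in methods
    ]


def iax2_md5_response(challenge, secret):
    """MD5 RESULT as RFC 5456 describes it: MD5(challenge || secret), lowercase hex.

    Only this digest crosses the wire; the secret itself never does, which is
    what makes the plaintext method redundant for an IAX2 endpoint.
    """
    return hashlib.md5((challenge + secret).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for section in find_plaintext_auth(SAMPLE_IAX_CONF):
        print(f"[{section}] still permits plaintext auth; restrict to auth=md5 or auth=rsa")
    # Constructed challenge value; a real peer receives it in the AUTHREQ frame.
    print("md5 response for branch-c:", iax2_md5_response("424242", "s3cret"))
```

The audit flags both the peer that allows only plaintext and the one that merely lists it alongside md5, since a method that is permitted can still be negotiated. Fixing a flagged entry means removing `plaintext` from its `auth` list, not rotating the secret.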
