[asterisk-bugs] [JIRA] (ASTERISK-22820) [patch] Plaintext auth is still supported in IAX2

Eugene (JIRA) noreply at issues.asterisk.org
Tue Nov 5 05:50:04 CST 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=211515#comment-211515 ] 

Eugene edited comment on ASTERISK-22820 at 11/5/13 5:49 AM:
------------------------------------------------------------

Patch for Asterisk 12 based on discussion in asterisk-dev.

Emit a warning if auth method (or one of auth methods) is set to plaintext.

Additionally, warning is emitted every time plaintext auth is sent or accepted. Why? The tricky thing with deprecation is what auth methods we set as default. As far as I can see inside sources, if auth= parameter is omitted, auth methods are set to "md5 first, then plaintext".

Another thing is that if we have auth=md5, but remote side has auth=plaintext, and we call them, plaintext will be used. We will see warning too.

Issue with this patch is that if type=friend, get_auth_method() is called twice, so warning is displayed twice on chan_iax2 load.

Patch adds note to UPGRADE.txt too.

Tested by me.
                
      was (Author: varnav):
    Patch for Asterisk 12 based on discussion in asterisk-dev.

Emit a warning if auth method (or one of auth methods) is set to plaintext.

Additionally, warning is emitted every time plaintext auth is sent or accepted. Why? The tricky thing with deprecation is what auth methods we set as default. As far as I can see inside sources, if auth= parameter is omitted, auth methods are set to "md5 first, then plaintext".

Another thing is that if we have auth=md5, but remote side has auth=plaintext, and we call them, plaintext will be used. We will see warning too.

Issue with this patch is that if type=friend, get_auth_method() is called twice, so warning is displayed twice on chan_iax2 load.

Patch adds note to UPGRADE.txt too.
                  
> [patch] Plaintext auth is still supported in IAX2
> -------------------------------------------------
>
>                 Key: ASTERISK-22820
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22820
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_iax2
>    Affects Versions: 11.6.0, 12.0.0-beta1
>            Reporter: Eugene
>            Severity: Minor
>         Attachments: asterisk-12-chan_iax2-plaintext-auth-deprecated.diff, iax2_remove_plaintext_auth_support.diff
>
>
> Starting from draft 2 of RFC 5456 (October 23, 2006) plaintext auth is not supported in IAX2 protocol. Please refer to section 8.6.3 of RFC 5456.
> But plaintext auth is still supported by Asterisk implementation of IAX2. This support should be dropped.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
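
The comment above names two configuration states that leave plaintext reachable: an auth= list that contains plaintext, and an omitted auth= line. The following is an added example, not part of the attached patch or of Asterisk: a small auditor that flags both states in an iax.conf-style file. The sample configuration is constructed, the omitted-auth default is taken from the comment as an assumption, and template inheritance between sections is not resolved.

```python
import re

# Constructed sample iax.conf; peer names and secrets are made up.
SAMPLE_CONF = """\
[general]
bindport=4569
[branch-a]
type=friend
auth=md5
[branch-b]
type=peer
auth = md5,plaintext   ; a mixed list still permits plaintext
[branch-c]
type=user
secret=example3        ; no auth= line at all
"""

SECTION = re.compile(r"^\[([^\]]+)\]")
SETTING = re.compile(r"^([A-Za-z_]+)\s*=>?\s*(.*)$")

def audit_iax_conf(text):
    """Return {section: reason} for peers/users that may use plaintext auth."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        setting = SETTING.match(line)
        if setting and current is not None:
            current[setting.group(1).lower()] = setting.group(2).strip()
    findings = {}
    for name, opts in sections.items():
        if "type" not in opts:                   # skip [general] and similar
            continue
        methods = [m.strip().lower() for m in opts.get("auth", "").split(",")]
        if "auth" not in opts:
            # Assumption taken from the comment above: omitted auth= means
            # "md5 first, then plaintext".
            findings[name] = "auth= omitted, default allows plaintext"
        elif "plaintext" in methods:
            findings[name] = "auth= lists plaintext"
    return findings

if __name__ == "__main__":
    for name, reason in audit_iax_conf(SAMPLE_CONF).items():
        print(f"{name}: {reason}")
```

Sections that set auth=md5 or auth=rsa explicitly are not reported; the second case in the comment (the remote side requesting plaintext) cannot be seen from the local file alone.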