[Asterisk-code-review] config transport: Tell pjproject to allow all SSL/TLS proto... (asterisk[13])

Mark Michelson asteriskteam at digium.com
Mon May 9 16:54:55 CDT 2016


Mark Michelson has posted comments on this change.

Change subject: config_transport: Tell pjproject to allow all SSL/TLS protocols
......................................................................


Patch Set 2:

AST-2014-011 dealt with the POODLE vulnerability (https://en.wikipedia.org/wiki/POODLE). If you read the security advisory, the big problem was that Asterisk had the ability to fall back to SSLv2 or SSLv3, which was exploitable by a MITM. My reading of the security advisory was that if we could get away with it, we'd straight up disable the setting of SSLv2 and SSLv3, but since we didn't want to completely break people, we settled for printing a big warning message instead.

I tend to agree with Kevin that allowing for more insecure methods to be configured is not a good idea. And I'd also be worried that if all methods are in play, we had better make sure that a MITM could not allow us to fall back from a more secure protocol to a less secure protocol.

-- 
To view, visit https://gerrit.asterisk.org/2782
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Icfb55c1ebe921298dedb4b1a1d3bdc3ca41dd078
Gerrit-PatchSet: 2
Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Owner: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Mark Michelson <mmichelson at digium.com>
Gerrit-HasComments: No
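As an added example, not code from the review or from Asterisk/pjproject: a small audit script that reads a pjsip.conf and flags TLS transports whose `method` pins SSLv2/SSLv3 or leaves the protocol to negotiation, the fallback the comment above is worried about. It assumes the pjsip.conf transport option `method` with the values `sslv2`, `sslv3`, `sslv23`, `tlsv1`, `default` and `unspecified`, treats a missing `method` as `default`, and the sample config is constructed.

```python
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]")  # matches [name], [name](!) and [name](tmpl)
INSECURE_METHODS = {"sslv2", "sslv3"}  # 'method' values that pin a protocol POODLE broke
# Values that let pjproject/OpenSSL negotiate: only safe if the library itself refuses SSLv2/SSLv3.
NEGOTIATED_METHODS = {"default", "unspecified", "sslv23"}

def parse_sections(text):
    """Minimal pjsip.conf reader: {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("name"), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip().lower()
    return sections

def audit_tls_transports(text):
    """Return [(section, severity, note)] for every type=transport with protocol=tls."""
    findings = []
    for name, opts in parse_sections(text).items():
        if opts.get("type") != "transport" or opts.get("protocol") != "tls":
            continue
        method = opts.get("method", "default")  # assumption: a missing method behaves as 'default'
        if method in INSECURE_METHODS:
            findings.append((name, "ERROR", f"method={method} re-enables a protocol broken by POODLE"))
        elif method in NEGOTIATED_METHODS:
            findings.append((name, "WARN", f"method={method} leaves the protocol floor to library defaults"))
        else:
            findings.append((name, "INFO", f"method={method} pins one TLS version; confirm it is still current"))
    return findings

# Constructed sample pjsip.conf, not taken from the review or from any real deployment.
SAMPLE_PJSIP_CONF = """[transport-tls-legacy]
type=transport
protocol=tls
method=sslv3   ; explicitly re-enabled: the setting the review objects to
[transport-tls-negotiated]
type=transport
protocol=tls
[transport-tls-pinned]
type=transport
protocol=tls
method=tlsv1"""

if __name__ == "__main__":
    print(*audit_tls_transports(SAMPLE_PJSIP_CONF), sep="\n")
```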
