[Asterisk-Dev] Asterisk Manager encryption

Paul digium-list at 9ux.com
Mon Dec 12 06:11:59 MST 2005


Tzafrir Cohen wrote:

>On Sun, Dec 11, 2005 at 11:12:45PM -0800, John Todd wrote:
>
>>[Hopefully I'm not duplicating effort, but I'm sure others have come 
>>up with these ideas already.  Apologies if this is a rehash of some 
>>conversation already under way, but I haven't yet heard about it. 
>>Searching through code did not reveal any hidden encryption tools in 
>>manager.c, but I could just be overlooking them.]
>>
>>I have several Asterisk servers on the Wild Internet that I'd like to 
>>be able to reach without "tunneling" the connections via SSH.  I'd 
>>love for the Flash Operator Panel, Asterisk Manager Proxy, and 
>>anything else that talks to Asterisk's Manager API to be able to do 
>>so without relying on ssh port forwarding to ensure a secure 
>>connection.
>
>There is another simple method of tunneling that port over an encrypted
>connection without adding that complexity inside asterisk: it can be done
>using stunnel, which generates an SSL/TLS tunnel for a specific TCP port.
>It has been used successfully as a cheap method of adding "SSL support" for
>many services.
>
>Note that a simple way to connect to that from the command-line would be
>using:
>
>  openssl s_client -connect hostname:port
>
>Which should be your basic netcat for TLS-encrypted connections.
>
>No need to change clients much.
>
>  
>
Relying on existing tools like openssh and stunnel means relying on
tools that are widely used and supported. That support includes security
updates released in a timely manner (unless your distro sucks). Those
updates get applied without having to compile a new asterisk. Add code
to asterisk and you increase the management overhead.
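
Added example, not part of the original thread: a minimal Manager API client that logs in through a TLS tunnel such as the stunnel setup described above, verifying the server certificate and hostname (openssl s_client by default carries on after a verification failure). The function names, the CA file argument and the sample response are constructed for this example; the host and port are whatever the tunnel listens on.

```python
import socket
import ssl

def make_tls_context(ca_file=None):
    """TLS context that verifies the tunnel's certificate and hostname."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def build_action(name, **headers):
    """Serialize one manager action: 'Key: value' lines ended by a blank line."""
    fields = [("Action", name)] + list(headers.items())
    lines = []
    for key, value in fields:
        # A line break in a value would let it smuggle extra headers or actions.
        if "\r" in str(value) or "\n" in str(value):
            raise ValueError(f"line break in {key} header")
        lines.append(f"{key}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_message(raw):
    """Parse one manager message (bytes up to the blank line) into a dict."""
    fields = {}
    for line in raw.decode(errors="replace").split("\r\n"):
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def ami_login(host, port, username, secret, ca_file=None):
    """Log in through the TLS tunnel and return the parsed response."""
    ctx = make_tls_context(ca_file)
    with socket.create_connection((host, port), timeout=10) as tcp:
        # wrap_socket raises ssl.SSLCertVerificationError on a bad certificate.
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            reader = tls.makefile("rb")
            reader.readline()  # banner line sent by the manager on connect
            tls.sendall(build_action("Login", Username=username, Secret=secret))
            raw = b""
            while not raw.endswith(b"\r\n\r\n"):
                line = reader.readline()
                if not line:
                    break
                raw += line
            return parse_message(raw)

# Constructed sample of a successful login response, for offline checking.
SAMPLE_RESPONSE = b"Response: Success\r\nMessage: Authentication accepted\r\n\r\n"
```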



