[Asterisk-Dev] Asterisk Manager encryption

John Todd jtodd at loligo.com
Mon Dec 12 19:13:53 MST 2005


At 2:53 PM -0600 12/12/05, Kevin P. Fleming wrote:
>Steven Critchfield wrote:
>
>>With openssl being BSD style licensed, it shouldn't be a problem to link
>>to the versions distributed with the distro of choice. This also keeps
>>us out of the patch race as it will be updated by the distros.
>
>It's already being used, with an exception granted for Asterisk to 
>be able to link to it.
>
>>The concern I will toss out is, do we want to make openssl a
>>requirement, and how would we build without it otherwise. I'm assuming
>>the masochists of the group trying to run asterisk under windows would
>>not like it if they were excluded at this point.
>
>It's already a requirement for res_crypto.so, and can be skipped if 
>someone wants to do so. Presumably if we TLS-enabled the manager 
>interface, then TLS functionality would just be unavailable if 
>linking against OpenSSL was disabled at compile time.

I'm fine with TLS, actually - it's common, "embedded" as a library, 
and requires no user intervention to activate as Asterisk already 
quasi-requires it for config-free installation.  It needs to be 
activated inside Asterisk.  If it runs on a different port, that's 
fine - it just needs to be running by default, and there need to be 
NO actions by the administrator as far as a security policy or other 
userland applications that must be run to make it work (including 
creation of keys! if there are no keys present on install, Asterisk 
should MAKE them, just like with DUNDi.)

The problem with TLS is that it's easy to get totally swamped with 
the complexity of key management, cert validation, and then a 
generalized TLS model for all of Asterisk, which means... very... 
long... completion... interval because it's suddenly obvious that 
this GIANT code task needs to be done in order to do things the 
"right" way for one small use of the final project.  Perhaps this is 
an improper assumption, as there are portions of the TLS code done 
for SIP so this might not be so difficult.  More discussion 
necessary...

To some other comments on this thread:  I disagree with any 
requirement that implies that some other package be used "outside" of 
Asterisk to implement a tunnel.  If a library is compiled in that is 
"commonly found" on most *NIX distributions, that is great, but don't 
rely on some userland program or security model.  It should "just 
work".  If the system for some reason doesn't have OpenSSL, then it 
should moan and complain (or just fail to compile until the 
appropriate crypto lines are commented out in the config.)  I'm not 
opposed to using other libraries; I'm opposed to using systems that 
require administrator intervention to operate.  I'd like to be 
"aggressively secure" versus "aggressively insecure."  Kristian's 
arguments are valid, but I would suggest that stunnel not be the 
choice because it requires the admin to "do something" to make it 
work, from what I recall of its use.

JT



