[Asterisk-Dev] Asterisk Manager encryption

Mikael Magnusson mikaelmagnusson at glocalnet.net
Tue Dec 13 04:00:26 MST 2005


On Tue, Dec 13, 2005 at 05:13:00AM +0200, Tzafrir Cohen wrote:
> On Mon, Dec 12, 2005 at 08:33:24PM -0600, Kevin P. Fleming wrote:
> > John Todd wrote:
> > 
> > >I'm fine with TLS, actually - it's common, "embedded" as a library, and 
> > >requires no user intervention to activate as Asterisk already 
> > >quasi-requires it for config-free installation.  It needs to be 
> > >activated inside Asterisk.  If it runs on a different port, that's fine 
> > >- it just needs to be running by default, and there need to be NO 
> > >actions by the administrator as far as a security policy or other 
> > >userland applications that must be run to make it work (including 
> > >creation of keys! if there are no keys present on install, Asterisk 
> > >should MAKE them, just like with DUNDi.)
> > 
> > TLS requires a server certificate. This must also be trusted by the 
> > clients, so it either needs to be created by a trusted CA or the 
> > self-signed certificate needs to be copied to the clients so they can 
> > put it into their trust list.
> > 
> > It would be possible for 'make install' to create the certificate if 
> > desired, although it would need to prompt for the relevant server name 
> > to be able to do that. 
> 
> Which means: an interactive process. :-(
> 
> > Asterisk does _not_ automatically create keys for 
> > DUNDi, it's a manual process.
> 
> There's nothing inherently insecure in generating a certificate at
> install-time. This is actually exactly what ssh does.
> 
> However the advantage of openssl, being totally below the application
> layer, is also a major annoyance. The server can only be identified by
> its name or IP address. You cannot use the same certificate for several
> IP addresses.
> 

Can't a certificate contain a subjectAltName with multiple iPAddresses
(or dNSNames)?

/Mikael
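As an added example (not part of the thread or of Asterisk), the following script shows the point being asked about: one self-signed certificate carrying several dNSName and iPAddress entries in subjectAltName, verified the way Kevin describes, with the client trusting the server's self-signed certificate directly. It assumes OpenSSL 1.1.1 or later (for -addext and -ext); the host names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: a self-signed cert valid for several DNS names and IPs.
# Host names and addresses below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/manager.crt"
KEY="$WORK/manager.key"

# Two DNS names and two IP addresses in a single subjectAltName.
SAN="DNS:pbx.example.net,DNS:pbx-standby.example.net,IP:192.0.2.10,IP:198.51.100.20"

# Generate a key and a self-signed certificate in one step. Modern clients
# match against subjectAltName, not the CN, so the CN is informational only.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=pbx.example.net" \
        -addext "subjectAltName=$SAN" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Print the SAN extension as OpenSSL decodes it from the certificate.
show_san() {
    openssl x509 -in "$CERT" -noout -ext subjectAltName
}

# Return 0 if the certificate is acceptable for the given DNS name.
# -CAfile "$CERT" models a client that has the self-signed cert in its
# trust list, as described above; no CA is involved.
check_host() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

# Return 0 if the certificate is acceptable for the given IP address literal.
check_ip() {
    openssl verify -CAfile "$CERT" -verify_ip "$1" "$CERT" >/dev/null 2>&1
}

make_cert
show_san
```

Run it and then try `check_host` / `check_ip` with names that are and are not in the SAN list; only the listed ones verify.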
