[Asterisk-Dev] Asterisk Manager encryption
Mikael Magnusson
mikaelmagnusson at glocalnet.net
Tue Dec 13 04:00:26 MST 2005
On Tue, Dec 13, 2005 at 05:13:00AM +0200, Tzafrir Cohen wrote:
> On Mon, Dec 12, 2005 at 08:33:24PM -0600, Kevin P. Fleming wrote:
> > John Todd wrote:
> >
> > >I'm fine with TLS, actually - it's common, "embedded" as a library, and
> > >requires no user intervention to activate as Asterisk already
> > >quasi-requires it for config-free installation. It needs to be
> > >activated inside Asterisk. If it runs on a different port, that's fine
> > >- it just needs to be running by default, and there need to be NO
> > >actions by the administrator as far as a security policy or other
> > >userland applications that must be run to make it work (including
> > >creation of keys! if there are no keys present on install, Asterisk
> > >should MAKE them, just like with DUNDi.)
> >
> > TLS requires a server certificate. This must also be trusted by the
> > clients, so it either needs to be created by a trusted CA or the
> > self-signed certificate needs to be copied to the clients so they can
> > put it into their trust list.
> >
> > It would be possible for 'make install' to create the certificate if
> > desired, although it would need to prompt for the relevant server name
> > to be able to do that.
>
> Which means: an interactive process. :-(
>
> > Asterisk does _not_ automatically create keys for
> > DUNDi, it's a manual process.
>
> There's nothing inherently insecure in generating a certificate at
> install-time. This is actually exactly what ssh does.
>
> However the atvantage of openssl: being totally below the application
> layer, is also a major annoyance. The server can only be identified by
> its name or IP address. You cannot use the same certificate for several
> IP addresses.
>
Can't a certificate contain a subjectAltName with multiple iPAddresses
(or dNSNames)?
/Mikael
More information about the asterisk-dev
mailing list