[asterisk-dev] SSL encryption for Asterisk Manager Interface

John Todd jtodd at loligo.com
Tue Mar 28 16:20:46 MST 2006


>>OK, so I've put forward the solution.  Someone other than me should 
>>test it.  I'd like to get this approved and in SVN TRUNK before the 
>>next freeze so it can be part of the distribution.  Please take a 
>>few moments away from Olle's gargantuan list of test cases and poke 
>>at this for a bit to see if you can find any flaws.  ;-)
>>
>
>Now, who's talking now? :-)
>
>This is going to the test branch real soon... Opened a branch for it 
>meanwhile.
>
>>http://bugs.digium.com/view.php?id=6812
>
>Go to the bug and start testing, we need input on this important 
>addition now. Especially the configuration
>options. Kevin and myself need it to support client certificates so 
>we can have secure auth.

Do we?  While I believe that client certs are a Good Thing, isn't the 
Challenge: method sufficient to prove connection identity?  I like 
client certs; don't get me wrong.  However, they have proven to be 
complex and almost never used in my experiences with designers.  The 
Challenge: method that the AMI uses seems to be fairly robust in 
exchanging a shared secret, which would be required for connection 
anyway.  Doubling up on the security does not seem to have a 
compelling amount of usefulness (note my wording doesn't say _no_ 
usefulness; I just can't think of why I'd need both.)  Perhaps we 
just need some options that disallow cleartext passwords under some 
definable set of circumstances.  (unauth-passwords-ssl=yes, 
unauth-passwords-nossl=no)

>Please also remind Dave Troy about this, so we get SSL support in Astmanproxy.

He's already been poked with the Sharp Stick of Harassment.

JT

>There are client stubs in the branch for you to add to your client.
>
>/O
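Added example, not part of the original message or of Asterisk's code: both sides of the AMI MD5 Challenge login discussed above, with a server-side rule that refuses a cleartext Secret on an unencrypted connection. The function names and the plain_without_tls switch are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def new_challenge() -> str:
    """Server: fresh random nonce for each Challenge request."""
    return str(secrets.randbelow(10**9)).zfill(9)

def md5_key(challenge: str, secret: str) -> str:
    """Client: Key is the hex MD5 of the challenge followed by the secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()

def parse_action(raw: str) -> dict:
    """Split an AMI message ("Header: value" lines, CRLF-terminated)."""
    pairs = (line.split(": ", 1) for line in raw.split("\r\n") if ": " in line)
    return {name.lower(): value for name, value in pairs}

def same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def check_login(raw, users, challenge, over_tls, plain_without_tls=False):
    """Server: accept MD5 logins anywhere, cleartext secrets only under policy.

    plain_without_tls is a hypothetical switch modelled on the options
    proposed in the message; it is not an existing manager.conf setting.
    """
    msg = parse_action(raw)
    secret = users.get(msg.get("username", ""))
    if msg.get("action", "").lower() != "login" or secret is None:
        return "rejected"
    if msg.get("authtype", "").lower() == "md5":
        # A Key is only valid against the challenge issued on this connection.
        ok = bool(challenge) and same(md5_key(challenge, secret), msg.get("key", ""))
        return "accepted" if ok else "rejected"
    if not over_tls and not plain_without_tls:
        return "rejected: cleartext secret on unencrypted connection"
    return "accepted" if same(secret, msg.get("secret", "")) else "rejected"

if __name__ == "__main__":
    users = {"admin": "s3cret"}                      # constructed account
    nonce = new_challenge()
    login = ("Action: Login\r\nAuthType: MD5\r\nUsername: admin\r\n"
             f"Key: {md5_key(nonce, 's3cret')}\r\n\r\n")
    plain = "Action: Login\r\nUsername: admin\r\nSecret: s3cret\r\n\r\n"
    print(check_login(login, users, nonce, over_tls=False))   # accepted
    print(check_login(plain, users, None, over_tls=False))    # rejected: cleartext ...
    print(check_login(plain, users, None, over_tls=True))     # accepted
```

The Key only proves knowledge of the shared secret for one challenge; it does not encrypt the actions and events that follow the login.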



