[asterisk-dev] Plaintext auth support in IAX2
varnavruz at gmail.com
Wed Nov 6 07:27:19 CST 2013
> What about defaulting only to md5 and not falling back to plaintext? While
> that is a slightly more meaningful change, it prevents having to spam
> WARNING messages.
Surely it's better solution.
But I'm not sure it won't break compatibility. I will test that.
> I would prefer not to have any messages displayed during run time
> operation, after the module is loaded. This would especially apply to
> messages that are received. The fact that some other system has chosen to
> send authentication in plaintext is presumably outside of the control of
> the receiving system. Creating a message that spams someone when they
> cannot control is bound to only cause frustration.
I understand. But, when feature is removed, connection with that other
plaintext system will not be possible. It's like warning about that.
But ok, no warnings during runtime.
> As Tilghman noted, we probably should wait longer than a single version to
> remove support for a deprecated feature. If I recall correctly, standard
> operating procedure is two versions from the time when a feature is
> deprecated, which put Asterisk 14 as the earliest time this feature can be
Ok, no problems.
What do you guys think about changing default value of authreject to true?
This option increases security without any drawbacks.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the asterisk-dev