[asterisk-dev] Plaintext auth support in IAX2

Eugene Varnavsky varnavruz at gmail.com
Wed Nov 6 07:27:19 CST 2013

> What about defaulting only to md5 and not falling back to plaintext? While
> that is a slightly more meaningful change, it prevents having to spam
> WARNING messages.

Surely it's better solution.
But I'm not sure it won't break compatibility. I will test that.

>  I would prefer not to have any messages displayed during run time
> operation, after the module is loaded. This would especially apply to
> messages that are received. The fact that some other system has chosen to
> send authentication in plaintext is presumably outside of the control of
> the receiving system. Creating a message that spams someone when they
> cannot control is bound to only cause frustration.

I understand. But, when feature is removed, connection with that other
plaintext system will not be possible. It's like warning about that.
But ok, no warnings during runtime.

> As Tilghman noted, we probably should wait longer than a single version to
> remove support for a deprecated feature. If I recall correctly, standard
> operating procedure is two versions from the time when a feature is
> deprecated, which put Asterisk 14 as the earliest time this feature can be
> removed.

Ok, no problems.


What do you guys think about changing default value of authreject to true?
This option increases security without any drawbacks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20131106/a88b9a3f/attachment.html>

More information about the asterisk-dev mailing list