[asterisk-dev] DTLS setting impacts encryption setting
Olle E. Johansson
oej at edvina.net
Wed Jan 29 02:36:37 CST 2014
On 28 Jan 2014, at 22:53, Joshua Colp <jcolp at digium.com> wrote:
> On 14-01-28 04:25 PM, Daniel Pocock wrote:
>>
>> This was on -users, but it appears all the DTLS discussion is on -dev so
>> I'm reposting it...
>>
>>
>> If I understand correctly, setting
>>
>> encryption=no
>>
>> means that Asterisk will make outgoing calls without encryption, but
>> will be happy to accept incoming calls regardless of whether the caller
>> wants encryption or not (that is how it has been working for me anyway)
>
> What you are referring to is optional encryption which should not be
> working. The code was originally written with only SDES in mind so it
> may be possible that the DTLS code isn't taking things into account
> correctly.
>
> Personally I am against optional encryption. Best effort encryption just
> does not make sense to me.
A year ago I would agree with you. Not any more. Encrypt wherever
possible.
We just need to separate this from "secure media". If you really want
a confidential call, force encryption. If you really want a call with
an authenticated endpoint/user, force strong authentication.
For the rest of the calls, if we can encrypt media and/or signalling,
just do it.
/O
More information about the asterisk-dev
mailing list