[asterisk-dev] DTLS setting impacts encryption setting

Olle E. Johansson oej at edvina.net
Wed Jan 29 02:36:37 CST 2014


On 28 Jan 2014, at 22:53, Joshua Colp <jcolp at digium.com> wrote:

> On 14-01-28 04:25 PM, Daniel Pocock wrote:
>> 
>> This was on -users, but it appears all the DTLS discussion is on -dev so
>> I'm reposting it...
>> 
>> 
>> If I understand correctly, setting
>> 
>>   encryption=no
>> 
>> means that Asterisk will make outgoing calls without encryption, but
>> will be happy to accept incoming calls regardless of whether the caller
>> wants encryption or not (that is how it has been working for me anyway)
> 
> What you are referring to is optional encryption which should not be
> working. The code was originally written with only SDES in mind so it
> may be possible that the DTLS code isn't taking things into account
> correctly.
> 
> Personally I am against optional encryption. Best effort encryption just
> does not make sense to me.

A year ago I would agree with you. Not any more. Encrypt wherever 
possible. 

We just need to separate this from "secure media". If you really want
a confidential call, force encryption. If you really want a call with
an authenticated endpoint/user, force strong authentication.

For the rest of the calls, if we can encrypt media and/or signalling,
just do it. 

/O


