[asterisk-dev] DTLS setting impacts encryption setting
Daniel Pocock
daniel at pocock.com.au
Wed Jan 29 06:58:42 CST 2014
On 29/01/14 09:36, Olle E. Johansson wrote:
> On 28 Jan 2014, at 22:53, Joshua Colp <jcolp at digium.com> wrote:
>
>> On 14-01-28 04:25 PM, Daniel Pocock wrote:
>>> This was on -users, but it appears all the DTLS discussion is on -dev so
>>> I'm reposting it...
>>>
>>>
>>> If I understand correctly, setting
>>>
>>> encryption=no
>>>
>>> means that Asterisk will make outgoing calls without encryption, but
>>> will be happy to accept incoming calls regardless of whether the caller
>>> wants encryption or not (that is how it has been working for me anyway)
>> What you are referring to is optional encryption which should not be
>> working. The code was originally written with only SDES in mind so it
>> may be possible that the DTLS code isn't taking things into account
>> correctly.
>>
>> Personally I am against optional encryption. Best effort encryption just
>> does not make sense to me.
> A year ago I would agree with you. Not any more. Encrypt wherever
> possible.
>
> We just need to separate this from "secure media". If you really want
> a confidential call, force encryption. If you really want a call with
> an authenticated endpoint/user, force strong authentication.
>
> For the rest of the calls, if we can encrypt media and/or signalling,
> just do it.
There are a lot of valid issues to discuss about this.
However, the core thing for me is that the "encryption=no" setting
behaves in a certain way, and DTLS causes that to change.
For consistency, I think that in the current major version (Asterisk
11.x) encryption=no should continue to mean optional encryption, based
on the expectations of the peer.
If somebody wants to change that more dramatically (e.g. because they
disapprove of opportunistic encryption or want to implement some other
criteria) then that would probably be better to change in Asterisk 12.x.
While it may not be recommended as a normal configuration, I think there
are valid use cases, like my test numbers or relaying ZRTP media streams.