[asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

Ashley Sanders reviewboard at asterisk.org
Thu Jan 29 14:36:55 CST 2015



> On Jan. 28, 2015, 6:21 a.m., Corey Farrell wrote:
> > If we assume that there are always unknown security vulnerabilities, I think it is worth completely removing "Server: Asterisk/<version>".  Another option would be trimming to major version only - Server: Asterisk/13.  Otherwise any system with default config that does not receive a security update will always inform hackers of that fact.
> > 
> > I'm not sure others will agree with this but feel that it needs to be considered.
> 
> Matt Jordan wrote:
>     I thought about this as well. As a rebuttal to changing this mid-stream, I'd note the following:
>     * Although it is somewhat unlikely, there is a chance that someone has built a system relying on this information. For example, if I had a pool of private Asterisk servers, I may be using cURL to check Asterisk's HTTP server to get the version that is deployed on each server. While this isn't highly likely, I've seen systems that do weirder things. I'd prefer to not break existing systems unless we feel there is no other option.
>     * We do the same thing in other areas. For example, the UserAgent header and the SDP session name in chan_sip include the version. Arguably, this exposes Asterisk more than the HTTP server - we are far more likely to have someone inspecting the SIP traffic than the HTTP server (which sits on a non-standard port).
>     
>     As it is, I'd be fine if we changed this in trunk, but I'd prefer the 11/13 implementations to keep the existing behaviour.
> 
> Corey Farrell wrote:
>     If we uncomment "servername=asterisk" in the sample config for trunk only I'd be happy.

I discussed this with Matt and Josh; both concur with your suggestion. When I integrate this change, I will make that modification to the config file prior to pushing it to the Asterisk trunk.


- Ashley


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4374/#review14339
-----------------------------------------------------------


On Jan. 28, 2015, 8:13 p.m., Ashley Sanders wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4374/
> -----------------------------------------------------------
> 
> (Updated Jan. 28, 2015, 8:13 p.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Bugs: ASTERISK-24316
>     https://issues.asterisk.org/jira/browse/ASTERISK-24316
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> Currently, all responses from the Asterisk HTTP server contain a [Server] header that identifies Asterisk and its version (e.g. "Server:Asterisk/<version>", where <version> is the currently running version of Asterisk). The preferred behavior is to allow the user to configure an alternate name to use for the value returned in the [Server] header for HTTP responses (e.g. "Server:SomeSuperAwesomeServerName").
> 
> This patch provides a new configuration property, [servername], in http.conf, that gives users the ability to modify the value that Asterisk uses when identifying itself. 
> 
> By default, the new property is unused, which means that out-of-the-box, the HTTP server behaves just like it did prior to the patch. Requests to the HTTP server will generate responses with the old-style [Server] header (e.g. "Server:Asterisk/<version>", where <version> is the currently running version of Asterisk). To see the new behavior, you must add the configuration property, [servername] with some value (an empty value will work, also) to http.conf.
> 
> Whatever value the HTTP server is holding for the server name can now be seen through the httpstatus web page (http://<bindaddr>:<bindport>/<prefix>/httpstatus) (where [bindaddr], [bindport], and [prefix] are all values configured in http.conf) and the CLI command: http show status.
> 
> ***Note*** This is just the patch to the Asterisk source. You can find the review for the Testsuite at: https://reviewboard.asterisk.org/r/4377/
> 
> 
> Diffs
> -----
> 
>   ./branches/13/main/http.c 431112 
>   ./branches/13/include/asterisk/http.h 431112 
>   ./branches/13/configs/samples/http.conf.sample 431112 
> 
> Diff: https://reviewboard.asterisk.org/r/4374/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Ashley Sanders
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20150129/5c2500f5/attachment.html>


More information about the asterisk-dev mailing list