<div dir="ltr"><div>Hello!<br><br></div><div>I have opened a bug report (ASTERISK-22820) and submitted a patch, but, as Michael L. Young suggested there, it is worth discussing the issue on this mailing list first.<br><p>Starting from draft 2 of RFC 5456 (October 23, 2006), plaintext auth
is taken out of the specifications of the IAX2 protocol. Please refer to section 8.6.3 of RFC
5456. The reasons are obvious: it is very, very unsafe to send plaintext passwords over the net.<br></p>
But plaintext auth is still supported by the Asterisk implementation of IAX2.<br><br></div><div>I propose a number of solutions, from more to less radical. Choose one:<br><br></div><div>1. Remove plaintext auth support completely (the patch does this)<br>
</div><div>2. Accept, but never send plaintext passwords<br></div><div>3. Accept and send plaintext passwords, but never use plaintext auth by default (current defaults are MD5 first, plaintext second)<br></div><div>4. Declare plaintext auth deprecated, add warnings to logs and documentation<br>
</div><div><br></div><div>I will make a patch for any of these variants, based on what the community decides.<br></div></div>