[asterisk-users] SSL/TLS weakness impact on Asterisk authentication

Patrick Laimbock patrick at laimbock.com
Tue Jun 10 19:01:15 CDT 2014

On 10-06-14 23:44, Michelle Dupuis wrote:
> After reading about the  2 major SSL (and TLS?) weaknesses discovered
> this year, I was wondering how it affects asterisk.
> Does the SIP authentication use TLS - or something that was recently
> broken?  Is there a risk of exposing passwords?

Asterisk' SIP authentication uses a digest. See 
http://tools.ietf.org/html/rfc3261 for more info (20.6 and onwards).

That does not mean that the recent OpenSSL issues have no impact on 
Asterisk. They do if you configure SIP to use TLS transport or enable 
TLS for other parts (for example AMI). So it's highly recommended to 
install the updated OpenSSL packages containing the fixes.

My Asterisk packages link dynamically against the OpenSSL libraries. 
Assuming your packages do the same then, once you have updated the 
OpenSSL packages to the latest ones with the fixes and restart Asterisk, 
you should be good to go.

While the recent OpenSSL issues don't directly expose your account 
passwords, the Heartbleed bug can expose (parts of) the private key used 
by TLS. Once the Men in Black have your private key its possible to 
setup a Man (in Black) in the Middle attack and sniff those passwords. 
See http://heartbleed.com/

Unless you want to mess around with the Men in Black and leave your 
system vulnerable to attack, you should install all security updates 
ASAP and then restart the services that rely upon them.


More information about the asterisk-users mailing list