<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 10, 2014 at 4:44 PM, Michelle Dupuis <span dir="ltr"><<a href="mailto:mdupuis@ocg.ca" target="_blank">mdupuis@ocg.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div style="font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:Calibri,Arial,Helvetica,sans-serif">
<p>After reading about the 2 major SSL (and TLS?) weaknesses discovered this year, I was wondering how it affects asterisk.</p></div></div></blockquote><div></div><div>Asterisk uses OpenSSL for TLS. So, the answer is, it depends on the version of OpenSSL that was installed for your Asterisk server.<br>
<br>See <a href="http://blogs.digium.com/2014/04/11/asterisk-heartbleed/">http://blogs.digium.com/2014/04/11/asterisk-heartbleed/</a> for more information.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><div style="font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:Calibri,Arial,Helvetica,sans-serif"><p>
</p>
<p>Does the SIP authentication use TLS - or something that was recently broken? Is there a risk of exposing passwords?<br>
</p>
</div></div></blockquote><div>SIP signalling - in both chan_sip and chan_pjsip - can use TLS as a transport. If your OpenSSL version is one of those affected by the various vulnerabilities, then yes, you are at risk.<br>
<br>This also applies to all other modules in Asterisk that use TLS, including AMI, the HTTP server, and others.<br><br>Matt <br></div><div><br></div></div>-- <br><div dir="ltr"><div>Matthew Jordan<br></div><div>Digium, Inc. | Engineering Manager</div>
<div>445 Jan Davis Drive NW - Huntsville, AL 35806 - USA</div><div>Check us out at: <a href="http://digium.com" target="_blank">http://digium.com</a> & <a href="http://asterisk.org" target="_blank">http://asterisk.org</a></div>
</div>
</div></div>