[Asterisk-Dev] Asterisk Manager encryption
Paul
digium-list at 9ux.com
Mon Dec 12 06:11:59 MST 2005
Tzafrir Cohen wrote:
>On Sun, Dec 11, 2005 at 11:12:45PM -0800, John Todd wrote:
>
>
>>[Hopefully I'm not duplicating effort, but I'm sure others have come
>>up with these ideas already. Apologies if this is a rehash of some
>>conversation already under way, but I haven't yet heard about it.
>>Searching through code did not reveal any hidden encryption tools in
>>manager.c, but I could just be overlooking them.]
>>
>>I have several Asterisk servers on the Wild Internet that I'd like to
>>be able to reach without "tunneling" the connections via SSH. I'd
>>love for the Flash Operator Panel, Asterisk Manager Proxy, and
>>anything else that talks to Asterisk's Manager API to be able to do
>>so without relying on ssh port forwarding to ensure a secure
>>connection.
>>
>>
>
>There is another simple method of tunneling that port on an encrypted
>connection without adding that complexity inside asterisk: it can be done
>using stunnel, which generates an SSL/TLS tunnel for a specific TCP port.
>Has been used successfully as a cheap method of adding "SSL support" for
>many services.
>
>Note that a simple way to connect to that from the command-line would be
>using:
>
> openssl s_client -connect hostname:port
>
>Which should be your basic netcat for TLS-encrypted connections.
>
>No need to change clients much.
>
>
>
Relying on existing tools like openssh and stunnel means relying on
tools that are widely used and supported. That support includes security
updates released in a timely manner (unless your distro sucks). Those
updates get applied without having to compile a new asterisk. Add code
to asterisk and you increase the management overhead.
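
An added example, not part of the original messages: one way to lay out the stunnel approach discussed in this thread so that the cleartext Manager port is reachable only on loopback and the client side verifies the server certificate. Assumptions: stunnel 5.x option names, the default Manager port 5038, and a TLS port (5039), hostname (pbx.example.com) and file paths that are placeholders chosen for the example.

```ini
; ---- /etc/asterisk/manager.conf (Asterisk host) ----
; Keep the cleartext Manager listener off the public interface;
; only the local stunnel process should be able to reach it.
[general]
enabled = yes
port = 5038
bindaddr = 127.0.0.1

; ---- stunnel.conf on the Asterisk host (server side) ----
; Accept TLS on 5039 and hand the decrypted stream to the
; loopback-only Manager port. Paths are placeholders.
[ami-tls]
accept = 0.0.0.0:5039
connect = 127.0.0.1:5038
cert = /etc/stunnel/ami-cert.pem
key = /etc/stunnel/ami-key.pem

; ---- stunnel.conf on the machine running the Manager client ----
; The unmodified client (operator panel, proxy, script) connects to
; 127.0.0.1:5038 as before; stunnel carries it over TLS.
[ami-client]
client = yes
accept = 127.0.0.1:5038
connect = pbx.example.com:5039
; Without these three lines the tunnel encrypts but does not
; authenticate the server, so an on-path host could terminate it.
CAfile = /etc/stunnel/ami-ca.pem
verifyChain = yes
checkHost = pbx.example.com
```

The same caveat applies to the `openssl s_client` check quoted above: by default it reports verification errors but continues, so add `-CAfile` and `-verify_return_error` to make the handshake fail on an untrusted certificate.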