[Asterisk-Dev] Asterisk Manager encryption

Steven Critchfield critch at basesys.com
Mon Dec 12 13:49:33 MST 2005


On Mon, 2005-12-12 at 14:11 -0600, Kristian Kielhofner wrote:
> 	This is true.  You and Kevin have a very valid point.  However, is it 
> more "secure" and PR friendly to not implement crypto at all (or at 
> least minimally)?  That is, not to try at all?  I think it would be 
> uglier for someone to point out the lack of crypto altogether (which is 
> starting to happen with VoIP in general).

> 	Asterisk already includes its own AES implementation for IAX2 
> encryption, and still requires OpenSSL for IAX2 keys (AFAIK).  Why not 
> throw some SSL/TLS enabled goodness in for the manager? :)  I know it's 
> not that easy, but hopefully you get the idea!

There are 2 distinct kinds of connections to asterisk. 1 being packet
loss tolerant and the other not. On the non packet loss tolerant links
such as manager, I could see openssl being used directly and a
configuration option for allowing or not allowing either connection
method to work.

With openssl being BSD style licensed, it shouldn't be a problem to link
to the versions distributed with the distro of choice. This also keeps
us out of the patch race as it will be updated by the distros. 

The concern I will toss out is, do we want to make openssl a
requirement, and how would we build without it otherwise. I'm assuming
the masochists of the group trying to run asterisk under windows would
not like it if they were excluded at this point.


-- 
Steven Critchfield <critch at basesys.com>



