[asterisk-users] SSL/TLS weakness impact on Asterisk authentication
Matthew Jordan
mjordan at digium.com
Tue Jun 10 17:19:40 CDT 2014
On Tue, Jun 10, 2014 at 4:44 PM, Michelle Dupuis <mdupuis at ocg.ca> wrote:
> After reading about the 2 major SSL (and TLS?) weaknesses discovered
> this year, I was wondering how it affects asterisk.
>
Asterisk uses OpenSSL for TLS. So, the answer is, it depends on the version
of OpenSSL that was installed for your Asterisk server.
See http://blogs.digium.com/2014/04/11/asterisk-heartbleed/ for more
information.
> Does the SIP authentication use TLS - or something that was recently
> broken? Is there a risk of exposing passwords?
>
SIP signalling - in both chan_sip and chan_pjsip - can use TLS as a
transport. If your OpenSSL version is one of those affected by the various
vulnerabilities, then yes, you are at risk.
This also applies to all other modules in Asterisk that use TLS, including
AMI, the HTTP server, and others.
Matt
--
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140610/563bbd33/attachment.html>
More information about the asterisk-users
mailing list