[asterisk-users] SSL/TLS weakness impact on Asterisk authentication
Patrick Laimbock
patrick at laimbock.com
Tue Jun 10 19:01:15 CDT 2014
On 10-06-14 23:44, Michelle Dupuis wrote:
> After reading about the 2 major SSL (and TLS?) weaknesses discovered
> this year, I was wondering how it affects asterisk.
>
> Does the SIP authentication use TLS - or something that was recently
> broken? Is there a risk of exposing passwords?
Asterisk's SIP authentication uses a digest. See
http://tools.ietf.org/html/rfc3261 for more info (20.6 and onwards).
That does not mean that the recent OpenSSL issues have no impact on
Asterisk. They do if you configure SIP to use TLS transport or enable
TLS for other parts (for example AMI). So it's highly recommended to
install the updated OpenSSL packages containing the fixes.
My Asterisk packages link dynamically against the OpenSSL libraries.
Assuming your packages do the same then, once you have updated the
OpenSSL packages to the latest ones with the fixes and restart Asterisk,
you should be good to go.
While the recent OpenSSL issues don't directly expose your account
passwords, the Heartbleed bug can expose (parts of) the private key used
by TLS. Once the Men in Black have your private key it's possible to
set up a Man (in Black) in the Middle attack and sniff those passwords.
See http://heartbleed.com/
Unless you want to mess around with the Men in Black and leave your
system vulnerable to attack, you should install all security updates
ASAP and then restart the services that rely upon them.
HtH,
Patrick
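As an added illustration of the digest scheme Patrick refers to (RFC 3261 section 22.4, i.e. RFC 2617 without qop), the following example code, written for this page and not taken from Asterisk, shows what a SIP endpoint computes when it answers a REGISTER challenge and how the PBX side checks it. It also shows why the PBX should issue a fresh, single-use nonce per challenge: only the nonce/response pair crosses the wire, and a captured pair does not verify a second time. The username, realm, password and URI are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this example (not from the list post).
USERNAME, REALM, PASSWORD = "6001", "asterisk", "constructed-secret"
METHOD, URI = "REGISTER", "sip:pbx.example.test"


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); a PBX can store this instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """Endpoint side: response = MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri).
    Only this 32-hex-digit value, never the password itself, goes on the wire."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{ha2}")


class DigestServer:
    """PBX side: issues one-time nonces and checks responses against stored HA1."""

    def __init__(self, stored_ha1: str):
        self.stored_ha1 = stored_ha1
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)  # unpredictable, unique per challenge
        self.outstanding.add(nonce)
        return nonce

    def verify(self, method, uri, nonce, response) -> bool:
        if nonce not in self.outstanding:  # unknown or already-used nonce
            return False
        self.outstanding.discard(nonce)  # single use: a replayed pair fails
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.stored_ha1}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    """Run one valid registration, a replay of it, and a wrong-password attempt."""
    pbx = DigestServer(ha1(USERNAME, REALM, PASSWORD))
    nonce = pbx.challenge()
    resp = digest_response(USERNAME, REALM, PASSWORD, METHOD, URI, nonce)
    valid = pbx.verify(METHOD, URI, nonce, resp)
    replay = pbx.verify(METHOD, URI, nonce, resp)  # same captured pair again
    nonce2 = pbx.challenge()
    bad = digest_response(USERNAME, REALM, "not-the-password", METHOD, URI, nonce2)
    wrong = pbx.verify(METHOD, URI, nonce2, bad)
    return {"valid": valid, "replay": replay, "wrong_password": wrong}
```

Note that HA1 is an unsalted MD5 over the credentials; anyone who can observe nonce/response pairs (for example through the TLS-interception scenario above) can try password guesses offline, which is why plain-UDP SIP and a compromised TLS key both matter.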