Michelle Dupuis
2014-Jun-10 21:44 UTC
[asterisk-users] SSL/TLS weakness impact on Asterisk authentication
After reading about the 2 major SSL (and TLS?) weaknesses discovered this year, I was wondering how it affects asterisk. Does the SIP authentication use TLS - or something that was recently broken? Is there a risk of exposing passwords? Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140610/e523fe1c/attachment.html>
Matthew Jordan
2014-Jun-10 22:19 UTC
[asterisk-users] SSL/TLS weakness impact on Asterisk authentication
On Tue, Jun 10, 2014 at 4:44 PM, Michelle Dupuis <mdupuis at ocg.ca> wrote:> After reading about the 2 major SSL (and TLS?) weaknesses discovered > this year, I was wondering how it affects asterisk. >Asterisk uses OpenSSL for TLS. So, the answer is, it depends on the version of OpenSSL that was installed for your Asterisk server. See http://blogs.digium.com/2014/04/11/asterisk-heartbleed/ for more information.> Does the SIP authentication use TLS - or something that was recently > broken? Is there a risk of exposing passwords? >SIP signalling - in both chan_sip and chan_pjsip - can use TLS as a transport. If your OpenSSL version is one of those affected by the various vulnerabilities, then yes, you are at risk. This also applies to all other modules in Asterisk that use TLS, including AMI, the HTTP server, and others. Matt -- Matthew Jordan Digium, Inc. | Engineering Manager 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA Check us out at: http://digium.com & http://asterisk.org -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140610/563bbd33/attachment.html>
Patrick Laimbock
2014-Jun-11 00:01 UTC
[asterisk-users] SSL/TLS weakness impact on Asterisk authentication
On 10-06-14 23:44, Michelle Dupuis wrote:> After reading about the 2 major SSL (and TLS?) weaknesses discovered > this year, I was wondering how it affects asterisk. > > Does the SIP authentication use TLS - or something that was recently > broken? Is there a risk of exposing passwords?Asterisk' SIP authentication uses a digest. See http://tools.ietf.org/html/rfc3261 for more info (20.6 and onwards). That does not mean that the recent OpenSSL issues have no impact on Asterisk. They do if you configure SIP to use TLS transport or enable TLS for other parts (for example AMI). So it's highly recommended to install the updated OpenSSL packages containing the fixes. My Asterisk packages link dynamically against the OpenSSL libraries. Assuming your packages do the same then, once you have updated the OpenSSL packages to the latest ones with the fixes and restart Asterisk, you should be good to go. While the recent OpenSSL issues don't directly expose your account passwords, the Heartbleed bug can expose (parts of) the private key used by TLS. Once the Men in Black have your private key its possible to setup a Man (in Black) in the Middle attack and sniff those passwords. See http://heartbleed.com/ Unless you want to mess around with the Men in Black and leave your system vulnerable to attack, you should install all security updates ASAP and then restart the services that rely upon them. HtH, Patrick