Bug#684649: various TLS faults/limitations in Asterisk
Daniel Pocock
daniel at pocock.com.au
Sun Aug 12 12:56:43 UTC 2012
Package: asterisk
Version: 1:1.8.13.0~dfsg-1+b1
Severity: important
There are now two severe issues open for Asterisk TLS support
There are more known issues in the Digium bug tracker (Jira) for Asterisk:
https://issues.asterisk.org/jira/browse/19147
- no support for connecting to peers with subjectAltName in certificates
- any peer on the public Internet could be using such a cert, and
Asterisk will mysteriously fail to connect to the peer
- these types of certificate are likely to become much more common
during the life of wheezy
https://issues.asterisk.org/jira/browse/ASTERISK-19268
- no support for verifying client peer certificates
- a vital element of federated SIP security and RFC 5922, not an
enthusiastic response from Digium
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683956
- existing issue tracked in Debian: can't connect to Asterisk v1.8.13 at
all using TLS (but it is OK in v1.8.8), wheezy has the broken version
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684646
- Asterisk fails to receive BYE from TLS peer (e.g. phone), keeps
channels open after call was supposed to finish
Summary of issues and TLS in Asterisk:
--------------------------------------
It falls way below the standard suggested in RFC 5922, so it is only
really suitable for a `closed' network, e.g. connecting phones to the
server - not for connecting Asterisk to third parties across the Internet.
Suggestions
-----------
These are some options to consider:
a) strongly worded warning about these limitations for README.Debian
b) make a separate asterisk-tls package, and include the warning in the
package description too
c) compile the wheezy packages WITHOUT any TLS support - put
instructions in README.Debian for people to compile it themselves
d) any such warnings could also refer to the various guides about using
a SIP proxy (repro or kamailio) to handle all the TLS connectivity, both
of these proxies have a much higher standard of coding for TLS, and they
support all of RFC 5922
More information about the Pkg-voip-maintainers
mailing list