diff options
author | Alexander Traud <pabstraud@compuserve.com> | 2016-06-22 14:13:39 +0200 |
---|---|---|
committer | Alexander Traud <pabstraud@compuserve.com> | 2016-07-13 11:48:21 -0500 |
commit | 332beb27d86c8e1a6220c2ccfc9e54b57d299e02 (patch) | |
tree | 2c226080a97a88328cceda38194e3598ae6d4005 /CHANGES | |
parent | 8cea01ab1b3e07282487d7efe1888f290cc4280a (diff) |
res_rtp_asterisk: Enable Forward Secrecy (PFS) for DTLS.
Since July 2014, TLS based protocols (SIP over TLS, Secure WebSockets, HTTPS)
support PFS thanks to ASTERISK-23905. In July 2015, the same feature was added
for DTLS. The source code from main/tcptls.c should have been re-used to ease
security audits. Therefore, this change rolls back the change from July 2015 and
re-uses the code from July 2014. This has the additional benefits to work under
CentOS 7 and enabling not just ECDHE but DHE based cipher suites as well.
ASTERISK-25659 #close
Reported by: StefanEng86, urbaniak, pay123
Tested by: sarumjanuch, traud
patches:
res_rtp_asterisk.patch submitted by sarumjanuch
dtls_centos_step_1.patch submitted by traud
dtls_centos_step_2.patch submitted by traud
Change-Id: I537cadf4421f092a613146b230f2c0ee1be28d5c
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 18 |
1 files changed, 18 insertions, 0 deletions
@@ -19,6 +19,24 @@ res_pjsip extension in the indicated context. If no "subscribe_context" is specified, then the "context" setting is used. +res_rtp_asterisk +------------------ + * The DTLS part in Asterisk now supports Perfect Forward Secrecy (PFS). + Enabling PFS is attempted by default, and is dependent on the configuration + of the module using TLS. + - Ephemeral ECDH (ECDHE) is enabled by default. To disable it, do not + specify a ECDHE cipher suite in sip.conf, for example: + dtlscipher=AES128-SHA + - Ephemeral DH (DHE) is disabled by default. To enable it, add DH parameters + into the private key file, e.g., sip.conf dtlsprivatekey. For example: + openssl dhparam -out ./dh.pem 2048 + - Because clients expect the server to prefer PFS, and because OpenSSL sorts + its cipher suites by bit strength, see "openssl ciphers -v DEFAULT". + Consider re-ordering your cipher suites in the respective configuration + file. For example: + dtlscipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 + which forces PFS and requires at least DTLS 1.2. + ------------------------------------------------------------------------------ --- Functionality changes from Asterisk 13.9.0 to Asterisk 13.10.0 ----------- ------------------------------------------------------------------------------ |