Hello,
(cross-posting as it impacts users as well)
Currently we generate and install the TLS self-signed certificates when tls module is installed, including them in the debian packages (and I guess in rpms).
Debian has a policy of reproducible builds, meaning that from same source tree snapshot the same binary packages should result.
Even more important considering the impact on security, it would be better that the certificates are generated locally on the installation server, to be distinct. Right now, people relying on default installation config/certificates (and I guess there are many, at least in testing phase), are exposed to eavesdropping, because the private key is available in public packages.
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
The drawback is that before enabling tls and starting kamailio, one has to run the above command. We can document that in tls module readme and in kamailio.cfg in the comments related to WITH_TLS define.
Anyone with comments, pros/cons?
Other suggestions on how to address the reproducible builds as well as solve the security issue for the default installation?
Cheers, Daniel
Daniel-Constantin Mierla writes:
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
The drawback is that before enabling tls and starting kamailio, one has to run the above command. We can document that in tls module readme and in kamailio.cfg in the comments related to WITH_TLS define.
Anyone with comments, pros/cons?
I support certificate generation by kamctl.
-- Juha
On 07/20/2015 08:58 PM, Daniel-Constantin Mierla wrote:
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
Anyone with comments, pros/cons?
+1 kamctl tls approach
Agree
2015-07-20 22:18 GMT+03:00 Victor Seva linuxmaniac@torreviejawireless.org:
On 07/20/2015 08:58 PM, Daniel-Constantin Mierla wrote:
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
Anyone with comments, pros/cons?
+1 kamctl tls approach
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
+1 also here :)
2015-07-21 12:25 GMT+02:00 Alekzander Spiridonov sipidronov@gmail.com:
Agree
2015-07-20 22:18 GMT+03:00 Victor Seva <linuxmaniac@torreviejawireless.org
:
On 07/20/2015 08:58 PM, Daniel-Constantin Mierla wrote:
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
Anyone with comments, pros/cons?
+1 kamctl tls approach
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
-- Best regards, Alekzander Spiridonov
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
I think this is a good idea. My only suggestion would be to perhaps add a reminder after make (or make install) for any packages that will need additional installation; such as db_ or (if modified tls).
For example, if tls and db_mysql are installed, a message echoed to terminal such as "Please remember to run kamdbctl create" and "Please remember to run kamctl tls generate-certificate" etc.
--fred
On 07/20/2015 02:58 PM, Daniel-Constantin Mierla wrote:
Hello,
(cross-posting as it impacts users as well)
Currently we generate and install the TLS self-signed certificates when tls module is installed, including them in the debian packages (and I guess in rpms).
Debian has a policy of reproducible builds, meaning that from same source tree snapshot the same binary packages should result.
Even more important considering the impact on security, it would be better that the certificates are generated locally on the installation server, to be distinct. Right now, people relying on default installation config/certificates (and I guess there are many, at least in testing phase), are exposed to eavesdropping, because the private key is available in public packages.
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
The drawback is that before enabling tls and starting kamailio, one has to run the above command. We can document that in tls module readme and in kamailio.cfg in the comments related to WITH_TLS define.
Anyone with comments, pros/cons?
Other suggestions on how to address the reproducible builds as well as solve the security issue for the default installation?
Cheers, Daniel
-
Alberto Sagredo -
Alekzander Spiridonov -
Daniel-Constantin Mierla -
Fred Posner -
Juha Heinanen -
Victor Seva