Hi all,
is it possible to add in http://kamailio.org/docs/modules/4.2.x/modules/tls.html under the line
9.1. tls_method (string)
... ...
If rfc3261 conformance is desired, TLSv1 must be used. For compatibility with older clients SSLv23 is a good option.
Example 1.3. Set tls_method parameter
... modparam("tls", "tls_method", "TLSv1") ...
!!! a warning that the use of SSLv3 is susceptible to the POODLE vulnerability !!!
--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
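The thread turns on whether a SIP-over-TLS listener still negotiates SSLv3 once tls_method has been restricted. The following is an added example for this thread, not Kamailio's, Asterisk's or any poster's code: it sends a minimal SSL 3.0 ClientHello to a listener and classifies the first record the server answers with, so an administrator can confirm that modparam("tls", "tls_method", "TLSv1") (the setting quoted from the docs above) actually closes the door. It assumes port 5061 for the listener; the sample ServerHello and alert bytes at the bottom are constructed for offline testing, not captured from a real server. It works against any TLS listener, not only Kamailio.

```python
"""Probe a SIP-over-TLS listener for SSL 3.0 acceptance (added example).

Sends a minimal SSL 3.0 ClientHello and classifies the first record that
comes back. An SSL 3.0 ServerHello means the listener still negotiates the
protocol POODLE targets; a fatal alert or a TLS-version ServerHello means
the restriction (e.g. modparam("tls", "tls_method", "TLSv1")) is in effect.
"""
import os
import socket
import struct
import sys

SSL3_VERSION = (3, 0)          # SSL 3.0 on the wire is major 3, minor 0
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
# Cipher suites offered by the probe (IANA values: AES128-SHA, AES256-SHA,
# 3DES-SHA). All are CBC suites, the mode whose padding POODLE exploits.
OFFERED_SUITES = (0x002F, 0x0035, 0x000A)
DEFAULT_SIP_TLS_PORT = 5061    # assumption: listener uses the usual SIP TLS port


def build_sslv3_client_hello(client_random=None):
    """Return one record carrying an SSL 3.0 ClientHello (no extensions)."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in OFFERED_SUITES)
    body = (
        bytes(SSL3_VERSION)                      # client_version = 3.0
        + client_random                          # 32 random bytes
        + b"\x00"                                # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                            # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_HANDSHAKE]) + bytes(SSL3_VERSION)
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data):
    """Classify the first record a server sent back. Returns (verdict, detail)."""
    if len(data) < 5:
        return ("no-response", "connection closed or fewer than 5 bytes")
    content_type, _rec_major, _rec_minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if content_type == CONTENT_ALERT and len(payload) >= 2:
        level, desc = payload[0], payload[1]      # 70 = protocol_version, 40 = handshake_failure
        kind = "fatal" if level == 2 else "warning"
        return ("rejected", f"{kind} alert {desc}")
    if content_type == CONTENT_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        server_version = (payload[4], payload[5])  # skip type (1) + length (3)
        if server_version == SSL3_VERSION:
            return ("sslv3-accepted", "ServerHello with server_version 3.0")
        return ("other-version", f"ServerHello with version {server_version[0]}.{server_version[1]}")
    return ("no-response", f"unexpected record type {content_type:#x}")


def check_server(host, port=DEFAULT_SIP_TLS_PORT, timeout=5.0):
    """Connect, send the probe, read one record (or until close) and classify it."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
                if len(buf) >= 5 and len(buf) >= 5 + struct.unpack("!H", buf[3:5])[0]:
                    break          # first record is complete
        except socket.timeout:
            pass                   # classify whatever arrived so far
    return classify_response(buf)


# Constructed sample replies for offline use; not captures from a real server.
def build_sample_server_hello(version):
    """ServerHello picking AES128-SHA, with an all-zero random and no session id."""
    body = bytes(version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", 0x002F) + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_HANDSHAKE]) + bytes(version)
            + struct.pack("!H", len(handshake)) + handshake)


SAMPLE_FATAL_ALERT = bytes([CONTENT_ALERT, 3, 0]) + struct.pack("!H", 2) + bytes([2, 70])


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_SIP_TLS_PORT
    verdict, detail = check_server(target, target_port)
    print(f"{target}:{target_port} -> {verdict} ({detail})")
```

Run it as `python3 sslv3probe.py <your-proxy> 5061` (the file name is an assumption) against your own listener before and after changing tls_method: a listener that still negotiates SSL 3.0 yields `sslv3-accepted`, while one restricted to TLSv1 answers with a fatal protocol_version or handshake_failure alert (`rejected`) or simply closes the connection (`no-response`). Only the first record is parsed, which is enough to tell the two cases apart without completing a handshake.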
More information about the SSLv3 POODLE attack:
SSL 3 is dead, killed by the POODLE attack https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
Posted by Ivan Ristic https://community.qualys.com/people/ivanr in Security Labs https://community.qualys.com/blogs/securitylabs on 15.10.2014 12:06:32
The POODLE Attack (CVE-2014-3566)
After more than a week of persistent rumours, yesterday (Oct 14) we finally learned about the new SSL 3 vulnerability everyone was afraid of. The so-called POODLE attack http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html is a problem in the CBC encryption scheme as implemented in the SSL 3 protocol. (Other protocols are not vulnerable because this area had been strengthened in TLS 1.0.) Conceptually, the vulnerability is very similar to the 2011 BEAST exploit. In order to successfully exploit POODLE the attacker must be able to inject malicious JavaScript into the victim's browser and also be able to observe and manipulate encrypted network traffic on the wire. As far as MITM attacks go, this one is complicated, but easier to execute than BEAST because it doesn't require any special browser plugins. If you care to learn the details, you can find them in the short paper https://www.openssl.org/%7Ebodo/ssl-poodle.pdf or in Adam Langley's blog post https://www.imperialviolet.org/2014/10/14/poodle.html.
read more at source -> https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-kil...
Well, since POODLE requires a web browser and JavaScript, we're not in danger from a POODLE attack. Even so, we are not enabling SSL by default, only enabling TLS. All versions of SSL are too old to be secure. We cannot add a warning text for every possible attack, but have published information on Twitter, Facebook, G+ and on the mailing lists.
Are we aware of any phones or SIP servers that only support SSLv3 and have no support for TLS?
/O
Asterisk just published a security warning.
source: http://downloads.asterisk.org/pub/security/AST-2014-011.html
You have to force Asterisk to use TLSv1; the default settings allow an SSLv3/SSLv2 fallback.
Yes, I am aware of that (and took part in the process). It's the same as what Kamailio does if you check the default configuration.
As a second step we will have to modify our defaults in the code (like Asterisk).
/O
As we had a note about SSLv2 not being recommended when security is wanted, I put the same note for SSLv3. It could be useful for newcomers in the field.
Cheers, Daniel
Hi all,
Can anyone name any phones or browsers (WSS) that only support SSLv3 and have no support for TLS?
Regards
Varghese Paul