[Freeswitch-users] TLS re-negotiation attack on SIP/TLS of FreeSWITCH?

Brian West brian at freeswitch.org
Wed Sep 22 07:33:39 PDT 2010


I'm not 100% sure how it's handled because it's done down in the Sofia library. I'm not too sure we are very vulnerable to this... I can't think of one thing in a SIP call via TLS this could actually cause a problem with. It's not the same ball game when it's your browser vs a SIP phone where most don't even check the cert is valid in the first place.

/b

On Sep 22, 2010, at 9:23 AM, Fabio Pietrosanti (naif) wrote:

> Hi all,
> 
> I read about the TLS-RENEGOTIATION vulnerability:
> 
> http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
> http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html
> www.phonefactor.com/sslgapdocs/Renegotiating_TLS.pdf
> 
> Does the FreeSWITCH SIP/TLS implementation suffer from the TLS
> renegotiation vulnerability, or is TLS renegotiation disabled by
> default in how OpenSSL is used?
> 
> Fabio Pietrosanti



