[Freeswitch-users] TLS re-negotiation attack on SIP/TLS of FreeSWITCH?
Fabio Pietrosanti (naif)
lists at infosecurity.ch
Wed Sep 22 07:45:18 PDT 2010
There is a nice thread related to Apache ad OpenSSL plenty of nice tech
information on how it's fixed in Apache starting from a certain OpenSSL
Additionally there was a very quick OpenSSL fix when in 2009 the
vulnerability was discovered:
They could be good hint to have a look and be sure that TLS just does
not do TLS re-negotiation (the fix it's to just disable TLS re-negotiation).
Ah! Regarding the certificate check:
- With SNOM Firmware 8 and with PrivateGSM Enterprise (i will release
early october for Nokia/iPhone/Blackberry on http://www.privatewave.com)
there's a forced server-side certificate check to enforce the SIP/TLS
However the TLS re-negotiation issue it's a different story.
On 22/09/10 16.33, Brian West wrote:
> I'm not 100% sure how its handled because its done down in the Sofia library. I'm not too sure we are very vulnerable to this... I can't think of one thing in a sip call via TLS this could actually cause a problem with. Its not the same ball game when its your browser vs a sip phone where most don't even check the cert is valid in the first place.
> On Sep 22, 2010, at 9:23 AM, Fabio Pietrosanti (naif) wrote:
>> Hi all,
>> i read about the TLS-RENEGOTIATION vulnerability:
>> Does the FreeSWITCH SIP/TLS implementation suffer from the TLS
>> Renegotiation vulnerability or the TLS-renegotiation it's disabled by
>> default, in how OpenSSL is used?
>> Fabio Pietrosanti
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
More information about the FreeSWITCH-users