[Freeswitch-users] TLS re-negotiation attack on SIP/TLS of FreeSWITCH?

Fabio Pietrosanti (naif) lists at infosecurity.ch
Wed Sep 22 07:45:18 PDT 2010


There is a nice thread related to Apache and OpenSSL, with plenty of nice tech
information on how it's fixed in Apache starting from a certain OpenSSL
version:
http://www.mail-archive.com/dev@httpd.apache.org/msg46216.html

Additionally there was a very quick OpenSSL fix when in 2009 the
vulnerability was discovered:
http://www.links.org/files/no-renegotiation-2.patch

They could be a good hint to have a look and be sure that TLS just does
not do TLS re-negotiation (the fix is to just disable TLS re-negotiation).

Ah! Regarding the certificate check:
- With SNOM Firmware 8 and with PrivateGSM Enterprise (I will release
in early October for Nokia/iPhone/Blackberry on http://www.privatewave.com)
there's a forced server-side certificate check to enforce the SIP/TLS
security checking.

However, the TLS re-negotiation issue is a different story.

Fabio

On 22/09/10 16.33, Brian West wrote:
> I'm not 100% sure how it's handled because it's done down in the Sofia library.  I'm not too sure we are very vulnerable to this...  I can't think of one thing in a SIP call via TLS this could actually cause a problem with.  It's not the same ball game when it's your browser vs a SIP phone where most don't even check the cert is valid in the first place.
>
> /b
>
> On Sep 22, 2010, at 9:23 AM, Fabio Pietrosanti (naif) wrote:
>
>   
>> Hi all,
>>
>> I read about the TLS-RENEGOTIATION vulnerability:
>>
>> http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
>> http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html
>> www.phonefactor.com/sslgapdocs/Renegotiating_TLS.pdf
>>
>> Does the FreeSWITCH SIP/TLS implementation suffer from the TLS
>> Renegotiation vulnerability, or is TLS renegotiation disabled by
>> default in how OpenSSL is used?
>>
>> Fabio Pietrosanti
>>     
>
>   
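The two points raised in this thread (disabling TLS renegotiation on the server, and enforcing the server certificate check on the client) can be expressed as a small configuration audit. This is an added example, not code from the post, FreeSWITCH or Sofia; it uses Python's `ssl` wrapper around OpenSSL as a stand-in, and the function names are hypothetical.

```python
import ssl

def hardened_server_context():
    """Server context that refuses renegotiation (certificate loading omitted)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Maps to OpenSSL's SSL_OP_NO_RENEGOTIATION (Python 3.7+, OpenSSL 1.1.0h+).
    # TLS 1.3 has no renegotiation; the flag matters for TLS 1.2 and below.
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx

def weak_server_context():
    """Constructed 'before' case: renegotiation explicitly left enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options &= ~ssl.OP_NO_RENEGOTIATION
    return ctx

def hardened_client_context():
    """Client context that enforces the server certificate check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def weak_client_context():
    """Constructed 'before' case: a client that accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit(ctx, role):
    """Return a list of findings for a context used as 'server' or 'client'."""
    findings = []
    if role == "server" and not ctx.options & ssl.OP_NO_RENEGOTIATION:
        findings.append("renegotiation not disabled")
    if role == "client":
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("server certificate not verified")
        if not ctx.check_hostname:
            findings.append("server hostname not checked")
    return findings

if __name__ == "__main__":
    for name, ctx, role in [("weak server", weak_server_context(), "server"),
                            ("hardened server", hardened_server_context(), "server"),
                            ("weak client", weak_client_context(), "client"),
                            ("hardened client", hardened_client_context(), "client")]:
        print(name, "->", audit(ctx, role) or "ok")
```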



