[Freeswitch-users] TLS re-negotiation attack on SIP/TLS of FreeSWITCH?
Brian West
brian at freeswitch.org
Wed Sep 22 08:03:32 PDT 2010
We do set TPTAG_TLS_VERIFY_POLICY(0) on our TLS sofia profiles.
/b
On Sep 22, 2010, at 9:45 AM, Fabio Pietrosanti (naif) wrote:
> There is a nice thread related to Apache and OpenSSL, with plenty of nice tech
> information on how it's fixed in Apache starting from a certain OpenSSL
> version:
> http://www.mail-archive.com/dev@httpd.apache.org/msg46216.html
>
> Additionally there was a very quick OpenSSL fix when in 2009 the
> vulnerability was discovered:
> http://www.links.org/files/no-renegotiation-2.patch
>
> They could be a good hint to have a look and be sure that TLS just does
> not do TLS re-negotiation (the fix is to just disable TLS re-negotiation).
>
> Ah! Regarding the certificate check:
> - With SNOM Firmware 8 and with PrivateGSM Enterprise (I will release
> early October for Nokia/iPhone/Blackberry on http://www.privatewave.com)
> there's a forced server-side certificate check to enforce the SIP/TLS
> security checking.
>
> However, the TLS re-negotiation issue is a different story.
>
> Fabio
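
A defender-side check for the re-negotiation discussed in this thread, as an added example that is not part of the original messages or of FreeSWITCH: it walks the TLS record headers from one direction of a captured connection (TLS 1.2 or earlier, where the record content type is sent in cleartext) and reports the first record that indicates a second handshake. The function names and the sample byte strings are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, APPLICATION_DATA = 22, 20, 23

def rec(ctype, payload, version=0x0301):
    """Build one TLS record: 1-byte type, 2-byte version, 2-byte length, payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def iter_records(stream):
    """Yield (content_type, version, length) for each complete record in stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        if off + 5 + length > len(stream):
            break  # truncated capture: stop instead of guessing
        yield ctype, version, length
        off += 5 + length

def find_renegotiation(stream):
    """Return the index of the first record that shows a renegotiation, or None.

    Two signals, both visible without decrypting anything:
      - a handshake record after application data has started flowing
      - a second ChangeCipherSpec in the same direction
    """
    seen_app_data = False
    ccs_count = 0
    for i, (ctype, _version, _length) in enumerate(iter_records(stream)):
        if ctype == APPLICATION_DATA:
            seen_app_data = True
        elif ctype == HANDSHAKE and seen_app_data:
            return i
        elif ctype == CHANGE_CIPHER_SPEC:
            ccs_count += 1
            if ccs_count > 1:
                return i
    return None

# Constructed sample: client-to-server records of one connection, opaque payloads.
HANDSHAKE_ONLY = (rec(22, b"\x01" * 40) + rec(22, b"\x10" * 30)
                  + rec(20, b"\x01") + rec(22, b"F" * 36))
NORMAL = HANDSHAKE_ONLY + rec(23, b"A" * 64)
# Same connection followed by a new (encrypted) handshake: a renegotiation.
RENEG = NORMAL + rec(22, b"E" * 48) + rec(20, b"\x01") + rec(22, b"F" * 36)
# Renegotiation started before any application data was sent.
RENEG_EARLY = HANDSHAKE_ONLY + rec(22, b"E" * 48) + rec(20, b"\x01")

if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("reneg", RENEG), ("early", RENEG_EARLY)):
        print(name, find_renegotiation(s))
```

Run against a SIP/TLS endpoint's traffic, a non-None result means the endpoint still accepts a second handshake on an established connection.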