[Freeswitch-users] Updating TLS

Privus 007 privus007 at gmail.com
Fri Sep 13 20:54:56 MSD 2013


I'm also no crypto expert, but I think the FS community needs to be more
concerned with security these days, given what we now know.
I agree that using EC may not be the smartest thing to do, and I have also
been following the ongoing discussion.

The problem is that we really don't know exactly which forms of EC present
in latest openssl have been cooked, if any at all besides the one we
already know about.
Right now there's just too much speculation and little fact. I've taken
notice of Schneier's concerns, but he offers little more than a gut feeling
at the moment to distrust EC in general. I can obviously understand
distrusting some specific EC implementations where we now know some
agency-which-we'll-not-name-here has cooked the constants
(Dual_EC_DRBG<http://www.scmagazine.com.au/News/356751,leaked-nsa-docs-suggest-dualecdrbg-backdoor.aspx>),
but that's a far cry from disabling all EC completely.

Regardless of what we eventually discover, it seems to me that updating TLS
to 1.2 in FS is smart security. At least then we have the option of
disabling certain ciphers and EC implementations, but we're in control.
Right now I don't know how to disable certain ciphers in FS and force the
use of others to enforce PFS for example. Perhaps I'm just ignorant, but I
can't find that documented anywhere
As it stands right now, FS is limited to TLS 1.0 and AES 128 bit (correct
me if I'm wrong), which is known to be vulnerable to a few attacks, even if
BEAST and the like are highly unlikely attack vectors in a FS session.

I do hope that FS developers take notice. It's great to have WebRTC and all
the other cool and new protocols being rolled into FS, but for many people
security is becoming of paramount importance. As a long time user and fan
of FS, I do hope that security becomes just as much a priority.


On Fri, Sep 13, 2013 at 1:17 PM, Patrick Lists <
freeswitch-list at puzzled.xs4all.nl> wrote:

> On 09/13/2013 01:29 PM, Mehroz Ashraf wrote:
> > Agreed ! TLS/SSL seems to be not so important unless FS is capable of
> providing security implementation in some form atleast. This is great, when
> you JUST have to secure your communication.
> >
> > but, NOT , when security is the only concern. I have been trying to
> mature the TLS handshake on SUITE-B standard, but yet unsuccessful
> acquiring so.
> >
> > I believe that FS use openSSL for dealing with encryption methods and
> therefore, I have taken it to the version 1.0.1e, which supports TLS1.1 ,
> 1.2 . But , FS doesnt verfiy those Cipher
> [TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256].
> >
> >
> > I have already a jira ticket opened here:
> >
> > http://jira.freeswitch.org/browse/FS-5719
>
> I'm no crypto expert but given that the NSA seems to have cooked the EC
> constants and that Bruce Schneier has publicly stated that he no longer
> trusts EC, using EC for supposedly increased security may not be the
> smartest thing to do. Also keep in mind that at least RHEL5/CentOS5 &
> RHEL6/CentOS6 have EC disabled in openssl. I'm not sure about Debian
> (comments welcome).
>
> The only thing that seems to keep security afloat is using lots of bits
> when generating keys and common sense like don't use RC4, export
> ciphers, etc.
>
> Regards,
> Patrick
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130913/f8824816/attachment.html 


Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users mailing list