[Freeswitch-users] Updating TLS
Patrick Lists
freeswitch-list at puzzled.xs4all.nl
Fri Sep 13 16:17:55 MSD 2013
On 09/13/2013 01:29 PM, Mehroz Ashraf wrote:
> Agreed ! TLS/SSL seems to be not so important unless FS is capable of providing security implementation in some form atleast. This is great, when you JUST have to secure your communication.
>
> but, NOT , when security is the only concern. I have been trying to mature the TLS handshake on SUITE-B standard, but yet unsuccessful acquiring so.
>
> I believe that FS use openSSL for dealing with encryption methods and therefore, I have taken it to the version 1.0.1e, which supports TLS1.1 , 1.2 . But , FS doesnt verfiy those Cipher [TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256].
>
>
> I have already a jira ticket opened here:
>
> http://jira.freeswitch.org/browse/FS-5719
I'm no crypto expert but given that the NSA seems to have cooked the EC
constants and that Bruce Schneier has publicly stated that he no longer
trusts EC, using EC for supposedly increased security may not be the
smartest thing to do. Also keep in mind that at least RHEL5/CentOS5 &
RHEL6/CentOS6 have EC disabled in openssl. I'm not sure about Debian
(comments welcome).
The only thing that seems to keep security afloat is using lots of bits
when generating keys and common sense like don't use RC4, export
ciphers, etc.
Regards,
Patrick
Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users
mailing list