On Tue, Jun 10, 2014 at 4:44 PM, Michelle Dupuis <mdup...@ocg.ca> wrote:
> After reading about the 2 major SSL (and TLS?) weaknesses discovered > this year, I was wondering how it affects asterisk. > Asterisk uses OpenSSL for TLS. So, the answer is, it depends on the version of OpenSSL that was installed for your Asterisk server. See http://blogs.digium.com/2014/04/11/asterisk-heartbleed/ for more information. > Does the SIP authentication use TLS - or something that was recently > broken? Is there a risk of exposing passwords? > SIP signalling - in both chan_sip and chan_pjsip - can use TLS as a transport. If your OpenSSL version is one of those affected by the various vulnerabilities, then yes, you are at risk. This also applies to all other modules in Asterisk that use TLS, including AMI, the HTTP server, and others. Matt -- Matthew Jordan Digium, Inc. | Engineering Manager 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA Check us out at: http://digium.com & http://asterisk.org
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users