Hello,
I wanted to take the version of docs from master in order to be able to
cherry-pick in the future.
That's the reason most of the commits for documentation are done
separately from the one for code, to be easy to cherry-pick one or the other
based on the needs and reduce the risk of conflicts. But in this case,
you did the documentation and code in a single commit.
As I wanted to copy&paste, first I noticed it was in the default value
paragraph, which is typically standalone and short, referring only to
default value.
Then I rephrased because the "production" term is mainly used for
"stability" (as in production-ready code) and I wanted to be clear that
it is not about code stability, but strong security (encryption). In the
end, UDP is still the most used transport protocol for SIP even these
days, with 0 encryption (and security level from that point of view). So
it is fine to use it in production if one doesn't want strong security.
Feel free to add more details there to make it clear from your point of
view, but it is not something that cannot be used in production.
Cheers,
Daniel
On 07.10.19 15:31, Henning Westerholt wrote:
Hi Daniel,
thank you for integrating the changes in the stable branches, I could
have done it later as well.
One remark about the README change - in my opinion the krand and
fastrand should not be used in production. They will generate too weak
random numbers. Refer for example to this Wikipedia summary:
https://en.wikipedia.org/wiki/Random_number_generator_attack#Prominent_exam…
Many systems were broken by using insufficient random number generators.
So I think the documentation should indicate this as well.
Cheers,
Henning
On 07.10.19 at 15:11, Daniel-Constantin Mierla wrote:
> Module: kamailio
> Branch: master
> Commit: 4e9f49a5e8ebd90d6b6913310402acea7f5a3ca9
> URL:
https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402ace…
>
> Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
> Date: 2019-10-07T15:07:41+02:00
>
> tls: docs - relocated the note about krand and fastrand from default value paragraph
>
> - rephrased a bit to avoid eventual confusion they are not production ready
>
> ---
>
> Modified: src/modules/tls/doc/params.xml
>
> ---
>
> Diff:
https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402ace…
> Patch:
https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402ace…
>
> ---
>
> diff --git a/src/modules/tls/doc/params.xml b/src/modules/tls/doc/params.xml
> index 72d3278ed7..dc6494c2db 100644
> --- a/src/modules/tls/doc/params.xml
> +++ b/src/modules/tls/doc/params.xml
> @@ -1259,13 +1259,16 @@ end
> <itemizedlist>
> <listitem><para>krand - use internal kam_rand()
function</para></listitem>
> <listitem><para>fastrand - use internal fastrand
function</para></listitem>
> - <listitem><para>cryptorand - use internal cryptorand
function</para></listitem>
> + <listitem><para>cryptorand - use internal cryptorand (fortuna)
function</para></listitem>
> </itemizedlist>
> + <para>
> + Note: the krand and fastrand engines are not recommended for use on
> + systems requiring strong security, as they may not generate numbers
> + with enough randomness.
> + </para>
> <para>
> The default value is empty (not set) for libssl v1.0.x or older, and
> - "cryptorand" for libssl v1.1.x or newer. The krand and fastrand engines
are
> - not recommended for production use, as they will not generate secure enough
> - random numbers.
> + "cryptorand" for libssl v1.1.x or newer.
> </para>
> <example>
> <title>Set <varname>rand_engine</varname>
parameter</title>
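Review bot: the added Note paragraph tells readers which engines to avoid but not which one to pick, and its "may not generate numbers with enough randomness" is softer than the removed "will not generate secure enough random numbers" without saying why the claim changed. Suggest closing the note by pointing to cryptorand, which the list just above describes as the fortuna-based engine, as the choice for systems that need strong security. The default value paragraph also still says the value is empty (not set) for libssl v1.0.x or older without stating which generator is then in effect; a short clause there would let a reader on that version judge whether the note applies to them.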
>
>