Hi Daniel,
Yes - I did it together in one commit as the two were tightly coupled. But this indeed
made the backport difficult, which was not intended - sorry.
Ok, I will probably add a bit of clarification to the README - understood your goal
here.
Cheers,
Henning
-----Original Message-----
From: Daniel-Constantin Mierla <miconda(a)gmail.com>
Sent: Monday, October 7, 2019 4:01 PM
To: Henning Westerholt <hw(a)skalatan.de>; Kamailio (SER) - Development Mailing List
<sr-dev(a)lists.kamailio.org>
Subject: Re: [sr-dev] git:master:4e9f49a5: tls: docs - relocated the note about krand and fastrand from default value paragraph
Hello,
I wanted to take the version of docs from master in order to be able to cherry-pick in the
future.
That's the reason most of the commits for documentation are done separately from the ones
for code, to make it easy to cherry-pick one or the other based on the needs and reduce the
risk of conflicts. But in this case, you did the documentation and code in a single
commit.
As I wanted to copy&paste, first I noticed it was in the default value paragraph, which
is typically standalone and short, referring only to the default value.
Then I rephrased because the "production" term is mainly used for
"stability" (as in production-ready code) and I wanted to be clear that it is not
about code stability, but strong security (encryption). At the end UDP is still the most
used transport protocol for SIP even these days, with 0 encryption (and security level
from that point of view). So it is fine to use it in production if one doesn't want
strong security.
Feel free to add more details there to make it clear from your point of view, but it is
not something that cannot be used in production.
Cheers,
Daniel
On 07.10.19 15:31, Henning Westerholt wrote:
Hi Daniel,
thank you for integrating the changes in the stable branches, I could
have done it later as well.
One remark about the README change - in my opinion the krand and
fastrand should not be used in production. They will generate too weak
random numbers. Refer for example to this Wikipedia summary:
https://en.wikipedia.org/wiki/Random_number_generator_attack#Prominent_examples
Many systems were broken by using insufficient random number generators.
So I think the documentation should indicate this as well.
Cheers,
Henning
On 07.10.19 at 15:11, Daniel-Constantin Mierla wrote:
> Module: kamailio
> Branch: master
> Commit: 4e9f49a5e8ebd90d6b6913310402acea7f5a3ca9
> URL: https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402acea7f5a3ca9
>
> Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
> Date: 2019-10-07T15:07:41+02:00
>
> tls: docs - relocated the note about krand and fastrand from default
> value paragraph
>
> - rephrased a bit to avoid eventual confusion they are not production
> ready
>
> ---
>
> Modified: src/modules/tls/doc/params.xml
>
> ---
>
> Diff: https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402acea7f5a3ca9.diff
> Patch: https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402acea7f5a3ca9.patch
>
> ---
>
> diff --git a/src/modules/tls/doc/params.xml
> b/src/modules/tls/doc/params.xml index 72d3278ed7..dc6494c2db 100644
> --- a/src/modules/tls/doc/params.xml
> +++ b/src/modules/tls/doc/params.xml
> @@ -1259,13 +1259,16 @@ end
> <itemizedlist>
> <listitem><para>krand - use internal kam_rand()
function</para></listitem>
> <listitem><para>fastrand - use internal fastrand
function</para></listitem>
> - <listitem><para>cryptorand - use internal cryptorand
function</para></listitem>
> + <listitem><para>cryptorand - use internal cryptorand (fortuna)
> +function</para></listitem>
> </itemizedlist>
> + <para>
> + Note: the krand and fastrand engines are not recommended for use on
> + systems requiring strong security, as they may not generate numbers
> + with enough randomness.
> + </para>
> <para>
> The default value is empty (not set) for libssl v1.0.x or older, and
> - "cryptorand" for libssl v1.1.x or newer. The krand and fastrand engines
are
> - not recommended for production use, as they will not generate secure enough
> - random numbers.
> + "cryptorand" for libssl v1.1.x or newer.
> </para>
> <example>
> <title>Set <varname>rand_engine</varname>
parameter</title>
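Review bot: the new note ("may not generate numbers with enough randomness") is weaker than the sentence it removes from the default-value paragraph ("will not generate secure enough random numbers"); since rand_engine selects the randomness source the tls module relies on, the hedge understates the risk. Suggest stating it as a fact rather than a possibility, e.g. "Note: the krand and fastrand engines are not cryptographically secure and should not be used on systems requiring strong security; use cryptorand." The "cryptorand (fortuna)" wording in the list is a useful addition, and the wrapped "+function</para></listitem>" line keeps the listitem well-formed, so no issue there.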
>
>
> _______________________________________________
> Kamailio (SER) - Development Mailing List
> sr-dev(a)lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training, Oct 21-23, 2019, Berlin, Germany -- https://asipto.com/u/kat