Hello,
(cross-posting as it impacts users as well)
Currently we generate and install the TLS self-signed certificates when tls module is installed, including them in the debian packages (and I guess in rpms).
Debian has a policy of reproducible builds, meaning that from same source tree snapshot the same binary packages should result.
Even more important considering the impact on security, it would be better that the certificates are generated locally on the installation server, to be distinct. Right now, people relying on default installation config/certificates (and I guess there are many, at least in testing phase), are exposed to eavesdropping, because the private key is available in public packages.
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
The drawback is that before enabling tls and starting kamailio, one has to run the above command. We can document that in tls module readme and in kamailio.cfg in the comments related to WITH_TLS define.
Anyone with comments, pros/cons?
Other suggestions on how to address the reproducible builds as well as solve the security issue for the default installation?
Cheers, Daniel