Hello,
(cross-posting as it impacts users as well)
Currently we generate and install the TLS self-signed certificates when tls module is installed, including them in the debian packages (and I guess in rpms).
Debian has a policy of reproducible builds, meaning that from same source tree snapshot the same binary packages should result.
Even more important considering the impact on security, it would be better that the certificates are generated locally on the installation server, to be distinct. Right now, people relying on default installation config/certificates (and I guess there are many, at least in testing phase), are exposed to eavesdropping, because the private key is available in public packages.
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
The drawback is that before enabling tls and starting kamailio, one has to run the above command. We can document that in tls module readme and in kamailio.cfg in the comments related to WITH_TLS define.
Anyone with comments, pros/cons?
Other suggestions on how to address the reproducible builds as well as solve the security issue for the default installation?
Cheers, Daniel
Daniel-Constantin Mierla writes:
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
The drawback is that before enabling tls and starting kamailio, one has to run the above command. We can document that in tls module readme and in kamailio.cfg in the comments related to WITH_TLS define.
Anyone with comments, pros/cons?
I support certificate generation by kamctl.
-- Juha
On 07/20/2015 08:58 PM, Daniel-Constantin Mierla wrote:
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
Anyone with comments, pros/cons?
+1 kamctl tls approach
Agree
2015-07-20 22:18 GMT+03:00 Victor Seva linuxmaniac@torreviejawireless.org:
On 07/20/2015 08:58 PM, Daniel-Constantin Mierla wrote:
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
Anyone with comments, pros/cons?
+1 kamctl tls approach
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
+1 also here :)
2015-07-21 12:25 GMT+02:00 Alekzander Spiridonov sipidronov@gmail.com:
Agree
2015-07-20 22:18 GMT+03:00 Victor Seva <linuxmaniac@torreviejawireless.org
:
On 07/20/2015 08:58 PM, Daniel-Constantin Mierla wrote:
My proposal is to move generation of self signed certificates to kamctl. There can be a kamctl.tls file to be deployed by the tls package (same is done by kamctl.mysql, being part of mysql package), which should add a new group of commands, among them something like:
kamctl tls generate-certificate
Anyone with comments, pros/cons?
+1 kamctl tls approach
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
-- Best regards, Alekzander Spiridonov
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-
Alberto Sagredo -
Alekzander Spiridonov -
Daniel-Constantin Mierla -
Juha Heinanen -
Victor Seva