[sr-dev] some observations on kamailio

Olle E. Johansson oej at edvina.net
Sun Jan 29 13:08:38 CET 2012 

29 jan 2012 kl. 11:34 skrev Daniel Pocock:

> 
> 
> - suid code: I notice that the daemon drops perms before loading the TLS
> private key file.  It would be better to load the file first, so that
> only root needs read access to the private key - does the current TLS
> module architecture support that?
Seems to be a good fix.
> 
> - comments on 1024 bit RSA: the docs recommend not to use key sizes > 1024.
> http://kamailio.org/docs/modules/devel/modules/tls.html#certificate
> However, this seems to be the opposite of what virtually all security
> experts are now saying: most people believe 2048 is bare minimum and
> 4096 is the better choice for new deployments where no legacy clients
> might exist
Agree.
> 
> - also related the above issue, the doc says `bytes', I think it means
> to say 1024 bits
Agree.

> 
> - is there a compelling reason to use hard-coded IP addresses for SIP
> config files?  For all my apps that have special IP requirements, I
> always create dedicated DNS names for each of my virtual/interface IPs.
> Then I like to put that dedicated DNS name (rather than just the
> hostname) in the config file.  The listen= directive in kamailio.cfg
> doesn't appear to support this though.
Listen indicates exactly interfaces and IPs to listen to. Alias adds the list of
DNS names the server is authoritative for.
I think the current setup is fine.

> 
> - DB setup - I notice that the kamdbctl script expects to make databases
> and make tables in one step.  It is not unusual for a security-conscious
> admin to deny DBA access from app servers (e.g. the server where
> kamailio is installed).  Maybe kamdbctl needs an option to skip DB
> creation, and just do table creation?  I found I could achieve this just
> by editing:
> 
> /usr/lib/kamailio/kamctl/kamdbctl.mysql
> 
> and commenting the `exit 1' line in this code:
> if [ $? -ne 0 ] ; then
>        merr "Creating core database and grant privileges failed!"
>        #exit 1
> fi
Agree with this change.

> 
> - an alternative solution might be to modify kamdbctl so that it just
> connects in read-only mode to make any checks, writes all the DDL
> statements to a file that the SIP admin can give to their DBA (or even
> if it is the same person, they may have a standalone MySQL box, and they
> don't want to install all of kamdbctl on that box)
> 

I would suggest you open a few bug reports on these issues so the developers
can look at it. If you already have code, you can submit it there as well.

Thanks!
/O

More information about the sr-dev mailing list