[sr-dev] DMQ security

Charles Chance charles.chance at sipcentric.com
Thu Oct 31 15:03:36 CET 2013


On 31 October 2013 13:12, Peter Dunkley <peter.dunkley at crocodilertc.net> wrote:

> In my opinion being able to choose to use DMQ over TCP, TLS, or UDP
> through setting the ";transport=" URI parameter in the modparams, and being
> able to validate the TLS certificate in the configuration file (in the same
> way as you do for all other traffic) is a good solution.  Flexibility is
> good and TLS isn't always necessary and doesn't have to be used.  It should
> be easy to use TLS when you want and easy to not use it when you want, and
> no-one (however well intentioned) should ever be able to force me to build
> my network by their rules.  Also, this will mean that any future TLS
> enhancements (for example, validation of certificate on outgoing messages
> and DANE) will automatically be picked up too.
>
>
This has been added already (locally, not yet pushed).



> DMQ is a very advanced module and I don't think there should be too much
> concern over students who can't edit config files.  If they can't work that
> out they are never going to be able to use Kamailio properly anyway.  The
> fact that Kamailio is "hard" is a necessary function of its flexibility -
> it is because Kamailio doesn't do anything clever by default that makes it
> so powerful (because you can have full control over all the behaviour).
>
> And none of this stops a teacher providing their students with good
> example configuration files for things like DMQ that do all of these things
> properly.  Or even providing configuration file libraries (using
> "import_file" and check_route_exists()/route_if_exists()) that do all of
> the right stuff for them.
>
>
I guess there will always be two very distinct camps, and long may the
discussion continue, but ultimately it is beyond the scope of DMQ alone. So
here lies the remaining question - regarding DMQ module specifically, for
now - is it acceptable to leave it up to the user now that they have a
choice of transport and therefore the ability to validate TLS certificates
if required?

Regards,

Charles

-- 
www.sipcentric.com

Follow us on twitter @sipcentric <http://twitter.com/sipcentric>

Sipcentric Ltd. Company registered in England & Wales no. 7365592. Registered 
office: Unit 10 iBIC, Birmingham Science Park, Holt Court South, Birmingham 
B7 4EJ.
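
An added example, not part of the original message or of Kamailio itself: a small Python check that reads a kamailio.cfg and reports DMQ addresses whose `;transport=` is not TLS and, when DMQ does use TLS, whether certificate validation is switched on. It assumes the dmq parameters `server_address` and `notification_address`, the tls parameters `verify_certificate` and `require_certificate` set through modparam (not a separate tls.cfg), and that a URI without `;transport=` means UDP; the sample configurations are constructed.

```python
import re

# Matches modparam("module", "name", value); value is a quoted string or an integer.
MODPARAM = re.compile(
    r'^\s*modparam\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*(?:"([^"]*)"|(\d+))\s*\)')
DMQ_ADDRS = ("server_address", "notification_address")   # assumed dmq parameters
TLS_CHECKS = ("verify_certificate", "require_certificate")  # assumed tls parameters

def uri_transport(uri):
    """Return the ;transport= value of a SIP URI (assumption: udp when absent)."""
    for param in uri.split(";")[1:]:
        name, _, value = param.partition("=")
        if name.strip().lower() == "transport":
            return value.strip().lower()
    return "udp"

def audit_dmq(cfg_text):
    """Return a list of findings about DMQ transport and TLS validation."""
    dmq, tls = {}, {}
    for line in cfg_text.splitlines():
        m = MODPARAM.match(line)  # commented-out lines do not match
        if not m:
            continue
        module, name, sval, ival = m.groups()
        if module == "dmq" and name in DMQ_ADDRS:
            dmq[name] = uri_transport(sval or "")
        elif module == "tls" and name in TLS_CHECKS:
            tls[name] = int(ival) if ival is not None else 0
    findings = []
    for name, transport in sorted(dmq.items()):
        if transport != "tls":
            findings.append(f"dmq {name} uses {transport}: no peer certificate check")
    # Only meaningful once every DMQ address is on TLS; unset is treated as off.
    if dmq and all(t == "tls" for t in dmq.values()):
        for name in TLS_CHECKS:
            if tls.get(name, 0) != 1:
                findings.append(f"tls {name} is not 1: peer certificate not enforced")
    return findings

# Constructed sample configurations (addresses are documentation placeholders).
WEAK = '''
modparam("dmq", "server_address", "sip:192.0.2.10:5060")
modparam("dmq", "notification_address", "sip:192.0.2.11:5061;transport=tls")
'''
STRICT = '''
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
modparam("dmq", "server_address", "sip:192.0.2.10:5061;transport=tls")
modparam("dmq", "notification_address", "sip:192.0.2.11:5061;transport=tls")
'''
```

An empty list from `audit_dmq(STRICT)` means every DMQ address is on TLS with certificate validation enabled; `audit_dmq(WEAK)` flags the address that falls back to UDP.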