[sr-dev] git:master:4e9f49a5: tls: docs - relocated the note about krand and fastrand from default value paragraph

Daniel-Constantin Mierla miconda at gmail.com
Mon Oct 7 16:00:48 CEST 2019


Hello,

I wanted to take the version of docs from master in order to be able to
cherry-pick in the future.

That's the reason most of the commits for documentation are done
separately from the one for code, to be easy to cherry-pick one or the other
based on the needs and reduce the risk of conflicts. But in this case,
you did the documentation and code in a single commit.

As I wanted to copy&paste, first I noticed it was in the default value
paragraph, which is typically standalone and short, referring only to the
default value.

Then I rephrased because the "production" term is mainly used for
"stability" (as in production-ready code) and I wanted to be clear that
it is not about code stability, but strong security (encryption). In the
end UDP is still the most used transport protocol for SIP even these
days, with 0 encryption (and security level from that point of view). So
it is fine to use it in production if one doesn't want strong security.
Feel free to add more details there to make it clear from your point of
view, but it is not something that cannot be used in production.

Cheers,
Daniel

On 07.10.19 15:31, Henning Westerholt wrote:
> Hi Daniel,
>
> thank you for integrating the changes in the stable branches, I could 
> have done it later as well.
>
> One remark about the README change - in my opinion the krand and 
> fastrand should not be used in production. They will generate too weak 
> random numbers. Refer for example to this wikipedia summary:
>
> https://en.wikipedia.org/wiki/Random_number_generator_attack#Prominent_examples
>
> Many systems were broken by using insufficient random number generators.
>
> So I think the documentation should indicate this as well.
>
> Cheers,
>
> Henning
>
> On 07.10.19 at 15:11, Daniel-Constantin Mierla wrote:
>> Module: kamailio
>> Branch: master
>> Commit: 4e9f49a5e8ebd90d6b6913310402acea7f5a3ca9
>> URL: https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402acea7f5a3ca9
>>
>> Author: Daniel-Constantin Mierla <miconda at gmail.com>
>> Committer: Daniel-Constantin Mierla <miconda at gmail.com>
>> Date: 2019-10-07T15:07:41+02:00
>>
>> tls: docs - relocated the note about krand and fastrand from default value paragraph
>>
>> - rephrased a bit to avoid eventual confusion that they are not production ready
>>
>> ---
>>
>> Modified: src/modules/tls/doc/params.xml
>>
>> ---
>>
>> Diff:  https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402acea7f5a3ca9.diff
>> Patch: https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402acea7f5a3ca9.patch
>>
>> ---
>>
>> diff --git a/src/modules/tls/doc/params.xml b/src/modules/tls/doc/params.xml
>> index 72d3278ed7..dc6494c2db 100644
>> --- a/src/modules/tls/doc/params.xml
>> +++ b/src/modules/tls/doc/params.xml
>> @@ -1259,13 +1259,16 @@ end
>>   	<itemizedlist>
>>   		<listitem><para>krand - use internal kam_rand() function</para></listitem>
>>   		<listitem><para>fastrand - use internal fastrand function</para></listitem>
>> -		<listitem><para>cryptorand - use internal cryptorand function</para></listitem>
>> +		<listitem><para>cryptorand - use internal cryptorand (fortuna) function</para></listitem>
>>   	</itemizedlist>
>> +	<para>
>> +		Note: the krand and fastrand engines are not recommended for use on
>> +		systems requiring strong security, as they may not generate numbers
>> +		with enough randomness.
>> +	</para>
>>   	<para>
>>   		The default value is empty (not set) for libssl v1.0.x or older, and
>> -		"cryptorand" for libssl v1.1.x or newer. The krand and fastrand engines are
>> -		not recommended for production use, as they will not generate secure enough
>> -		random numbers.
>> +		"cryptorand" for libssl v1.1.x or newer.
>>   	</para>
>>   	<example>
>>   	    <title>Set <varname>rand_engine</varname> parameter</title>
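Review bot: the new note ("may not generate numbers with enough randomness") is vaguer than the text it replaces ("will not generate secure enough random numbers"), and the hunk gives the reader no way to tell which engines are safe. Suggest stating plainly that krand and fastrand are not cryptographically secure generators and should not be selected when the TLS setup is relied on for confidentiality, and adding a few words after "cryptorand (fortuna)" saying it is the cryptographically secure engine, so the list items and the note agree on which engine to pick.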
>>
>>
>> _______________________________________________
>> Kamailio (SER) - Development Mailing List
>> sr-dev at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training, Oct 21-23, 2019, Berlin, Germany -- https://asipto.com/u/kat