[sr-dev] git:master:4e9f49a5: tls: docs - relocated the note about krand and fastrand from default value paragraph

Henning Westerholt hw at skalatan.de
Mon Oct 7 16:51:45 CEST 2019 

Hi Daniel,

Yes - I did it together in one commit as the two were tightly coupled. But this indeed made the backport difficult, was not intended - sorry.

Ok, I will probably add a bit of clarification to the README - understood your goal here.

Cheers,

Henning

-----Original Message-----
From: Daniel-Constantin Mierla <miconda at gmail.com> 
Sent: Monday, October 7, 2019 4:01 PM
To: Henning Westerholt <hw at skalatan.de>; Kamailio (SER) - Development Mailing List <sr-dev at lists.kamailio.org>
Subject: Re: [sr-dev] git:master:4e9f49a5: tls: docs - relocated the note about krand and fastrand from default value paragraph

Hello,

I wanted to take the version of docs from master in order to be able to cherry-pick in the future.

That's the reason most of the commits for documentation are done separate of the one for code, to be easy to cherry-pick one or the other based on the needs and reduce the risk of conflicts. But in this case, you did the documentation and code in a single commit.

As I wanted to copy&paste, first I notice it was in the default value paragraph, which is typically standalone and short, referring only to default value.

Then I rephrased because the "production" term is mainly used for "stability" (as in production-ready code) and I wanted to be clear that is not about code stability, but strong security (encryption). At the end UDP is still the most used transport protocol for SIP even these days, with 0 encryption (and security level from that point of view). So it is fine to use it in production if one doesn't want strong security.
Feel free to add more details there to make it clear from your point of view, but it is not something that cannot be used in production.

Cheers,
Daniel

On 07.10.19 15:31, Henning Westerholt wrote:
> Hi Daniel,
>
> thank you for integrating the changes in the stable branches, I could 
> have done it later as well.
>
> One remark about the README change - in my opinion the krand and 
> fastrand should not used in production. They will generate to weak 
> random numbers. Refer for example to this wikipedia summary:
>
> https://en.wikipedia.org/wiki/Random_number_generator_attack#Prominent
> _examples
>
> Many systems were broken by using insufficient random number generators.
>
> So I think the documentation should indicate this as well.
>
> Cheers,
>
> Henning
>
> Am 07.10.19 um 15:11 schrieb Daniel-Constantin Mierla:
>> Module: kamailio
>> Branch: master
>> Commit: 4e9f49a5e8ebd90d6b6913310402acea7f5a3ca9
>> URL: 
>> https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310
>> 402acea7f5a3ca9
>>
>> Author: Daniel-Constantin Mierla <miconda at gmail.com>
>> Committer: Daniel-Constantin Mierla <miconda at gmail.com>
>> Date: 2019-10-07T15:07:41+02:00
>>
>> tls: docs - relocated the note about krand and fastrand from default 
>> value paragraph
>>
>> - rephrased a bit to avoid eventual confusion they are not production 
>> ready
>>
>> ---
>>
>> Modified: src/modules/tls/doc/params.xml
>>
>> ---
>>
>> Diff:  
>> https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310
>> 402acea7f5a3ca9.diff
>> Patch: 
>> https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310
>> 402acea7f5a3ca9.patch
>>
>> ---
>>
>> diff --git a/src/modules/tls/doc/params.xml 
>> b/src/modules/tls/doc/params.xml index 72d3278ed7..dc6494c2db 100644
>> --- a/src/modules/tls/doc/params.xml
>> +++ b/src/modules/tls/doc/params.xml
>> @@ -1259,13 +1259,16 @@ end
>>   	<itemizedlist>
>>   		<listitem><para>krand - use internal kam_rand() function</para></listitem>
>>   		<listitem><para>fastrand - use internal fastrand function</para></listitem>
>> -		<listitem><para>cryptorand - use internal cryptorand function</para></listitem>
>> +		<listitem><para>cryptorand - use internal cryptorand (fortuna) 
>> +function</para></listitem>
>>   	</itemizedlist>
>> +	<para>
>> +		Note: the krand and fastrand engines are not recommended for use on
>> +		systems requiring strong security, as they may not generate numbers
>> +		with enough randomness.
>> +	</para>
>>   	<para>
>>   		The default value is empty (not set) for libssl v1.0.x or older, and
>> -		"cryptorand" for libssl v1.1.x or newer. The krand and fastrand engines are
>> -		not recommended for production use, as they will not generate secure enough
>> -		random numbers.
>> +		"cryptorand" for libssl v1.1.x or newer.
>>   	</para>
>>   	<example>
>>   	    <title>Set <varname>rand_engine</varname> parameter</title>
>>
>>
>> _______________________________________________
>> Kamailio (SER) - Development Mailing List sr-dev at lists.kamailio.org 
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev

--
Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- www.linkedin.com/in/miconda Kamailio Advanced Training, Oct 21-23, 2019, Berlin, Germany -- https://asipto.com/u/kat

More information about the sr-dev mailing list