[SR-Users] Susceptibility to POODLE Vulnerability?

Olle E Johansson oej at edvina.net
Tue Oct 21 08:34:29 CEST 2014



Rainer Piper wrote 2014-10-21 08:30:
> On 21.10.2014 at 08:20, Olle E Johansson wrote:
>>
>>>>
>>>> !!! *a warning that the use of SSLv3 susceptibility to POODLE
>>>> Vulnerability* !!!
>>>>
>> Well, since Poodle requires a web browser and JavaScript, we're not in
>> danger from a Poodle attack. Even so, we are not enabling SSL by
>> default, only enabling TLS. All versions of SSL are too old to be
>> secure. We cannot add a warning text for every possible attack,
>> but have published information on Twitter, Facebook, G+ and
>> on the mailing lists.
>>
>> Are we aware of any phones or SIP servers that only support SSLv3
>> and have no support for TLS?
>>
>> /O
>>

>
> source: http://downloads.asterisk.org/pub/security/AST-2014-011.html
>
> You have to force Asterisk to do TLSv1;
> the default settings allow an SSLv3/SSLv2 fallback.

Yes, I am aware of that (and took part in the process). It's the same as 
what Kamailio does if you check the default configuration.

As a second step we will have to modify our defaults in the code (like 
Asterisk).

/O


