[SR-Users] Susceptibility to POODLE Vulnerability?
Daniel-Constantin Mierla
miconda at gmail.com
Tue Oct 21 16:34:43 CEST 2014
As we had a note about sslv2 not being recommended when security is
wanted, I put the same note for sslv3. It could be useful for new comers
in the field.
Cheers,
Daniel
On 21/10/14 08:34, Olle E Johansson wrote:
>
>
> Rainer Piper skrev 2014-10-21 08:30:
>> Am 21.10.2014 um 08:20 schrieb Olle E Johansson:
>>>
>>>>>
>>>>> !!! *a warning **that the use of SSLv3 **susceptibility to POODLE
>>>>> Vulnerability* !!!
>>>>>
>>> Well, since Poodle requires a web browser and java script we're not in
>>> danger from a Poodle attack. Even so, we are not enabling SSL by
>>> default, only enabling TLS. All versions of SSL are too old to be
>>> secure. We can not add a warning text for every possible attack,
>>> but have published information on twitter, facebook, G+ and
>>> on the mailing lists.
>>>
>>> Are we aware of any phones or SIP servers that only supports SSLv3
>>> and have no support of TLS?
>>>
>>> /O
>>>
>
>>
>> source: http://downloads.asterisk.org/pub/security/AST-2014-011.html
>>
>> you have to force asterisk to do TLSv1
>> the defaults settings allowing a SSLv3/SSLv2 fallback.
>
> Yes, I am aware of that (and took part in the process). It's the same
> as what Kamailio does if you check the default configuration.
>
> As a second step we will have to modify our defaults in the code (like
> Asterisk).
>
> /O
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
More information about the sr-users
mailing list