
Summary: ASTERISK-24425: [patch] jabber/xmpp to use TLS instead of SSLv3, security fix POODLE (CVE-2014-3566)
Reporter: abelbeck (abelbeck)
Labels: Security
Date Opened: 2014-10-16 11:09:05
Date Closed: 2014-10-20 09:12:35
Priority: Major
Regression?:
Status: Closed/Complete
Components: Resources/res_jabber Resources/res_xmpp
Versions: SVN 1.8.31.0 11.13.0
Frequency of Occurrence: Constant
Related Issues:
Environment: AstLinux with Prosody 0.9.6
Attachments:
( 0) AST-2014-011-1.8.diff
( 1) AST-2014-011-11.diff
( 2) AST-2014-011-12.diff
( 3) asterisk-1.8-jabber-tls.patch
( 4) asterisk-11-jabber-xmpp-tls.patch
Description: Asterisk's Jabber and XMPP implementations strictly use SSLv3, which has the POODLE (CVE-2014-3566) security issue.

The attached patches force a TLS method instead of SSLv3.

Full disclosure, this is my first forte into OpenSSL specifics and my knowledge is all from online research.  There may be a better way.

This works in my limited testing.
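The mitigation the report describes, shown as an added example that is not code from the attached patches or from Asterisk: the fixed SSLv3 method is replaced by a version-flexible TLS method, and, because a flexible method alone can still negotiate down to SSLv3 (the fallback the later tcptls comment refers to), the protocol floor is pinned as well. It uses Python's stdlib ssl module (an OpenSSL wrapper) instead of OpenSSL's C API; the function names hardened_client_context, allows_sslv3 and context_allows_sslv3 are assumptions of this example.

```python
"""Added example: POODLE mitigation with the stdlib ssl module, plus a check
a defender can run against a context to confirm SSLv3 cannot be negotiated.
Not part of the Asterisk patches on this issue.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Version-flexible client context (the analogue of OpenSSL's TLS method
    instead of a fixed SSLv3 method) with the floor pinned at TLS 1.2, so an
    SSLv3-only peer or a downgrade attempt is refused rather than accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # PROTOCOL_TLS_CLIENT verifies certificates and hostnames by default;
    # those defaults are left untouched here.
    return ctx


def allows_sslv3(options: int, minimum_version: int) -> bool:
    """True when a context with these settings could still end up speaking
    SSLv3: the OP_NO_SSLv3 bit is absent and the floor is at or below SSLv3.
    Either a set bit or a higher floor is enough to rule SSLv3 out."""
    if options & ssl.OP_NO_SSLv3:
        return False
    return int(minimum_version) <= int(ssl.TLSVersion.SSLv3)


def context_allows_sslv3(ctx: ssl.SSLContext) -> bool:
    """Apply the check to a live context by reading its options and floor."""
    return allows_sslv3(ctx.options, ctx.minimum_version)


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("hardened context can fall back to SSLv3:", context_allows_sslv3(ctx))
    # Constructed settings modelling an unpinned, fallback-capable context:
    # no OP_NO_SSLv3 bit and the lowest floor the library supports.
    print("unpinned settings can fall back to SSLv3:",
          allows_sslv3(0, ssl.TLSVersion.MINIMUM_SUPPORTED))
```

The check reads the two independent controls OpenSSL offers (the per-version option bit and the minimum protocol version) because either one on its own is sufficient; a context that sets neither is the fallback-capable configuration the issue is about.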
Comments:

By: abelbeck (abelbeck) 2014-10-16 11:10:29.146-0500

jabber/xmpp patches to use TLS instead of SSLv3

By: opsmonitor (jiraasterisk@encryptedmail.mx) 2014-10-18 13:24:23.334-0500

Your patch saved the day.  After looking for a possible jabber server problem, or openssl version issue after a yum update, I was suspecting asterisk and found this patch to be working fine.

Environment:
Centos 7
kernel 2.6.32-431.29.2.el6.x86_64 #1 SMP
openssl-1.0.1e-30.el6_5.2.x86_64
openssl-devel-1.0.1e-30.el6_5.2.x86_64
By: Matt Jordan (mjordan) 2014-10-19 14:30:53.728-0500

This is, thankfully, the only place in Asterisk that has this problem. You _can_ configure {{chan_sip}} (or other modules) to use SSL, but that's a configuration choice and not something enforced in the code.

Given the nature of this, we'll be pushing the patch through ASAP and perform a point release of the affected branches. Thanks for the contribution!

By: Matt Jordan (mjordan) 2014-10-19 14:52:35.726-0500

I will note that the core {{tcptls}} code defaults to fallback, which is vulnerable to POODLE. So that will have to be updated as well.

By: Matt Jordan (mjordan) 2014-10-19 15:39:32.270-0500

In order to limit further exposure of this vulnerability, I've restricted this issue to Reporter and Bug Marshals at this time. We will unrestrict the issue tomorrow when the vulnerability is patched.