[h323implementers] [Openh323gk-users] [Openh323gk-developer] Thoughts on H.323 encryption or Why your AES encryption might be worth nothing

Jan Willamowius jan at willamowius.de
Mon Sep 23 09:09:41 EDT 2013


Simon Perreault wrote:
> Le 2013-09-23 13:25, Hani Mustafa a écrit :
> > Most vendors (including aforementioned vendors) have mostly just hoped
> > that the entire industry is going to move to SIP and also placed their
> > bets there, hoping that all the security problems with H.323
> > authentication would go away.
>
> [...]
>
> As long as nobody verifies TLS certificates, I don't see how the
> situation can change for either SIP or H.323.

Exactly my point: Lets use TLS and check the certificates as closely as
we can.

GnuGk currently checks the certificates signature (either against your
own CA or the public CAs you configure) and can also check if the IP
the call comes from matches the certificate.

Everybody is invited to check the source code if I do it right and is
encouraged to implement similar checks in other endpoints, gateways or
gatekeepers!

See Toolkit::MatchHostCert() in Toolkt.cxx
http://openh323gk.cvs.sourceforge.net/viewvc/openh323gk/openh323gk/Toolkit.cxx?view=log

Regards,
Jan

-- 
Jan Willamowius, Founder of the GNU Gatekeeper Project
EMail  : jan at willamowius.de
Website: http://www.gnugk.org
Support: http://www.willamowius.com/gnugk-support.html

Relaxed Communications GmbH
Frahmredder 91
22393 Hamburg
Geschäftsführer: Jan Willamowius
HRB 125261 (Amtsgericht Hamburg)
USt-IdNr: DE286003584




More information about the h323implementers mailing list