If you didn’t already know, both SIP and HTTP share the same digest authentication mechanism, described all the way back in RFC-2069, “An Extension to HTTP: Digest Access Authentication”. At the time, the only generally supported digest algorithm was MD5, but that algorithm has been deemed “cryptographically broken and unsuitable for further use” since around 2010. In 2015, with the publication of RFC-7616, the much more secure SHA-256 and SHA-512-256 algorithms were added to the mix. Even so, support for those algorithms in the SIP ecosystem has been spotty at best.

Finally though, with the releases of Asterisk 22.2.0, 21.7.0 and 20.12.0, those algorithms are fully supported for authentication with the chan_pjsip channel driver when acting both as a SIP client and as a SIP server.

There are some caveats, however. pjproject version 2.15.1 or greater is required (that version is now the official bundled version). OpenSSL version >= 1.0.0 is required for SHA-256 and OpenSSL version >= 1.1.1 is required for SHA-512-256. To be honest, if you’re running an OpenSSL version < 1.1.1, continuing to use the MD5 algorithm is the least of your problems :). Of course, the SIP peer you’re connecting to must also support the algorithm.
The addition of the new algorithms has required changes to the PJSIP “auth” object configuration which are described in more detail in the “PJSIP Authentication” page on the Asterisk documentation site. In a nutshell though, you can separately configure which algorithms to use when an auth object is acting as a client or a server and you can now specify credentials pre-hashed with MD5, SHA-256 and SHA-512-256. You can also set a default list of supported client and server algorithms in the PJSIP “global” object which means you can easily have all auth objects support the new algorithms with the addition of two lines to the “global” config.
As mentioned, full details are available in the “PJSIP Authentication” page on the Asterisk documentation site.
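The following is an added example, not code from Asterisk or pjproject. It shows what a pre-hashed credential is in RFC 7616 terms (HA1 = H(username:realm:password)) and how a server can verify a qop=auth response from that stored value alone. The function names and the sample user, realm, password and nonce are constructed for illustration.

```python
import hashlib
import hmac

# Digest algorithm tokens mapped to hashlib/OpenSSL names.
ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256", "SHA-512-256": "sha512_256"}

def available_algorithms():
    """Tokens the local OpenSSL build can compute (SHA-512-256 may be absent)."""
    usable = []
    for token, name in ALGORITHMS.items():
        try:
            hashlib.new(name)
            usable.append(token)
        except ValueError:
            pass
    return usable

def _h(token, text):
    return hashlib.new(ALGORITHMS[token], text.encode("utf-8")).hexdigest()

def ha1(token, username, realm, password):
    """H(username:realm:password), the value a pre-hashed credential holds."""
    return _h(token, f"{username}:{realm}:{password}")

def digest_response(token, ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """Response for qop=auth, computed from HA1 alone (no cleartext password)."""
    ha2 = _h(token, f"{method}:{uri}")
    return _h(token, f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(token, stored_ha1, received, **challenge):
    """Server side: recompute from the stored HA1, compare in constant time."""
    expected = digest_response(token, stored_ha1, **challenge)
    return hmac.compare_digest(expected, received)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    challenge = dict(method="REGISTER", uri="sip:pbx.example.com",
                     nonce="constructed-nonce", nc="00000001", cnonce="0a4f113b")
    for token in available_algorithms():
        stored = ha1(token, "alice", "example.com", "constructed-password")
        sent = digest_response(token, stored, **challenge)
        print(token, stored, verify(token, stored, sent, **challenge))
    # An HA1 made with one algorithm fails a challenge issued for another.
    md5_ha1 = ha1("MD5", "alice", "example.com", "constructed-password")
    sent = digest_response("SHA-256", ha1("SHA-256", "alice", "example.com",
                                          "constructed-password"), **challenge)
    print("MD5 HA1 vs SHA-256 response:", verify("SHA-256", md5_ha1, sent, **challenge))
```

Because HA1 is bound to the algorithm, username and realm, a credential pre-hashed with MD5 cannot answer a SHA-256 or SHA-512-256 challenge; each algorithm you want to offer needs its own pre-hashed value or the cleartext password.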
We’d be interested to know how many of your peers or devices also support the new algorithms.