[SIP Beyond VoIP] Sylkserver - authentication against an IMAP server

Bibo bibo at ag-projects.com
Fri Apr 17 01:51:11 CEST 2020


Hello,

I'll leave some comments about the auth patches and their security:

> We totally agree that sending the plaintext password over ws is an inferior solution if you use sip. Unfortunately, to implement any other authentication without even more changes, we need this. Therefore we create a configurable client and sylkrtc.js which by default sends ha1 but can be changed to send plain passwords. See patches sylkrtc-ha1-conditional.patch and sylk-webrtc-ha1-conditional.patch.

A solution using a clear-text password could be implemented
as long as it is sent through TLS/SSL (according to RFC 2595).
In addition, it could be reinforced with an extra authentication mechanism,
for example, a clear-text password accompanied by a set of bytes as a challenge.

More specifically, it should be TLS/SSL version 1.3, be certain the cert does not expire,
and a reinforcement is strongly recommended, because of IMAP vulnerabilities.

Greetings!
Bibo.
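
Added example, not part of the original message and not Sylkserver code: one way to check a clear-text password against an IMAP server only inside a verified TLS 1.3 session, while reporting how many days remain on the server certificate. It uses Python's standard `imaplib` and `ssl`; the function names and the implicit-TLS port 993 are assumptions.

```python
import imaplib
import ssl
import time


def strict_tls_context():
    """TLS 1.3 only, with chain and hostname verification enforced."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def days_until_expiry(cert, now=None):
    """Whole days left before the certificate's notAfter (negative if past)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def imap_check_password(host, user, password, port=993, timeout=10):
    """Return (ok, days_left); ok is True only if LOGIN succeeded.

    Handshake failures (old TLS version, expired or mismatched certificate)
    and dropped connections raise, so they are never reported as a wrong
    password and the password is never sent outside a verified session.
    """
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=strict_tls_context(),
                             timeout=timeout)
    try:
        days_left = days_until_expiry(conn.sock.getpeercert())
        try:
            conn.login(user, password)
        except imaplib.IMAP4.abort:
            raise  # connection-level failure, not a credential verdict
        except imaplib.IMAP4.error:
            return False, days_left  # server answered NO to LOGIN
        return True, days_left
    finally:
        try:
            conn.logout()
        except (imaplib.IMAP4.error, OSError):
            pass  # connection already gone
```

The handshake already rejects an expired certificate; `days_left` is there so the caller can alert before expiry causes logins to start failing.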