[SIP Beyond VoIP] Sylkserver - authentication against an IMAP server

Valentin Kleibel valentin at vrvis.at
Mon Apr 20 13:51:14 CEST 2020


Hello,

Thank you for your suggestions.

> I leave some comments about auth patches and its security:
> 
>> We totally agree that sending the plaintext password over ws is an inferior solution if you use sip. unfortunately, to implement any other authentication without even more changes, we need this. therefore we create a configurable client and sylkrtc.js which by default sends ha1 but can be changed to send plain passwords. see patches sylkrtc-ha1-conditional.patch and sylk-webrtc-ha1-conditional.patch.
> 
> A solution using clear-text password could be implemented
> as long as it could be sent through TLS/SSL, (according to rfc2595)
> In addition, it could be reinforced with an extra authentication mechanism,
> for example, a clear-text password accompanied by a set of bytes as a challenge.
> 
> More specifically, it should be TLS/SSL version 1.3, be certain the cert does not expire,
> and a reinforcement is strongly recommended, because of IMAP vulnerabilities.


I totally agree with you that the password must be sent over an 
encrypted channel.
In the front end this should be achieved by the users' browser. No 
modern browser should let you send a password over an unencrypted 
channel. So, as long as the webserver for the sylk-webrtc deployment 
uses a secure SSL configuration we are fine.
At this point the password was safely transferred from the user to 
sylkserver.
My current implementation uses an SSL connection, but you're right, this 
is not enough.
I assumed that the Python imaplib would validate the certificate, but it 
doesn't. [1] [2]
We adapted the patch to check for a valid certificate on the IMAP server.

Regards,
Valentin

[1] https://docs.python.org/2/library/imaplib.html#imaplib.IMAP4_SSL
[2] https://stackoverflow.com/questions/9713055/certificate-authority-for-imaplib-and-poplib-python#9724940
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sylkserver-auth-imap-async-ssl.patch
Type: text/x-patch
Size: 9840 bytes
Desc: not available
URL: <http://lists.ag-projects.com/pipermail/sipbeyondvoip/attachments/20200420/a82ab635/attachment.bin>