<div dir="ltr">Hi Daniel,<div><br></div><div>I'm also using letsencrypt since their beta program.</div><div>The only issue I see is that the certs expire after 90 days, which means you will have to manually change them before those 90 days are up.</div><div>They have an automated process to get new certs and insert them in the correct virtual hosts in apache, but I doubt they have any kamailio automation setup yet.</div><div><br></div><div>Besides that, which is no big deal, just takes more time until someone writes a script to automate the kamailio process of requesting new certs and replacing the expired ones, I'm a big fan of Letsencrypt and I recommend it to anyone that takes security seriously and doesn't want to participate in enriching the CA "mafia".</div><div><br></div><div>Cheers,</div><div>Peter</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 8, 2015 at 8:06 AM, Daniel-Constantin Mierla <span dir="ltr"><<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
during the past few days I made some updates related to the security<br>
aspects of <a href="http://kamailio.org" rel="noreferrer" target="_blank">kamailio.org</a> services.<br>
<br>
Two are relevant for the community.<br>
<br>
1) First, <a href="http://kamailio.org" rel="noreferrer" target="_blank">kamailio.org</a> uses now a TLS certificate signed by<br>
<a href="http://letsencrypt.org" rel="noreferrer" target="_blank">letsencrypt.org</a>, a free trusted CA backed up by Mozilla and other<br>
internet companies, so browsing via HTTPS should no longer issue any<br>
warning of untrusted certificate (previously we used a CACert.org<br>
certificate which was not trusted automatically by browsers).<br>
<br>
Wiki and mailing lists portals use the letsencrypt certificate as well,<br>
so is no reason not to browse all <a href="http://kamailio.org" rel="noreferrer" target="_blank">kamailio.org</a> and <a href="http://lists.sip-router.org" rel="noreferrer" target="_blank">lists.sip-router.org</a><br>
pages only via HTTPS. Perhaps in the near future we will try to enable<br>
redirect of HTTP to HTTPS at least for the main page and login pages for<br>
wiki, mailing lists and other places that require sensitive data.<br>
<br>
Now SSLLabs test ranks <a href="https://kamailio.org" rel="noreferrer" target="_blank">https://kamailio.org</a> with grade A:<br>
<br>
* <a href="https://www.ssllabs.com/ssltest/analyze.html?d=kamailio.org&latest" rel="noreferrer" target="_blank">https://www.ssllabs.com/ssltest/analyze.html?d=kamailio.org&latest</a><br>
<br>
As a side note, for those that haven't noticed it, for quite some time<br>
<a href="http://kamailio.org" rel="noreferrer" target="_blank">kamailio.org</a> is available also over IPv6.<br>
<br>
2) Second, emails forwarded by <a href="http://kamailio.org" rel="noreferrer" target="_blank">kamailio.org</a> and <a href="http://lists.sip-router.org" rel="noreferrer" target="_blank">lists.sip-router.org</a> are<br>
having now a DKIM signature. Also, there are SPF records in DNS for<br>
these domains. Hopefully, those two will help getting the emails to be<br>
allowed by various spam filters out there, as their legit origin can be<br>
checked.<br>
<br>
If you check the sources of an email messages and the email server of<br>
receiving party is doing DKIM/SPF checks, you should see some headers<br>
like next (taken from an email I received to my gmail account from<br>
sr-users mailing list):<br>
<br>
"""<br>
Authentication-Results: <a href="http://mx.google.com" rel="noreferrer" target="_blank">mx.google.com</a>;<br>
spf=pass (<a href="http://google.com" rel="noreferrer" target="_blank">google.com</a>: domain of <a href="mailto:sr-users-bounces@lists.sip-router.org">sr-users-bounces@lists.sip-router.org</a> designates 193.22.119.66 as permitted sender) smtp.mailfrom=<a href="mailto:sr-users-bounces@lists.sip-router.org">sr-users-bounces@lists.sip-router.org</a>;<br>
dkim=pass header.i=@<a href="http://lists.sip-router.org" rel="noreferrer" target="_blank">lists.sip-router.org</a><br>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=<a href="http://lists.sip-router.org" rel="noreferrer" target="_blank">lists.sip-router.org</a>; s=20151206;<br>
h=Sender:Content-Type:List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Reply-To:Subject:MIME-Version:Message-ID:To:From:Date; bh=lGjvCZYcxBHUHaJDnut1j2YTyPsXTnXHzUb0CgcDc1Q=;<br>
b=DlD+MKoEqyISB5Ba775t3zg70FC6ouC+tEo7j5zv4dn2Dhm4pWqkQXSfU4Kp1NqW1ZRYFC/mpg/7LEcGW2FlDL9J0FpUg1VjNmN7D1wvtW08hBBw91tsXImu9yf7KZjg/p4IbXu6vznldubrSxweIaV3q/xbrLgaqP5Dsrvs/9A=;<br>
"""<br>
<br>
Kamailio is not enforcing any of those policies on received email<br>
messages, so sending to the lists should not be affected.<br>
<br>
Should anyone discover problems when browsing the web portals or notices<br>
issues with emails from our mailing lists, report them to sr-dev mailing<br>
list.<br>
<br>
Also, if anyone has more hints on increasing the security/privacy for<br>
the web server and email systems we run for <a href="http://kamailio.org" rel="noreferrer" target="_blank">kamailio.org</a>, do not<br>
hesitate to provide us suggestions.<br>
<br>
Cheers,<br>
Daniel<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Daniel-Constantin Mierla<br>
<a href="http://twitter.com/#!/miconda" rel="noreferrer" target="_blank">http://twitter.com/#!/miconda</a> - <a href="http://www.linkedin.com/in/miconda" rel="noreferrer" target="_blank">http://www.linkedin.com/in/miconda</a><br>
Book: SIP Routing With Kamailio - <a href="http://www.asipto.com" rel="noreferrer" target="_blank">http://www.asipto.com</a><br>
<a href="http://miconda.eu" rel="noreferrer" target="_blank">http://miconda.eu</a><br>
<br>
<br>
_______________________________________________<br>
sr-dev mailing list<br>
<a href="mailto:sr-dev@lists.sip-router.org">sr-dev@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev" rel="noreferrer" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev</a><br>
</font></span></blockquote></div><br></div>