Showing posts with label encryption. Show all posts
Showing posts with label encryption. Show all posts

Wednesday, January 13, 2021

Using the GNU Gatekeeper to create TLS tunnels

Most H.323 vendors did not implement encrypting the signaling connection with TLS. They only encrypt the media (RTP). But you can use the two GNU Gatekeepers to encrypt you call signaling even when your endpoints don't support this natively.

Suppose you have 2 locations and want to connect them securely over the public internet.

GnuGk can encrypt call signalling between those locations using TLS and encrypt the media (RTP) using H.235.6 (AES encryption). 


 Configuration for GNU Gatekeeper 1 (prefix 01)

 

[Gatekeeper::Main]

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1

[Proxy]
Enable=1

[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED

[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS

[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 02
1.2.3.4:1300=remote-gw;02

[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1 
 

Configuration for GNU Gatekeeper 2 (prefix 02)

[Gatekeeper::Main]

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1

[Proxy]
Enable=1

[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED

[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS

[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 01
1.2.3.5:1300=remote-gw;01

[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1 
 

Other options

You could also configure the remote GNU Gatekeeper as a neighbor, but beware that the RAS traffic between neighbors will show meta data (whois is caling who) in clear text! 

See the GnuGk manual section on TLS for more details and examples how to generate the OpenSSL certificates. 

 

Eingestellt von um
Labels: , , , , ,

Tuesday, January 28, 2014

H.323Plus 1.26 released

A new H323Plus is out: Version 1.26

  • it allows you to add TLS encryption to your endpoints (including H.460.22 capability negotiation)
  • it supports the upcoming H.235.6 with Diffie-Helman keys up to 8 KB length
  • there is support for media over TCP (H.460.26)
  • support for H.323v8 language features
If you have endpoints based on H323Plus (or OpenH323), I would encourage you to update to the latest library version and enable those new features!

H323Plus v1.26 of course also works great with GnuGk 3.5.

Download H323Plus 1.26 from h323plus.org.

Eingestellt von um
Labels: , , ,

Wednesday, January 8, 2014

Whats new in GnuGk 3.5 ? Part 1: New encryption features

Easier TLS configuration

H.323 encryption as implemented by virtually all commercial vendors is easily circumvented by Man-in-the-Middle attacks. So it is very important to secure at least your gatekeeper-to-gatekeeper signaling connections over the internet with TLS. See https://www.gnugk.org/h323-encryption.html for background information. (Its a bit like installing a huge lock and then leaving the key under the doormat for everybody to use.)

GnuGk can close this security hole by encrypting the signaling connection using TLS and verifying  the certificates of clients and servers.

With GnuGk 3.5, you don't have explicitly configure TLS for each partner. On all RAS connections GnuGk will use H.460.22 to signal support for TLS encryption and will automatically use it as when the partner supports it.

Stronger RTP encryption with larger keys

When the media encryption spec (H.235.6) was published by the ITU in 2005, it contained an error that prevents all vendors from using Diffie-Hellman tokens larger than 2048 bits. This error is being corrected by the ITU now and the new spec is about to be published.

GnuGk 3.5 supports the upcoming specification and can be configured to use AES256 with tokens of up to 8192 bits when you configure it to add media encryption to your calls.

Support for legacy authentication with DES-ECB

GnuGk 3.5 adds support for username / password authentication using the DES standard. This kind of authentication is very weak and should only be used for interoperability with old equipment that doesn't support anything else (eg. some Avaya endpoints).
Eingestellt von um
Labels: , , ,
Subscribe to: Posts (Atom)