Re: [Linphone-developers] ZRTP and TLS
From: Alexander Kraemer
Subject: Re: [Linphone-developers] ZRTP and TLS
Date: Thu, 16 Jan 2020 08:22:40 -0800 (PST)

It is better to use hardened endpoints and servers implementing:
1) (application layer security with) TLS 1.3 to initiate a client-(flexi-sip)-server authorization, preferably with your own CA (Certificate Authority) and client certs,
2) (e2e encryption with) ZRTP to establish end2end encryption between clients,
3) (network layer security) to tunnel the client server client traffic through protonvpn.com secure-core.

----- Original Message -----
From: Greg Troxel <address@hidden>
Sent: 01/14/2020 - 16:53
To: Werner Dittmann <address@hidden>
Subject: Re: [Linphone-developers] ZRTP and TLS
> Werner Dittmann <address@hidden> writes:
>
>> Actually, if you use ZRTP then there is no need to use TLS for SIP because
>> ZRTP negotiates its keys inband end-to-end using RTP over UDP. This is the
>> main difference to SDES where the key parameters are embedded within SIP
>> headers and thus you must run SIP over TLS.
>
> I see the point that TLS is not needed for ZRTP to protect the contents.
> But it's still necessary to protect the signalling channel, so that
> passive eavesdroppers cannot steal the SIP login credentials.
>
> I don't understand the notion of not using TLS, assuming it is feasible.