[Bug 25972] New: SIP2 server doesn't have a TLS/SSL-enabled listener
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25972 Bug ID: 25972 Summary: SIP2 server doesn't have a TLS/SSL-enabled listener Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: SIP2 Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org CC: colin.campbell@ptfs-europe.com I'm not super familiar with SIP2, but I don't see why we couldn't have a TLS/SSL-enabled listener for the SIP2 server. Most people use stunnel to secure their SIP2 server, but why not build in TLS/SSL support directly? -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25972 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=25965 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25972 --- Comment #1 from Colin Campbell <colin.campbell@ptfs-europe.com> --- SIP2 predates SSL - In the log in process there is a field to indicate what encryption is used but no specified values. To my knowledge no supplier of SIP devices is currently offering SSL at the client end. The Net::Server module used to handle the comms end does have SSL support so it should be possible to do this without too much effort. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25972 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- (In reply to Colin Campbell from comment #1)
SIP2 predates SSL - In the log in process there is a field to indicate what encryption is used but no specified values. To my knowledge no supplier of SIP devices is currently offering SSL at the client end.
I was wondering about that. Something on the client end must be negotiating the SSL connection to stunnel though. Or are SIP devices connecting to a proxy server on the LAN and then that proxy server securely connects to the Koha server running stunnel?
The Net::Server module used to handle the comms end does have SSL support so it should be possible to do this without too much effort.
That was my observation as well. The main reason I thought about this was because the amount of work that Bug 25965 would take and how surely having a built-in SSL listener would be better... -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25972 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |magnus@libriotech.no -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25972 --- Comment #3 from Magnus Enger <magnus@libriotech.no> ---
it should be possible to do this without too much effort.
That sounds promising ;-) Having a little look at this, but it feels like it is a little bit above me... I found this code, where we pass params from $config->{'server-params'} to ->run: if (defined($config->{'server-params'})) { while (my ($key, $val) = each %{$config->{'server-params'}}) { push @parms, $key . '=' . $val; } } __PACKAGE__ ->run(@parms); https://git.koha-community.org/Koha-community/Koha/src/branch/master/C4/SIP/...
From https://metacpan.org/pod/Net::Server::Proto::SSL#SYNOPSIS it looks like SSL is just a question of doing this:
main->run( proto => 'ssl', SSL_key_file => "/path/to/my/file.key", SSL_cert_file => "/path/to/my/file.crt", ); Could this mean that enabling SSL is as simple as adding proto, SSL_key_file and SSL_cert_file to the <server-params> in the SIPconfig.xml? Or are there more adjustments that are needed somewhere? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25972 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- (In reply to Magnus Enger from comment #3)
Could this mean that enabling SSL is as simple as adding proto, SSL_key_file and SSL_cert_file to the <server-params> in the SIPconfig.xml? Or are there more adjustments that are needed somewhere?
I'd have to look into it more. But I don't think that this is something I'm likely to work on. stunnel works well especially in a more centralized reverse proxy setup, so it's a good tool to use. After talking with more hardware vendors, it seems like stunnel is often used on the client side as well. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25972 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com --- Comment #5 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- In our experience, SIP2 clients still don't support this in the vast majority of cases.. we encourage all our customers to use stunnel and that's working well. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25972 --- Comment #6 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- (In reply to Martin Renvoize from comment #5)
In our experience, SIP2 clients still don't support this in the vast majority of cases.. we encourage all our customers to use stunnel and that's working well
Similar/same for us afaikt. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25972 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |INVALID --- Comment #7 from David Cook <dcook@prosentient.com.au> --- Closing this one as stunnel works well enough on both server and client side. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org