tls

Using the GNU Gatekeeper to create TLS tunnels

Most H.323 vendors did not implement encrypting the signaling connection with TLS; they only encrypt the media (RTP). But you can use two GNU Gatekeepers to encrypt your call signaling even when your endpoints don't support this natively.

Suppose you have two locations and want to connect them securely over the public internet.

GnuGk can then encrypt the call signaling between those locations using TLS and encrypt the media (RTP) using H.235.6 (AES encryption).


Configuration for GNU Gatekeeper 1 (prefix 01)


[Gatekeeper::Main]

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1

[Proxy]
Enable=1

[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED

[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS

[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 02
1.2.3.4:1300=remote-gw;02

[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1

Configuration for GNU Gatekeeper 2 (prefix 02)

[Gatekeeper::Main]

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1

[Proxy]
Enable=1

[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED

[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS

[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 01
1.2.3.5:1300=remote-gw;01

[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1
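The two configurations above only protect the link if every one of the security-relevant options is actually set; a single missing line (say, RequireH235HalfCallMedia left at 0, or a permanent endpoint without a matching [EP::...] section carrying UseTLS=1) silently lets unencrypted calls through. As an added example (not from the GnuGk project or the original page), the following Python script reads a GnuGk configuration and checks that the options the setup relies on are set the way the comments above intend: TLS enabled with certificate IP checking, H.245 tunneled, H.235.6 media encryption required, non-local calls restricted to onlyTLS, and every permanent endpoint called with UseTLS=1. The embedded sample is Gatekeeper 1's configuration from above with comments and unexamined options trimmed; the function names and the list of checks are this example's own assumptions.

```python
"""Audit a GnuGk configuration for the settings the TLS tunnel above relies on.
Added example, not GnuGk code: it reads GnuGk's ini-style config text and
checks the options named in the configuration above against the intent
stated in its comments."""
import configparser

# Constructed sample: Gatekeeper 1's configuration from above, with comments
# and the options the audit does not look at trimmed.
SAMPLE_CONFIG = """\
[RoutedMode]
H245TunnelingTranslation=1
EnableH235HalfCallMedia=1
RequireH235HalfCallMedia=1
EnableH235HalfCallMediaKeyUpdates=1

[TLS]
EnableTLS=1
Passphrase=MySecret
CheckCertificateIP=1

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
192.168.1.0/24=allow
any=onlyTLS

[RasSrv::PermanentEndpoints]
1.2.3.4:1300=remote-gw;02

[EP::remote-gw]
UseTLS=1
"""


def load_gnugk_config(text):
    # Keys may contain ':' (host:port), so only '=' separates key from value,
    # and ';' starts a comment only at the beginning of a line, not inside a value.
    cfg = configparser.ConfigParser(delimiters=("=",), comment_prefixes=(";", "#"),
                                    inline_comment_prefixes=None, interpolation=None)
    cfg.optionxform = str  # GnuGk option names are case-sensitive; keep them as written
    cfg.read_string(text)
    return cfg


def audit_tls_tunnel(cfg):
    """Return (severity, message) pairs; a 'fail' means encryption is not enforced."""
    findings = []

    def is_on(section, key):
        return cfg.get(section, key, fallback="0").strip() == "1"

    required = [
        ("TLS", "EnableTLS", "signaling between the gatekeepers is sent in clear text"),
        ("TLS", "CheckCertificateIP", "the peer certificate is not matched against the peer IP"),
        ("RoutedMode", "H245TunnelingTranslation",
         "H.245 is not tunneled and would use a separate, unencrypted connection"),
        ("RoutedMode", "EnableH235HalfCallMedia", "no H.235.6 media encryption is added"),
        ("RoutedMode", "RequireH235HalfCallMedia", "calls without media encryption are still accepted"),
    ]
    for section, key, why in required:
        if not is_on(section, key):
            findings.append(("fail", f"[{section}] {key} is not 1: {why}"))

    if not cfg.get("Gatekeeper::Auth", "FileIPAuth", fallback="").startswith("required"):
        findings.append(("fail", "[Gatekeeper::Auth] FileIPAuth is not 'required'"))
    if cfg.get("FileIPAuth", "any", fallback="") != "onlyTLS":
        findings.append(("fail", "[FileIPAuth] any=onlyTLS is missing: non-local calls may arrive unencrypted"))

    # Every permanent endpoint (the remote GnuGk) needs an [EP::alias] section with UseTLS=1.
    if cfg.has_section("RasSrv::PermanentEndpoints"):
        for addr, value in cfg.items("RasSrv::PermanentEndpoints"):
            alias = value.split(";")[0].strip()
            if not is_on(f"EP::{alias}", "UseTLS"):
                findings.append(("fail", f"[EP::{alias}] UseTLS is not 1: calls to {addr} would be sent in clear text"))

    if cfg.has_option("TLS", "Passphrase"):
        findings.append(("info", "[TLS] Passphrase is stored in clear text; restrict read access to the config file"))
    return findings


def weakened(text, key):
    """Copy of a config with one option switched from 1 to 0 (to show a failing audit)."""
    return text.replace(f"{key}=1", f"{key}=0")


if __name__ == "__main__":
    for label, text in (("as configured", SAMPLE_CONFIG),
                        ("RequireH235HalfCallMedia off", weakened(SAMPLE_CONFIG, "RequireH235HalfCallMedia"))):
        print(f"== {label} ==")
        for severity, msg in audit_tls_tunnel(load_gnugk_config(text)):
            print(f"  {severity}: {msg}")
```

Run it against each gatekeeper's real config file (read the file instead of SAMPLE_CONFIG) after every change; the permanent-endpoint check is the one most easily broken in practice, because renaming the alias in [RasSrv::PermanentEndpoints] without renaming the [EP::...] section leaves UseTLS unset for that peer.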

Other options

You could also configure the remote GNU Gatekeeper as a neighbor, but beware that the RAS traffic between neighbors will show metadata (who is calling whom) in clear text!

See the GnuGk manual section on TLS for more details and examples of how to generate the OpenSSL certificates.





tls

Old Infosec Talks: Metlstorm's Take on Hacky Hacking

Posted by Dave Aitel via Dailydave on Oct 31

The Anatomy of Compromise

One of my demented hobbies is watching old infosec talks and then seeing
how well they hold up to modern times. Recently I excavated Metlstorm's
2017 BSides Canberra
<https://www.youtube.com/watch?v=OjgvP9UB9GI&list=TLGGvAY1CcIr-AcyNjEwMjAyNA>
talk on "How people get hacked" - a pretty generic topic that gives a lot
of room for opinion, and one a lot of people have opined on, but the talk
itself...




tls

SAS Notes for SAS®9 - 66492: FILENAME FTP(FTP/TLS) fails with "ERROR: The connection was reset by a peer" due to using implicit FTP/TLS

If you connect to an FTP/TLS server that is configured to use implicit FTP/TLS, FILENAME FTP/TLS might fail with the following error:


tls

Axolotls seem to pause their biological clocks and stop ageing

In most vertebrates, a pattern of chemical marks on the genome is a reliable indicator of age, but in axolotls this clock seems to stop after the first four years of life




tls

Harden SSL/TLS Tool

"Harden SSL/TLS" hardens the default SSL/TLS settings of Windows 2000, 2003, 2008, 2008 R2, XP, Vista and 7. It allows you to remotely set SSL/TLS policies allowing or denying certain ciphers/hashes or complete ciphersuites.





tls

ESNTLS: The Brand Designed for Men and Their Needs




tls

ESNTLS: The Brand Catered to Men and Their Needs





tls

DIRECT FROM DEVELOPER BITEXCO, SHOPHOUSES AND VILLAS OF THE MANOR NGUYỄN XIỂN PROJECT, 12% DISCOUNT, 4 TAELS OF GOLD, 0% INTEREST SUPPORT

DIRECT FROM DEVELOPER BITEXCO, SHOPHOUSES AND VILLAS OF THE MANOR NGUYỄN XIỂN PROJECT, 12% DISCOUNT, 4 TAELS OF GOLD, 0% INTEREST SUPPORT. 1. Overview: - Project name: The Manor Central Park. - Developer: Bitexco Group. - Location: Nguyễn Xiển, Hoàng Mai, Hà Nội. - Consulting and design: EE&K, the company of Carlos Zapata. - ...




tls

Caddy offers TLS, HTTPS, and more in one dependency-free Go Web server

We put Caddy 2.0.0 head to head against a ranking heavyweight, Apache 2.4.41.




tls

United States Imports - Steelmaking & Ferroalloying Mtls. (Census)

Imports - Steelmaking & Ferroalloying Mtls. (Census) in the United States increased to 614 USD Million in March from 584.25 USD Million in February of 2020. Imports - Steelmaking & Ferroalloying Mtls. (Censu in the United States averaged 418.74 USD Million from 1989 until 2020, reaching an all time high of 1213.75 USD Million in August of 2008 and a record low of 5.37 USD Million in March of 2015. This page includes a chart with historical data for the United States Imports of Steelmaking & Ferroalloying Mtls.