Re: Using GnuGk to ensure media encryption

Quick update: The current CVS version can now add encryption to H.239
and data channels, too. Please give it a try and let me know how it
works for you.

Also, if you have endpoints capable of doing H.323 over TLS (h323s) or
H.235.8 and would be willing to run a few interop tests, please
contact me off-list.

Regards,
Jan

Jan Willamowius wrote:
> Hi,
> 
> lately I'm getting a lot of questions how GnuGk can help to encrypt
> communications. So here is a quick explanation how to configure GnuGk as
> an encryption proxy to ensure that more or all outgoing calls are
> encrypted, whether your endpoints support encryption themselves or not.
> 
> First, enable "half call media" which means GnuGk will add encryption
> if only one side of the call supports encryption. This will enable
> encryption for those of your endpoints that might not support
> encryption by themselves. You can also set if you want 128 or 256 bit
> AES. (Check "h235media=1" in the startup message to make sure your GnuGk
> has the encryption features enabled.)
> 
> [RoutedMode]
> EnableH235HalfCallMedia=1
> H235HalfCallMediaStrength=256
> 
> To make sure no call goes through without encryption, you can set
> 
> [RoutedMode]
> RequireH235HalfCallMedia=1
> 
> When you have this switch on, calls without encryption will be aborted.
> 
> Finally, you can take precautions that it's always the "outside"
> connection that gets encryption added. The GnuGk feature is "half call
> media" and you have to make sure it's not only the internal half of the
> call that gets encrypted. Thus you can remove the encryption from all
> endpoints on your internal network and with the above settings GnuGk
> will add encryption to all outgoing calls.
> 
> [RoutedMode]
> RemoveH235Call=192.168.1.0/24, 10.0.1.0/32
> 
> See section 5.1 in the manual for more details on these settings.
> http://www.gnugk.org/gnugk-manual-5.html#ss5.1
> 
> 
> This should do for now, but there is room for future improvement:
> One important step would be encryption of signalling and H.245
> channels and the use of certificates to avoid man-in-the-middle
> attacks. Also, right now only audio and video are encrypted, we might
> want to extend that to H.239 and data channels. So beware of these
> limitations.
> 
> Regards,
> Jan
> 
> -- 
> Jan Willamowius, Founder of the GNU Gatekeeper Project
> EMail  : jan@xxxxxxxxxxxxxx
> Website: http://www.gnugk.org
> Support: http://www.willamowius.com/gnugk-support.html
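
A configuration check for the [RoutedMode] settings named in the message above, as an added example that is not part of the original post or of the GnuGk project. The function name audit_routed_mode and its internal_hosts parameter are hypothetical; it assumes the ini file is readable by Python's configparser and that RemoveH235Call entries follow standard CIDR semantics.

```python
import configparser
import ipaddress

# Constructed sample: the settings quoted in the message, without the
# RequireH235HalfCallMedia switch.
SAMPLE_INI = """\
[RoutedMode]
EnableH235HalfCallMedia=1
H235HalfCallMediaStrength=256
RemoveH235Call=192.168.1.0/24, 10.0.1.0/32
"""


def audit_routed_mode(ini_text, internal_hosts=()):
    """Return a list of findings about the half call media settings."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key names exactly as written in the file
    cp.read_string(ini_text)
    rm = cp["RoutedMode"] if cp.has_section("RoutedMode") else {}
    findings = []

    if rm.get("EnableH235HalfCallMedia", "0").strip() != "1":
        findings.append("EnableH235HalfCallMedia is not 1: no encryption is added")
    if rm.get("RequireH235HalfCallMedia", "0").strip() != "1":
        findings.append("RequireH235HalfCallMedia is not 1: "
                        "calls without encryption are not aborted")
    if rm.get("H235HalfCallMediaStrength", "").strip() not in ("128", "256"):
        findings.append("H235HalfCallMediaStrength is not explicitly 128 or 256")

    # Networks whose own encryption is removed, so that the outside half
    # of the call is the one that gets encryption added.
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in rm.get("RemoveH235Call", "").split(",") if n.strip()]
    for host in internal_hosts:
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in nets):
            findings.append(f"{host} is not covered by RemoveH235Call")
    return findings


if __name__ == "__main__":
    # Constructed internal endpoint addresses for the demonstration.
    for finding in audit_routed_mode(SAMPLE_INI, ["192.168.1.20", "10.0.1.5"]):
        print("FINDING:", finding)
```

Under the CIDR assumption, a /32 entry matches a single address, so 10.0.1.5 is reported as not covered by the sample RemoveH235Call line.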
