FreePBX Master Key Update

Hey All,

A few weeks ago, you may have received notification about a security update to add support for an additional FreePBX master key. A few of you asked us “what is this for?” or “what does this mean for FreePBX?”

TLDR

  • Increase the size of the master key, in order to keep current with security best practices
  • New key provides faster, more reliable public key infrastructure lookups
  • Invite 3rd party developers with existing signing keys to get their keys re-signed with the new master key

Security

For those that are not familiar with the way that FreePBX uses GPG keys, they are used to cryptographically sign FreePBX modules that are to be installed on a PBX system. As with modern operating systems, the module installer verifies that the modules have been distributed by an authorized source, i.e. the one that owns the FreePBX master key.

This also allows FreePBX to verify that modules have not been tampered with by potential bad actors (hackers, for example) trying to modify the module code to, for instance, insert backdoors into the system. All in all, it’s a very strong “net positive” from a system security perspective and allows administrators to better trust that their FreePBX systems are not compromised.

GPG Master Key Size

Over the years, standard best practices have encouraged administrators to increase cryptographic key sizes. We have chosen to increase our key size to 4KB, which is in line with more current best practices.

GPG Key Infrastructure

FreePBX utilized the public key infrastructure for verification of 3rd-party-developers’ keys in order to ensure that they were signed by the FreePBX Master key, which is owned by Sangoma.

Infrastructure such as this can be susceptible to external attacks. That kind of attack could result in what is called “poisoning” of the Sangoma public master key. While the word “poison” sounds scary, it does not mean that the key was lost or compromised – it just means that FreePBX module signature verification could take an inexplicably long time or potentially time out due to FreePBX being unable to retrieve the public key from a key server.

In order to work around this problem, FreePBX developers chose to bypass usage of the public key infrastructure by bundling the public side of the FreePBX master key with the FreePBX distribution, effectively making poisoning a non-issue.
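The offline check described above, together with the tamper detection from the Security section, sketched as an added example (not FreePBX's own installer code): it verifies a detached signature directly against a bundled key file with key server access disabled. The function name, its arguments and the fingerprint pin are assumptions for illustration, it does not cover the developer-key chain, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not FreePBX code): verify a detached signature offline,
# trusting only a public key file shipped alongside the software.
# Assumes GnuPG 2.1+ (for --no-auto-key-retrieve and --disable-dirmngr).

# verify_bundled KEYFILE EXPECTED_FPR SIGFILE DATAFILE   (hypothetical helper)
# Returns 0 only if SIGFILE is a good signature over DATAFILE made by the
# key whose primary fingerprint is EXPECTED_FPR; 1 on a bad signature or
# unexpected signer; 2 if the bundled key cannot be imported.
verify_bundled() {
    vb_key=$1 vb_want=$2 vb_sig=$3 vb_data=$4
    # Throwaway keyring: nothing in the user's own keyring is trusted.
    vb_home=$(mktemp -d) || return 2
    chmod 700 "$vb_home"
    if ! gpg --homedir "$vb_home" --batch --quiet \
             --import "$vb_key" >/dev/null 2>&1; then
        rm -rf "$vb_home"
        return 2
    fi
    # No key server or dirmngr access: a slow or poisoned key server
    # cannot delay or influence the result.
    vb_status=$(gpg --homedir "$vb_home" --batch \
                    --no-auto-key-retrieve --disable-dirmngr \
                    --status-fd 1 --verify "$vb_sig" "$vb_data" \
                    2>/dev/null) || true
    rm -rf "$vb_home"
    # GOODSIG rules out expired or revoked keys; the last field of
    # VALIDSIG is the signer's primary key fingerprint.
    vb_got=$(printf '%s\n' "$vb_status" | awk '
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { fpr = $NF }
        END { if (good) print fpr }')
    [ -n "$vb_got" ] && [ "$vb_got" = "$vb_want" ]
}

# Command-line use: script KEYFILE EXPECTED_FPR SIGFILE DATAFILE
if [ "$#" -eq 4 ]; then
    verify_bundled "$@"
    exit $?
fi
```

A modified file, a signature from any other key, or a key file that does not match the pinned fingerprint all make the function return non-zero.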

What about the old key?

A few of you have seen comments/posts from 3rd parties not affiliated with Sangoma that claimed or speculated that Sangoma was going to cancel the old key. Comments from sources outside of Sangoma about what Sangoma may be planning are probably not reliable, so if you ever have any questions or concerns about something of this nature, please contact me or Jared Smith.

We understand that deprecating the old signing key would be very disruptive to the FreePBX community. Thus, there are no current plans at Sangoma to deprecate the old master key. If circumstances in the future change, it would be done in such a way as to minimize disruption.

FreePBX modules signed with the old master key and the 3rd-party-signed developer keys will continue to work.

But we do strongly encourage developers with existing signed keys to reach out to us at code@sangoma.com to have their keys re-signed with the new, more secure master key. We also invite any new open source module developers that want to have their keys signed to reach out to us as well.

Separately from the key updates, Sangoma is even exploring ways to offer 3rd party developers access to building and distributing commercial modules. We’ve been asked this a few times over the years and know that historically it was challenging for developers and companies to do so. So we see this as one of the areas we may be able to improve upon and be more flexible, under commercial agreement.

As good stewards of the FreePBX project, Sangoma is working hard to improve and maintain security while offering innovative ways for developers and customers to continue to work with us even more closely and cooperatively in the future.

I would like to conclude by thanking everyone who is involved in pushing the project forward. This includes those of you that help to answer questions in the community forums, submit wiki documentation, contribute patches to the codebase, or contribute in any other way. Each person’s efforts in doing so are vital for the life and success of the project.

I wish all of you the best, and look forward to any questions you might have.

Introducing Open Source Pro Tips Video Series

We all know that documentation is very important when you are in need of assistance for anything and everything. Our support and engineering teams have always been there for our community with loads of documentation available at wiki.sangoma.com. But we want to do even more!

We know that a lot of times a screenshot of a Web GUI config or of a command line snippet can help a lot more than just words on a wiki page. So, what’s even better than an image? A video!

Our support team has huddled together to create a brand new video series that we’re calling Open Source Pro Tips. This video series is designed to help you with all your Asterisk, FreePBX and open source questions, concerns or just general information. Each video will cover a topic most requested by our community and be delivered by one of our experts from our support or engineering teams. There will be one video released each month on our YouTube channel and FreePBX Video Library, as well as our social media accounts (so make sure you follow us too).

Join us in watching the very first video of the Open Source Pro Tips series, FreePBX – First steps after installation!

Leap into the New Year with Our FreePBX Merchandise Store!

For all our community members of FreePBX, Asterisk and open source we thank you for your commitment and contributions. We appreciate your passion for this industry and we want to provide you with yet another way to express it.

We’ve just launched a line of apparel and merchandise which focuses on FreePBX, Asterisk and all things open-source. We plan on giving away a variety of these items at the shows and conferences which we attend in the next few years. Our goal is to keep things fun here, and give Tango the frog a new way to show his love :). We also brought back the classic FreePBX shirts, as you can see below. (Some of our teammates are pleased to show them off!)

We know that not everyone can attend in-person events where we give away these items, so we are happy to let you know that we also just launched our very first online store where all of these items will be available for purchase. Check it out here!

Take a look around and see if there is anything you want to purchase. And if you have suggestions on other items you would like to see in the store, or available as give-aways at our shows, let us know! Send an email to leo@sangoma.com and provide your feedback.

Happy New Year – A Community Update

Hello everyone…for those of you who don’t know me, I’m Jared Smith, Sangoma’s new Vice President for Open Source Community Development. Ever since I first started using open source telephony software back in 2002, I’ve tried to give back to the community. I’ve done Asterisk consulting, I’ve written Asterisk documentation, I’ve taught Asterisk training classes, and I’ve spoken at dozens of conferences. And I’ve also been involved with the FreePBX project, helping with technical work in the FreePBX code base, speaking at conferences about FreePBX, managing the network infrastructure that underpins Sangoma’s cloud versions of FreePBX/PBXact, and actively participating in the forums, etc. As you can probably tell, I’m very passionate about open source and open source telephony, and I love the people who make this community welcoming!

As Bill Wignall explained in his recent letter, my responsibilities at Sangoma have changed and I now have the amazing opportunity to focus most of my time on open source and community engagement. 2019 was a big year for open source at Sangoma, with the major releases of FreePBX 15 as well as Asterisk 17, and we have a lot planned for 2020 when it comes to both of these projects! The “Care, Engage, Support” theme Bill described for 2020 covers several areas, including technical improvements in the projects and better engagement with you. In this letter I’ll cover some of those details including new capabilities for FreePBX, strengthening the project infrastructure, and some of the efforts we’ll be taking to improve the communication between Sangoma and the open source community.

We are planning significant updates to our open source projects each month for the next while! In late January, we’re releasing updates for FreePBX to support the new, upcoming requirements for emergency calling. With the upcoming deadline for new installations of US telephone systems to comply with various new regulations (such as Kari’s Law and the Ray Baum Act), we want to make sure that your systems are compliant as well. This will also be an important item of interest to our partners who install FreePBX at customers’ sites. Manufacturers, installers, and end-users all have a role to play in making sure their new installations are compliant. These updates will help you configure your new installations to be compliant with the new requirements, and will include features to ensure that emergency calls have a proper outbound DID and that system administrators are notified when a user has called an emergency services number. We will also be adding more information to the FreePBX wiki on best practices for configuring your system for calling emergency services.

In February, we’re doing work to improve pieces of infrastructure used by our open source projects. The team at Sangoma is also putting a renewed emphasis on the key infrastructure that Sangoma provides to the community, such as download mirror servers, the wikis, etc. to make sure that they perform optimally. Once that work has been completed, we will add an article about those changes to the blogs.

In the March/April timeframe, I’ll update you on the significant engineering time we’re investing to modernize some of the internal “plumbing” of FreePBX, to help it keep up with recent technology changes. Some of these changes will improve system performance, and others are focused on security. The development team is also working on a couple of new FreePBX modules to address highly-requested features.

Focusing on the “Engage” aspect of our theme, we have redoubled our efforts at Sangoma to be more involved and communicative with the Asterisk and FreePBX open source communities, and to increase awareness through a number of different initiatives, such as…

  • If you’ve participated in the Asterisk or FreePBX forums lately, you’ve hopefully noticed increased activity by Sangoma engineers. Going forward, you will continue to see more participation from me and from others at Sangoma in the forums.
  • We are working on a series of short videos called Open Source Pro Tips (the first of which was just published) showing tips and tricks that will help you be more effective in your use of Asterisk and FreePBX.
  • AstriCon 2020 is now confirmed for October in Orlando, with more details to come, and I’m thrilled that we are re-launching FreePBX World there as well!
  • A quarterly newsletter focused on our open source projects, the first of which will be published later this month.
  • I will also be soliciting ideas for features and fixes you would most like to see in upcoming versions of both Asterisk and FreePBX. Please look for these “requests for ideas” in the forums beginning this month.
  • A new “Voice of the Community” series in our blogs beginning in February, which will include some guest posts from open source community members.
  • We would also love to hear your success stories with Asterisk and FreePBX! We will share some of these stories in the Voice of the Community series mentioned above.
  • In an effort to keep things fun and interesting, we are also happy to announce the launch of a new online merchandise store. On that site, you can find a variety of products such as t-shirts, mugs, and stickers centered around Asterisk and FreePBX projects. We’ll also be giving away some free items from the store in monthly contests.

I hope you’ve found this community update useful.

And please know that the Asterisk/FreePBX development teams are all here for you. We are completely committed to making the open source telephony ecosystem better each and every month. If you have concerns or questions about either Asterisk or FreePBX, please don’t hesitate to reach out to me on the forums, in IRC, via social media, via email at opensourcefeedback@sangoma.com, or in person at one of the many conferences related to open source telephony. By the way, my next conference will be ITExpo in February, so please say hi if you’re there.

Here’s to a joyous and prosperous 2020!
Jared Smith