[Evergreen-general] Encrypted SIP2

Blake Henderson blake at mobiusconsortium.org
Tue Jan 5 11:56:02 EST 2021


Wendell,

I'd like to add one more idea/tool. We developed a SIP proxy for a 
computer/Raspberry Pi that can be located on the library's LAN, which 
negotiates the tunnel to the Evergreen server using pre-setup keys. Just 
another thing that might help you:

https://github.com/mcoia/evergreen_sip_proxy

Lightning talk on the matter:
http://slides.mobiusconsortium.org/blake/sip_proxy/#/

-Blake-
Conducting Magic
Can consume data in any format
MOBIUS

On 1/5/2021 9:44 AM, Josh Stompro wrote:
> Wendell, I just wanted to add another confirmation: we have had 100% 
> success requiring encrypted tunnels for SIP2 access with outside 
> vendors (Overdrive, Hoopla, OCLC (VDX ILL), BrainFuse). Stunnel has 
> been the easiest to set up; since it is just SSL, one vendor was easily 
> able to adjust their own software to natively connect via SSL and 
> didn't need to run stunnel on their end at all.
>
> We also offer SSH tunneling, but that takes a bit more work to set up, 
> and I don't think anyone actually is using that method right now.  I 
> did exchange 4 emails with OCLC support where they repeatedly used the 
> term SSH but then finally said that what they meant was Stunnel, 
> sigh.  I also had to quote a library journal article from a few years 
> ago where OCLC said "of course we support encrypted authentication for 
> all our products" to get them to admit that they could do it.  That 
> was a fun email to send.
>
> The best thing to do is to put the encrypted sip authentication 
> requirement in the contract with the vendor up front, which means you 
> have to be at the table when negotiating with them.  I think vendors 
> that use SIP2 are getting much better about supporting encryption in 
> general.  I think it is getting hard for them to say yes to "So you 
> don't want to protect our patrons private personal information and 
> allow us to comply with our state laws about patron privacy?"
>
> If you are going to self-host an Evergreen system and want notes on 
> how to set up stunnel, just let me know.  Otherwise, if you are looking 
> at a hosted solution then the hosting provider can provide those 
> assurances about stunnel being provided as an option.
> Josh
>
> On Tue, Jan 5, 2021 at 8:46 AM Rogan Hamby 
> <rhamby at equinoxinitiative.org> wrote:
>
>     I'll just note that I have set up several Envisionware instances to
>     use stunnel and encrypt the SIP2 communication back to Evergreen,
>     as Jason Boyer describes, with no issues.  It's transparent to the
>     clients, as you would expect.
>
>
>
>     On Tue, Jan 5, 2021 at 9:42 AM Jason Boyer
>     <jboyer at equinoxinitiative.org> wrote:
>
>         Hi Wendell, there isn’t really anything that can be done to
>         SIP2 to make it secure without making it not-SIP2. That said,
>         what can be done is to transfer it over an encrypted channel.
>         I know some Evergreen and Koha systems handle SIP2 this way
>         and I suspect TLC is doing the same. This tunneling can be
>         done with stunnel (an openssl TLS tunnel) or ssh port
>         redirection and most vendors are capable of dealing with one
>         or the other.
>
>         There’s nothing special needed in Evergreen to handle this;
>         you just need to set up SIPServer to listen on a local IP
>         rather than a public one and coordinate with the vendor on what
>         type of tunnel to use. I realize this is pretty non-specific,
>         but if you have any questions I or someone else on the list
>         should be able to help out.
>
>         Jason
>
>         -- 
>         Jason Boyer
>         Senior System Administrator
>         Equinox Open Library Initiative
>         phone:  +1 (877) Open-ILS (673-6457)
>         email:  JBoyer at EquinoxInitiative.org
>         web: https://EquinoxInitiative.org/
>
>>         On Jan 5, 2021, at 9:05 AM, Gragg, Wendell E
>>         <WGragg at bryantx.gov> wrote:
>>
>>         Hi all.  I haven’t posted in a while, but we are still in the
>>         process of evaluating ILS systems, and our city IT department
>>         is balking at one thing: SIP2 being plain text.  Apparently
>>         one vendor, TLC, claims they have an encryption solution for
>>         SIP2, but I question whether it actually works or not, and
>>         TLC is another proprietary system, which we are trying to avoid.
>>         I have been trying to research SIP2 a bit more and am not
>>         finding a lot of information about security issues with it.
>>         I’m also trying to find out if anyone in the Evergreen
>>         community has worked with encrypting SIP2 messages, at least
>>         sensitive information like passwords and user barcodes.
>>         Is this even possible in Evergreen and has it caused any
>>         problems with outside vendors like OCLC or Envisionware?
>>         I would like to find this out because I fear that our city IT
>>         is going to force us into an ILS we really don’t want.
>>         Thanks,
>>         Wendell
>>         Wendell Gragg, MSIS
>>         Automation Services Supervisor
>>         Bryan+College Station Public Library System
>>         Bryan, TX
>>         979-209-5613
>>         _______________________________________________
>>         Evergreen-general mailing list
>>         Evergreen-general at list.evergreen-ils.org
>>         http://list.evergreen-ils.org/cgi-bin/mailman/listinfo/evergreen-general
>
>
>
>
>
> -- 
> Josh Stompro - IT Director
> Lake Agassiz Regional Library
> Desk: 218-233-3757 Ext 139
> Cell: 218-790-2110
>
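The stunnel arrangement the thread describes, written out as an added example (it is not from this thread, from the Evergreen project, or from the mcoia proxy linked above). It assumes SIPServer has already been bound to 127.0.0.1:6001 (6001 is the port Evergreen's SIP documentation uses; the loopback bind is the "listen to a local IP" step Jason mentions), and it uses a made-up public TLS port (6443), hostname (evergreen.example.org) and certificate paths. The two halves live in separate stunnel.conf files on separate machines; they are shown together only for readability.

```ini
; ===== Evergreen host: stunnel in server mode =====
; SIPServer is configured elsewhere to listen only on 127.0.0.1:6001,
; so the only network path to SIP2 is through this TLS listener.
; Port 6443, the hostname and all file paths are assumptions for this example.
pid    = /var/run/stunnel-sip2.pid
setuid = stunnel4          ; unprivileged user the Debian/Ubuntu package creates
setgid = stunnel4
sslVersionMin = TLSv1.2    ; refuse legacy SSL/TLS versions

[sip2-server]
accept  = 0.0.0.0:6443                              ; vendors connect here over TLS
connect = 127.0.0.1:6001                            ; plaintext SIP2 stays on loopback
cert    = /etc/stunnel/evergreen.example.org.pem    ; server certificate chain
key     = /etc/stunnel/evergreen.example.org.key
; Optional mutual TLS: only accept vendors presenting a certificate issued
; by this CA. Without it, restrict port 6443 to vendor IPs at the firewall.
; CAfile      = /etc/stunnel/vendor-ca.pem
; verifyChain = yes

; ===== Vendor / self-check machine: stunnel in client mode =====
; The SIP2 client (Envisionware, a kiosk, etc.) is pointed at 127.0.0.1:6001
; and never sees the TLS layer, which is why it is transparent to them.
[sip2-client]
client  = yes
accept  = 127.0.0.1:6001                            ; local plaintext endpoint for the SIP2 client
connect = evergreen.example.org:6443                ; TLS to the Evergreen host
CAfile  = /etc/ssl/certs/ca-certificates.crt        ; trust store used to validate the server
verifyChain = yes                                   ; reject unknown or self-signed servers
checkHost   = evergreen.example.org                 ; and reject a valid cert for the wrong name
```

Two checks worth running after deploying this: on the Evergreen host, `ss -ltn` should show 6001 bound only to 127.0.0.1 and 6443 bound to the public address, and a plain `nc evergreen.example.org 6001` from outside should be refused by the firewall. If `verifyChain` is left off on the client side, stunnel will happily complete a TLS handshake with any certificate, which defeats the point of the tunnel against an on-path attacker.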


