[xiph-commits] r18127 - icecast/trunk/icecast/src

dm8tbr at svn.xiph.org dm8tbr at svn.xiph.org
Fri Nov 25 14:12:11 PST 2011


Author: dm8tbr
Date: 2011-11-25 14:12:11 -0800 (Fri, 25 Nov 2011)
New Revision: 18127

Modified:
   icecast/trunk/icecast/src/cfgfile.c
   icecast/trunk/icecast/src/cfgfile.h
   icecast/trunk/icecast/src/connection.c
Log:
Applied justdave's patches, fixing #1717 and #1718.
HTTPS now has better security and supports chained
certificates


Modified: icecast/trunk/icecast/src/cfgfile.c
===================================================================
--- icecast/trunk/icecast/src/cfgfile.c	2011-11-25 22:00:36 UTC (rev 18126)
+++ icecast/trunk/icecast/src/cfgfile.c	2011-11-25 22:12:11 UTC (rev 18127)
@@ -10,6 +10,7 @@
  *                      and others (see AUTHORS for details).
  * Copyright 2011,      Philipp "ph3-der-loewe" Schafft <lion at lion.leolix.org>,
  *                      Thomas B. "dm8tbr" Ruecker <thomas.rucker at tieto.com>.
+ *                      Dave 'justdave' Miller <justdave at mozilla.com>,
  */
 
 #ifdef HAVE_CONFIG_H
@@ -55,6 +56,7 @@
 #define CONFIG_DEFAULT_GROUP NULL
 #define CONFIG_MASTER_UPDATE_INTERVAL 120
 #define CONFIG_YP_URL_TIMEOUT 10
+#define CONFIG_DEFAULT_CIPHER_LIST "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
 
 #ifndef _WIN32
 #define CONFIG_DEFAULT_BASE_DIR "/usr/local/icecast"
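Review bot: The default cipher string added at CONFIG_DEFAULT_CIPHER_LIST carries no comment, and its ordering is not self-explanatory: `RC4+RSA` is placed ahead of `+HIGH:+MEDIUM`, so RC4 suites are preferred over stronger ones whenever the client offers them. That is a deliberate preference that a future maintainer will have to revisit, so the reason should be recorded next to the define rather than left to be guessed; presumably it was chosen for compatibility or to avoid CBC-mode suites on TLS 1.0, but the commit message does not say. I would add a comment above the define along the lines of `/* OpenSSL cipher-list string used when <ssl-allowed-ciphers> is absent; RC4 is deliberately preferred over HIGH/MEDIUM CBC suites - state why here and revisit when that reason no longer applies. */`, with the actual rationale filled in.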
@@ -191,6 +193,7 @@
     if (c->webroot_dir) xmlFree(c->webroot_dir);
     if (c->adminroot_dir) xmlFree(c->adminroot_dir);
     if (c->cert_file) xmlFree(c->cert_file);
+    if (c->cipher_list) xmlFree(c->cipher_list);
     if (c->pidfile)
         xmlFree(c->pidfile);
     if (c->banfile) xmlFree(c->banfile);
@@ -364,6 +367,7 @@
     configuration->master_password = NULL;
     configuration->base_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_BASE_DIR);
     configuration->log_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_LOG_DIR);
+    configuration->cipher_list = (char *)xmlCharStrdup (CONFIG_DEFAULT_CIPHER_LIST);
     configuration->webroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_WEBROOT_DIR);
     configuration->adminroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_ADMINROOT_DIR);
     configuration->playlist_log = (char *)xmlCharStrdup (CONFIG_DEFAULT_PLAYLIST_LOG);
@@ -960,6 +964,9 @@
         } else if (xmlStrcmp (node->name, XMLSTR("ssl-certificate")) == 0) {
             if (configuration->cert_file) xmlFree(configuration->cert_file);
             configuration->cert_file = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
+        } else if (xmlStrcmp (node->name, XMLSTR("ssl-allowed-ciphers")) == 0) {
+            if (configuration->cipher_list) xmlFree(configuration->cipher_list);
+            configuration->cipher_list = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
         } else if (xmlStrcmp (node->name, XMLSTR("webroot")) == 0) {
             if (configuration->webroot_dir) xmlFree(configuration->webroot_dir);
             configuration->webroot_dir = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
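Review bot: The new `ssl-allowed-ciphers` branch stores the result of xmlNodeListGetString directly, so an empty `<ssl-allowed-ciphers/>` element frees the default and leaves configuration->cipher_list NULL, whereas omitting the element keeps CONFIG_DEFAULT_CIPHER_LIST. The only consumer, get_ssl_certificate in connection.c, checks cert_file against NULL before using it but passes cipher_list straight to SSL_CTX_set_cipher_list and to a `%s` in WARN1/INFO1, so the empty-element case should be handled here, e.g. by falling back to the default: `if (configuration->cipher_list == NULL) configuration->cipher_list = (char *)xmlCharStrdup (CONFIG_DEFAULT_CIPHER_LIST);` right after the assignment. The same unchecked-NULL pattern already exists for cert_file, but that one is guarded at the point of use. The enclosing parsing function starts and ends outside this hunk.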

Modified: icecast/trunk/icecast/src/cfgfile.h
===================================================================
--- icecast/trunk/icecast/src/cfgfile.h	2011-11-25 22:00:36 UTC (rev 18126)
+++ icecast/trunk/icecast/src/cfgfile.h	2011-11-25 22:12:11 UTC (rev 18127)
@@ -8,6 +8,7 @@
  *                      oddsock <oddsock at xiph.org>,
  *                      Karl Heyes <karl at xiph.org>
  *                      and others (see AUTHORS for details).
+ * Copyright 2011,      Dave 'justdave' Miller <justdave at mozilla.com>,
  */
 
 #ifndef __CFGFILE_H__
@@ -161,6 +162,7 @@
     char *banfile;
     char *allowfile;
     char *cert_file;
+    char *cipher_list;
     char *webroot_dir;
     char *adminroot_dir;
     aliases *aliases;
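Review bot: The new `cipher_list` member is added without a comment, and unlike the neighbouring path fields its value has a specific external format (an OpenSSL cipher-list string) and a non-obvious ownership rule (xmlFree'd in config_clear, replaced on parse). A one-line comment would save the next reader a trip through cfgfile.c and connection.c: `char *cipher_list;   /* OpenSSL cipher-list string from <ssl-allowed-ciphers>; xmlFree'd on clear */`.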

Modified: icecast/trunk/icecast/src/connection.c
===================================================================
--- icecast/trunk/icecast/src/connection.c	2011-11-25 22:00:36 UTC (rev 18126)
+++ icecast/trunk/icecast/src/connection.c	2011-11-25 22:12:11 UTC (rev 18127)
@@ -9,6 +9,7 @@
  *                      Karl Heyes <karl at xiph.org>
  *                      and others (see AUTHORS for details).
  * Copyright 2011,      Philipp "ph3-der-loewe" Schafft <lion at lion.leolix.org>
+ *                      Dave 'justdave' Miller <justdave at mozilla.com>,
  */
 
 /* -*- c-basic-offset: 4; indent-tabs-mode: nil; -*- */
@@ -194,6 +195,7 @@
 static void get_ssl_certificate (ice_config_t *config)
 {
     SSL_METHOD *method;
+    long ssl_opts;
     ssl_ok = 0;
 
     SSL_load_error_strings();                /* readable error messages */
@@ -201,12 +203,14 @@
 
     method = SSLv23_server_method();
     ssl_ctx = SSL_CTX_new (method);
+    ssl_opts = SSL_CTX_get_options (ssl_ctx);
+    SSL_CTX_set_options (ssl_ctx, ssl_opts|SSL_OP_NO_SSLv2);
 
     do
     {
         if (config->cert_file == NULL)
             break;
-        if (SSL_CTX_use_certificate_file (ssl_ctx, config->cert_file, SSL_FILETYPE_PEM) <= 0)
+        if (SSL_CTX_use_certificate_chain_file (ssl_ctx, config->cert_file) <= 0)
         {
             WARN1 ("Invalid cert file %s", config->cert_file);
             break;
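Review bot: SSL_CTX_get_options is called on ssl_ctx immediately after SSL_CTX_new without checking for a NULL result, so a failed context creation now dereferences NULL before the `do` loop is reached, whereas previously the first use of ssl_ctx was inside the loop. A minimal guard is `if (ssl_ctx == NULL) { WARN1 ("SSL_CTX_new failed for %s", config->cert_file ? config->cert_file : "(no cert)"); return; }` placed before the option calls, or alternatively moving the two option lines inside the loop behind such a check so the trailing INFO0 message is still reached. Separately, SSL_CTX_set_options ORs the given bits into the options already set on the context, so reading them back with SSL_CTX_get_options first is redundant and `SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2);` is sufficient, which also removes the need for the ssl_opts local introduced in the previous hunk. get_ssl_certificate starts and ends outside this hunk.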
@@ -221,8 +225,13 @@
             ERROR1 ("Invalid %s - Private key does not match cert public key", config->cert_file);
             break;
         }
+        if (SSL_CTX_set_cipher_list(ssl_ctx, config->cipher_list) <= 0) 
+        { 
+            WARN1 ("Invalid cipher list: %s", config->cipher_list); 
+        } 
         ssl_ok = 1;
         INFO1 ("SSL certificate found at %s", config->cert_file);
+        INFO1 ("SSL using ciphers %s", config->cipher_list); 
         return;
     } while (0);
     INFO0 ("No SSL capability on any configured ports");
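Review bot: A rejected cipher list only produces a WARN1 and the function then continues to set ssl_ok = 1 and to log `SSL using ciphers %s` with the very string that was not applied, so the log claims a policy that is not in effect while OpenSSL keeps whatever list the context had before. This is inconsistent with the two checks just above, where an invalid certificate or key both `break` out and disable SSL; the cipher-list failure should get the same treatment, i.e. `break;` after the WARN1, or at minimum the INFO1 should say that the built-in default list remains active. The new lines also carry trailing whitespace (the `if`, its braces, the WARN1 and the second INFO1), which the file otherwise avoids. get_ssl_certificate starts outside this hunk.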


