[Icecast-dev] fix for unsafe ssl options

Dave Miller justdave at mozilla.com
Fri Aug 6 16:00:19 PDT 2010

Thomas B. Ruecker wrote on 8/6/10 4:43 PM:
> Hi Niv,
> Thanks for your comments. I'm CC'ing the patch author.
> On Wed, Aug 04, 2010 at 05:37:44PM +0200, Niv Sardi wrote:
>> Do we really need that many ?
>> http://www.google.com/codesearch/p?hl=en#5KTrgOW2hXs/pub/nslu2/sources/vsftpd-2.0.4.tar.gz%7CXknrlk4c3C4/vsftpd-2.0.4/ssl.c&q=SSL_CTX_set_cipher_list
>> vsftpd seems to only be including "DES-CBC3-SHA"
>> http://www.google.com/codesearch?q=tunable_ssl_ciphers&exact_package=http://ftp.osuosl.org/pub/nslu2/sources/vsftpd-2.0.4.tar.gz&hl=en
>> That appart (and I'm no OpenSSL savvy), the patch looks good.
> I have to admit that I haven't even looked at the patch while forwarding the information, but I'm willing to trust justdave here as he most likely looked at what Mozilla products do and why they do it. ;-)

The list of ciphers included is the ones it will allow to work, not 
necessarily what it'll try to use.  The client and the server will 
negotiate on which one they want to use.  The list I put in as the 
default is the one recommended as "best practice" for Apache by a couple 
penetration-testing companies we've used.  It's a more-restrictive list 
than the one you get by default if you don't ask for a specific set, but 
it's large enough to allow good compatibility without allowing any 
broken or weak codecs.  But this is also the reason I made it an 
optional config option, so you can override it with a different list if 
you want fewer (like only the really high grade encryption), or want 
more and don't care about being hacked or whatever. :)

Dave Miller                                   http://www.justdave.net/
System Administrator, Mozilla Corporation      http://www.mozilla.com/
Project Leader, Bugzilla Bug Tracking System  http://www.bugzilla.org/

More information about the Icecast-dev mailing list