[Icecast-dev] Proposed openSSL usage improvements
"Thomas B. Rücker"
thomas at ruecker.fi
Sun Nov 2 09:56:57 PST 2014
Prompted by the fact that addressing some of the recent SSL problems
actually would benefit from also changing things on how OpenSSL is used
(not just updating the library), I started looking into some improvements.
The tracking ticket is:
To sum it up:
- hard disable SSLv3
- hard disable compression
- new default cipher list
- enable forward secrecy
This should basically address anything that can be done to further
alleviate recent attacks. If you know of something else, please let us know.
As this is security relevant code, I'd like to solicit more eyes on the
Side note: I haven't verified it, but I suspect that with the patches
applied Icecast will no longer build against OpenSSL 0.9.x. I personally
find this acceptable, that version is pretty much on its way out and
e.g. in the Debian context only available in old-stable aka Squeeze.
This will largely be part of the 2.4.1 release that we're currently
preparing. (PFS might not make it)
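As an added illustration (not part of the proposed patches or of Icecast's own code): the four changes listed above expressed with Python's ssl module, whose options map directly onto the OpenSSL SSL_CTX options the patches touch, plus a small audit function a reviewer can run against a context. The cipher string and the curve name are assumptions made for this example, not the list proposed for Icecast.

```python
import ssl

# Constructed cipher string for this example (not the list proposed for Icecast):
# only ECDHE/DHE key exchange (forward secrecy), AEAD suites first, and
# anonymous, NULL, MD5 and RC4 suites rejected outright.
HARDENED_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!MD5:!RC4"


def make_hardened_context() -> ssl.SSLContext:
    """Server context with the four changes from the message applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # 1. hard disable SSLv3 (SSL_OP_NO_SSLv3); recent Python/OpenSSL builds
    #    already set this by default, setting it again keeps the intent explicit
    ctx.options |= ssl.OP_NO_SSLv3
    # 2. hard disable TLS compression (SSL_OP_NO_COMPRESSION)
    ctx.options |= ssl.OP_NO_COMPRESSION
    # 3. new default cipher list (SSL_CTX_set_cipher_list)
    ctx.set_ciphers(HARDENED_CIPHERS)
    # 4. forward secrecy: give the ECDHE suites a curve (SSL_CTX_set_tmp_ecdh);
    #    prime256v1 is an assumed choice for this example
    if ssl.HAS_ECDH:
        ctx.set_ecdh_curve("prime256v1")
    return ctx


def is_forward_secret(cipher_name: str) -> bool:
    """True for suites with ephemeral key exchange. TLS 1.3 suites (TLS_...)
    always use ephemeral (EC)DHE, so they count as forward secret too."""
    return cipher_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means all four changes hold."""
    issues = []
    if not ctx.options & ssl.OP_NO_SSLv3:
        issues.append("SSLv3 not disabled")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        issues.append("TLS compression not disabled")
    for cipher in ctx.get_ciphers():
        if not is_forward_secret(cipher["name"]):
            issues.append("no forward secrecy: " + cipher["name"])
    return issues


if __name__ == "__main__":
    for finding in audit_context(make_hardened_context()) or ["OK: hardened"]:
        print(finding)
```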