[Icecast-dev] Proposed OpenSSL usage improvements

"Thomas B. Rücker" thomas at ruecker.fi
Sun Nov 9 03:37:36 PST 2014


On 11/02/2014 05:56 PM, "Thomas B. Rücker" wrote:
> Hi everyone,
>
> Prompted by the fact that addressing some of the recent SSL problems
> actually would benefit from also changing things on how OpenSSL is used
> (not just updating the library), I started looking into some improvements.
>
> The tracking ticket is:
> https://trac.xiph.org/ticket/2070
>
> To sum it up:
>  - hard disable SSLv3
>  - hard disable compression

Landed, ready to be released in 2.4.1.


>  - new default cipher list

Went with
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
in the end.

Previously planned using this:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/#fnref2

Testing against Qualys gives me identical results for both.
We might upgrade to the "Modern" Mozilla string in the future, but as of
now that completely breaks our HTTPS functionality. I suspect because
we don't properly support all elliptic curve ciphers yet, which is on
our to-do list though.

Thanks to Basil Mohamed Gohar for pointing me towards the Mozilla cipher
lists.


Cheers

Thomas

PS: 2.4.1 is fix/feature complete and we're now working on documentation
and testing. Release should happen within days.
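The three changes above (no SSLv3, no compression, a curated cipher list) are, in OpenSSL's C API, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION) and SSL_CTX_set_cipher_list(ctx, "..."). The following is an added example, not Icecast code and not from this thread, that does the same through Python's ssl module, which hands these settings straight to OpenSSL, and then checks the result the way you would before shipping a new default. The cipher string is a shortened stand-in written in the spirit of the Mozilla "Intermediate" list, not the exact string from the wiki page; the WEAK_MARKERS list and all function names are my own.

```python
"""Hardened OpenSSL server settings via Python's ssl module.

Added example (not Icecast code). Mirrors SSL_CTX_set_options() with
SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION and SSL_CTX_set_cipher_list().
"""
import ssl

# Assumption: an illustrative, shortened cipher string in the spirit of the
# Mozilla "Intermediate" list, NOT the exact string from the Mozilla wiki.
# Order of preference: ECDHE AES-GCM, DHE AES-GCM, ECDHE/DHE AES-CBC, then
# plain RSA AES for old clients. Anonymous, NULL, export, single DES, RC4,
# MD5 and PSK suites are removed outright.
INTERMEDIATE_LIKE_CIPHERS = (
    "ECDHE+AESGCM:DHE+AESGCM:"
    "ECDHE+AES256:ECDHE+AES128:DHE+AES256:DHE+AES128:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:"
    "AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
)

# Assumption: substrings that must never appear in an enabled cipher's name
# (anonymous DH/ECDH, NULL encryption, export grade, RC4, MD5, PSK, single DES).
WEAK_MARKERS = ("ADH", "AECDH", "NULL", "EXP", "RC4", "MD5", "PSK", "DES-CBC-")


def hardened_server_context() -> ssl.SSLContext:
    """Build a server-side context with the hard-disables applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # "Hard disable" means set unconditionally in code, not read from a
    # config file, so no deployment can turn them back on.
    ctx.options |= ssl.OP_NO_SSLv3        # SSLv3 is broken (POODLE, 2014)
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression leaks plaintext (CRIME)
    ctx.set_ciphers(INTERMEDIATE_LIKE_CIPHERS)
    return ctx


def sslv3_and_compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True if both protocol-level hard-disables are present on the context."""
    return bool(ctx.options & ssl.OP_NO_SSLv3) and bool(ctx.options & ssl.OP_NO_COMPRESSION)


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled ciphers that match a weak-algorithm marker.

    get_ciphers() reports what OpenSSL actually resolved the string to for
    this build, which is what matters; the expected result is an empty list.
    """
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in WEAK_MARKERS)
    ]


def cipher_string_is_usable(cipher_string: str) -> bool:
    """Check a candidate cipher string against the OpenSSL this process links.

    OpenSSL rejects a string that resolves to zero ciphers, and Python surfaces
    that as ssl.SSLError. Run this for a new default (e.g. the "Modern" list)
    before shipping it, because a build that lacks the required algorithms
    fails here rather than at the first client handshake.
    """
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        probe.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("SSLv3 and compression disabled:", sslv3_and_compression_disabled(ctx))
    print("weak ciphers still enabled:", weak_ciphers(ctx))
    print("enabled suites:", [c["name"] for c in ctx.get_ciphers()])
    print("'!ALL' usable:", cipher_string_is_usable("!ALL"))
```

The last function is the useful pre-flight for the "Modern" question above: a cipher string that the linked OpenSSL cannot satisfy is rejected at SSL_CTX_set_cipher_list time, so probing it at startup turns a silent "HTTPS stopped working" into a clear failure with the string's name in the error.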
