[Icecast-dev] Proposed openSSL usage improvements

"Thomas B. Rücker" thomas at ruecker.fi
Sun Nov 9 03:37:36 PST 2014

On 11/02/2014 05:56 PM, "Thomas B. Rücker" wrote:
> Hi everyone,
> Prompted by the fact that addressing some of the recent SSL problems
> actually would benefit from also changing things on how openSSL is used
> (not just updating the library), I started looking into some improvements.
> The tracking ticket is:
> https://trac.xiph.org/ticket/2070
> To sum it up:
>  - hard disable SSLv3
>  - hard disable compression

Landed ready to be released in 2.4.1.

>  - new default cipher list

Went with
in the end.

Previously planned using this:

Testing against Qualys gives me identical results for both.
We might upgrade to the "Modern" Mozilla string in the future, but as of
now that completely breaks our HTTPS functionality. I suspect this is
because we don't properly support all elliptic curve ciphers yet, which
is on our to-do list though.

Thanks to Basil Mohamed Gohar for pointing me towards the Mozilla cipher



PS: 2.4.1 is fix/feature complete and we're now working on documentation
and testing. Release should happen within days.
