[Icecast-dev] New TLS support in libshout

Philipp Schafft lion at lion.leolix.org
Fri Feb 6 03:30:59 PST 2015


flum,

I just merged my experimental TLS support into libshout master. I would
love to see some testing on this before the next release of libshout so we
can fix bugs that may still be in the code.

New TLS support requires OpenSSL to be enabled at compile time. It
supports both RFC2818 ('classical' mode with a TLS socket) and RFC2817
('Upgrade:' mode with just an HTTP socket and STARTTLS-like operation).

Using the new TLS support is easy:
There is an auto detection. So if you try to connect to a TLS-enabled
server by just setting hostname and port correctly, that will just work.
Also if you run up to date Icecast you can connect to a non-TLS port and
if TLS is enabled at the server the RFC2817 mode is used.
You can also manually select a mode by using shout_set_tls().
There is also shout_set_ca_directory() and shout_set_ca_certificate() to
pass CA certs to libshout. Defaults to default cert store
(e.g. /etc/ssl/).

In addition we added support to set a client certificate using
shout_set_client_certificate(). This may become more useful later as
there is currently no handling of this in Icecast (but there are plans
to add that).

To set a list of allowed ciphers we added shout_set_allowed_ciphers().
However libshout will be released with a sane default and normally there
is no need to. If you do you MUST expose this setting to the user as
otherwise you may harm security. If unsure ignore this function!

Please note that this is a request for testing. API and ABI may still
change slightly before release!

I would love to get some input and bug reports. I believe this is a huge
step forward for libshout (the internals we changed will
also help us to do other stuff that is on our TODO list).

Getting libshout: https://wiki.xiph.org/Icecast/Git_workflow
Ticket: https://trac.xiph.org/ticket/2152

-- 
Philipp.
 (Rah of PH2)
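
Added example, not part of the original message and not libshout code: a minimal C check for the RFC2817 'Upgrade:' mode mentioned above, which builds the client request and accepts the switch to TLS only on a complete 101 answer that names TLS/1.0. The request form follows RFC 2817; the function names and the sample responses are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Upgrade request sent on the plain HTTP socket (RFC 2817, section 3.2). */
int build_upgrade_request(char *buf, size_t len, const char *host) {
    int n = snprintf(buf, len, "OPTIONS * HTTP/1.1\r\nHost: %s\r\n"
                     "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n", host);
    return (n > 0 && (size_t)n < len) ? n : -1;   /* -1: buffer too small */
}

/* 1 if header `name` carries `token` in its comma-separated value. */
static int header_has_token(const char *resp, const char *name, const char *token) {
    size_t nlen = strlen(name), tlen = strlen(token);
    const char *line = strstr(resp, "\r\n");            /* end of status line */
    while (line && strncmp(line, "\r\n\r\n", 4) != 0) { /* stop at blank line */
        line += 2;
        const char *end = strstr(line, "\r\n");
        if (!end) break;
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *p = line + nlen + 1;
            while (p < end) {
                while (p < end && (*p == ' ' || *p == '\t' || *p == ',')) p++;
                const char *q = p;
                while (q < end && *q != ',' && *q != ' ' && *q != '\t') q++;
                if ((size_t)(q - p) == tlen && strncasecmp(p, token, tlen) == 0) return 1;
                p = q;
            }
        }
        line = end;
    }
    return 0;
}

/* 1 only for a complete 101 answer naming TLS/1.0; else the socket is still plain HTTP. */
int upgrade_accepted(const char *resp) {
    if (!strstr(resp, "\r\n\r\n")) return 0;            /* truncated headers */
    if (strncmp(resp, "HTTP/1.1 101 ", 13) != 0) return 0;
    return header_has_token(resp, "Upgrade", "TLS/1.0")
        && header_has_token(resp, "Connection", "Upgrade");
}

int main(void) { /* sample responses below are constructed, not captured */
    const char *ok = "HTTP/1.1 101 Switching Protocols\r\n"
                     "Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n";
    const char *plain = "HTTP/1.1 200 OK\r\nAllow: GET, SOURCE\r\n\r\n";
    printf("101 answer: %d, 200 answer: %d\n", upgrade_accepted(ok), upgrade_accepted(plain));
    return 0;
}
```

A client that requires TLS should treat a 0 from `upgrade_accepted()` as a failed connection rather than continuing on the plain socket.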