[Icecast] How to secure IceCast (Secure login page and disable SSL/TLS versions)

Walter York walteryork at hotmail.com
Tue Dec 27 20:22:02 UTC 2016


I have used the options successfully to enable secure streams with icecast.  This is so great because I don't have to lose the green lock on pages that have streams...  However after reviewing the security, I have the following questions.


1.  How do I require the login pop-up to be secure so I don't send creds unencrypted?  If the answer is to disable or use firewall to restrict http, will the players still be able to gather meta-data from status-json.xsl unencrypted?

2.  How do I restrict the site from using vulnerable protocols such as: SSL and TLS 1.0?

I have used the <ssl-allowed-ciphers> option to restrict ciphers but that does not positively restrict the protocol. Although restricting the list of ciphers can alter the availability of protocol, some of the newer ciphers are backwards compatible to non-secure protocols thus allowing selection to a more vulnerable protocol.


I absolutely love being able to use Icecast, which has proven reliable and stable.  If I can just flesh out these security concerns, it would make it all the better!
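
An added example, not part of the original message and not Icecast code: a Python check that expands an OpenSSL cipher string and lists the suites a pre-TLS 1.2 handshake could still use, which is the part of the protocol question that a cipher list does influence. The function names and sample cipher strings are assumptions made for the illustration; the protocol label is the version in which OpenSSL reports each suite was introduced.

```python
import ssl

# Protocol labels OpenSSL gives to suites that exist only in TLS 1.2 or later.
MODERN = {"TLSv1.2", "TLSv1.3"}


def suites_for(cipher_string):
    """Expand an OpenSSL cipher string to {suite name: protocol label}.

    The label is the protocol version in which the suite was introduced;
    the suite can be negotiated at that version and any later one.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def legacy_capable(cipher_string):
    """Return the suites in the list that a pre-TLS-1.2 handshake could use."""
    return sorted(
        name
        for name, proto in suites_for(cipher_string).items()
        if proto not in MODERN
    )


if __name__ == "__main__":
    # Constructed sample cipher strings, not taken from any real configuration.
    samples = [
        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA",
        "HIGH:!aNULL:!MD5",
    ]
    for s in samples:
        try:
            legacy = legacy_capable(s)
        except ssl.SSLError as exc:
            print(f"{s}: rejected by this OpenSSL build ({exc})")
            continue
        if legacy:
            print(f"{s}: {len(legacy)} suite(s) usable below TLS 1.2: {legacy}")
        else:
            print(f"{s}: only TLS 1.2+ suites; older protocols have no suite to use")
```

An empty result means an older-protocol handshake has no suite to agree on, but the protocol versions themselves are still offered; an explicit minimum version has to be set at the TLS layer, separately from the cipher list.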