From verten at xs4all.nl  Mon Jun  2 09:31:35 2025
From: verten at xs4all.nl (verten at xs4all.nl)
Date: Mon, 2 Jun 2025 09:31:35 +0000
Subject: [Icecast] icecast https stream and Sonos
In-Reply-To: <CAELR-fBM2-qy8+rn+DHzWJdsf+j0gcn1i45v_785-wF+0V7i3w@mail.gmail.com>
References: <d8600ae2-bb33-11ed-a8eb-005056998788@smtp.kpnmail.nl>
 <CAELR-fBM2-qy8+rn+DHzWJdsf+j0gcn1i45v_785-wF+0V7i3w@mail.gmail.com>
Message-ID: <PR3PR02MB638098A3B269434BFCC64E5AAA62A@PR3PR02MB6380.eurprd02.prod.outlook.com>

As of 24 april 2025 sonos deleted older cipher suites and since that date the stream dos not work through sonos any longer.

Testing vertenradio.nl through ssllabs shows no ecdhe chipers at all, most important the required TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is missing, which is loaded by icecast regarding the error log.

Also TLS 1.3 isn't available, not per se necessary but still......

Icecast 2.4.4 is installed on a windows 2018 server.

Any suggestions are welcome, thx in advance

Johan


________________________________
From: Icecast <icecast-bounces at xiph.org> on behalf of Brad Isbell <brad at audiopump.co>
Sent: Sunday, March 5, 2023 6:29 PM
To: Icecast streaming server user discussions <icecast at xiph.org>
Subject: Re: [Icecast] icecast https stream and Sonos

Johan, the Sonos information here is spot on.  You are missing the intermediate certs.

While your stream will work fine in common browsers where the certificates are already available, they won't necessarily work in other places.

Once you concatenate the right certificates in, DigiCert has an online tool you can use to check that you have it correct:  https://www.digicert.com/help/  If you were on port :443, you could also use https://www.ssllabs.com/ssltest/.
[https://audiopump.co/img/audiopump-logo-64px.png]      Brad Isbell // AudioPump, Inc.
brad at audiopump.co<mailto:brad at audiopump.co>


On Sun, Mar 5, 2023 at 2:58?AM Verten Radio <verten at xs4all.nl<mailto:verten at xs4all.nl>> wrote:

My icecast https stream (https://vertenradio.com:8443/stream) does not work on a Sonos ONE player.



It might have something to do with the ssl handshake.



From the developer page from sonos i found this:



Some common reasons for SSL handshake failures include:

  *   Expired certificate: Every certificate has a validity window before it expires. You need to present Sonos with unexpired certificates.
  *   DNS name mismatch: Your certificate must match the DNS name used in the Sonos service catalog. If the URL in the Sonos service catalog is https://stremingservice.example.com/svc, then your certificate must have a subjectAltName or a Common Name matching streamingservice.example.com<http://streamingservice.example.com>. Any mismatches will cause an outage. For example, this may occur if you introduce a Content Delivery Network (CDN) into your setup as this may affect the DNS names and certificates involved.
  *   Missing intermediate CA cert: Most certificate authorities do not issue individual server certificates directly from their root CA certificate. They often use an intermediate CA certificate. Usually, the chain looks like this:
Root CA certificate -> Intermediate CA certificate -> Your service?s SSL server certificate.
In these cases, you must configure your SSL server to send Sonos the intermediate CA certificate as well as your SSL server certificate. Without this, Sonos will not be able to validate the full chain and the validation may fail.

I don?t thinks this is the case, but what could it be?

Any answers?

Glad to hear it,

Regards,



Johan









Verzonden vanuit Mail<https://go.microsoft.com/fwlink/?LinkId=550986> voor Windows



_______________________________________________
Icecast mailing list
Icecast at xiph.org<mailto:Icecast at xiph.org>
http://lists.xiph.org/mailman/listinfo/icecast
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xiph.org/pipermail/icecast/attachments/20250602/2991bac2/attachment.htm>

From marko at jerak.si  Mon Jun  2 15:36:43 2025
From: marko at jerak.si (Marko Jerak)
Date: Mon, 2 Jun 2025 17:36:43 +0200
Subject: [Icecast] HTTPS stream shown as HTTP in directory listing
Message-ID: <413c7392-e532-4a05-8551-fd3dbeea8a10@jerak.si>

Hi all,

I'm running an Icecast server with HTTPS properly configured and 
working. Listeners can access the streams securely via |https://|, and 
my mountpoints also specify the correct |https://| URLs using the 
|<http-headers>| section.

However, the stream URL shown on my station?s page at dir.xiph.org 
<https://dir.xiph.org> still uses |http://| instead of |https://|, even 
though my server is only accessible via HTTPS. As a result, my stream 
appears in the YP listings, but users can't actually listen because the 
URL is incorrect.

I have set the |<url>| field in the Icecast config to use |https://|, 
but that doesn't seem to affect the URL that the YP directory receives.

Is there a workaround or planned fix for this? Is HTTPS YP support on 
the roadmap?

Thanks in advance for your help,

Marko
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xiph.org/pipermail/icecast/attachments/20250602/99d997e6/attachment.htm>