Commit f57110d7 authored by Thomas B. Rücker's avatar Thomas B. Rücker 😊

Applied justdave's patches, fixing #1717 and #1718.

HTTPS now with better security and support for chained
certificates

svn path=/icecast/trunk/icecast/; revision=18127
parent d66c5398
......@@ -10,6 +10,7 @@
* and others (see AUTHORS for details).
* Copyright 2011, Philipp "ph3-der-loewe" Schafft <lion@lion.leolix.org>,
* Thomas B. "dm8tbr" Ruecker <thomas.rucker@tieto.com>.
* Dave 'justdave' Miller <justdave@mozilla.com>,
*/
#ifdef HAVE_CONFIG_H
......@@ -55,6 +56,7 @@
#define CONFIG_DEFAULT_GROUP NULL
#define CONFIG_MASTER_UPDATE_INTERVAL 120
#define CONFIG_YP_URL_TIMEOUT 10
#define CONFIG_DEFAULT_CIPHER_LIST "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
#ifndef _WIN32
#define CONFIG_DEFAULT_BASE_DIR "/usr/local/icecast"
......@@ -191,6 +193,7 @@ void config_clear(ice_config_t *c)
if (c->webroot_dir) xmlFree(c->webroot_dir);
if (c->adminroot_dir) xmlFree(c->adminroot_dir);
if (c->cert_file) xmlFree(c->cert_file);
if (c->cipher_list) xmlFree(c->cipher_list);
if (c->pidfile)
xmlFree(c->pidfile);
if (c->banfile) xmlFree(c->banfile);
......@@ -364,6 +367,7 @@ static void _set_defaults(ice_config_t *configuration)
configuration->master_password = NULL;
configuration->base_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_BASE_DIR);
configuration->log_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_LOG_DIR);
configuration->cipher_list = (char *)xmlCharStrdup (CONFIG_DEFAULT_CIPHER_LIST);
configuration->webroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_WEBROOT_DIR);
configuration->adminroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_ADMINROOT_DIR);
configuration->playlist_log = (char *)xmlCharStrdup (CONFIG_DEFAULT_PLAYLIST_LOG);
......@@ -960,6 +964,9 @@ static void _parse_paths(xmlDocPtr doc, xmlNodePtr node,
} else if (xmlStrcmp (node->name, XMLSTR("ssl-certificate")) == 0) {
if (configuration->cert_file) xmlFree(configuration->cert_file);
configuration->cert_file = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
} else if (xmlStrcmp (node->name, XMLSTR("ssl-allowed-ciphers")) == 0) {
if (configuration->cipher_list) xmlFree(configuration->cipher_list);
configuration->cipher_list = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
} else if (xmlStrcmp (node->name, XMLSTR("webroot")) == 0) {
if (configuration->webroot_dir) xmlFree(configuration->webroot_dir);
configuration->webroot_dir = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
......
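Review bot: An empty `<ssl-allowed-ciphers/>` element makes xmlNodeListGetString return NULL in the _parse_paths hunk (as far as I can tell from libxml2's behaviour), so that branch frees the default installed by _set_defaults and leaves cipher_list NULL, which later reaches SSL_CTX_set_cipher_list and the `%s` log calls in connection.c. Restoring the default in that case keeps the invariant that cipher_list is always a string: `if (configuration->cipher_list == NULL) configuration->cipher_list = (char *)xmlCharStrdup (CONFIG_DEFAULT_CIPHER_LIST);`. The default string itself still admits RC4 and MEDIUM-strength suites (`RC4+RSA`, `+MEDIUM`); a comment on the CONFIG_DEFAULT_CIPHER_LIST define saying that it is deliberately permissive and that deployments should override it via `<ssl-allowed-ciphers>` would help operators, and a HIGH-only default is worth considering. _parse_paths starts and ends outside the hunk.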
......@@ -8,6 +8,7 @@
* oddsock <oddsock@xiph.org>,
* Karl Heyes <karl@xiph.org>
* and others (see AUTHORS for details).
* Copyright 2011, Dave 'justdave' Miller <justdave@mozilla.com>,
*/
#ifndef __CFGFILE_H__
......@@ -161,6 +162,7 @@ typedef struct ice_config_tag
char *banfile;
char *allowfile;
char *cert_file;
char *cipher_list;
char *webroot_dir;
char *adminroot_dir;
aliases *aliases;
......
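Review bot: The new `cipher_list` member of ice_config_tag has no comment saying what it holds or who owns it, although cfgfile.c both strdup's a default into it and frees it in config_clear. I would annotate it as `char *cipher_list; /* OpenSSL cipher-list string from <ssl-allowed-ciphers>; owned by the config, freed in config_clear */`. The struct definition continues outside the hunk.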
......@@ -9,6 +9,7 @@
* Karl Heyes <karl@xiph.org>
* and others (see AUTHORS for details).
* Copyright 2011, Philipp "ph3-der-loewe" Schafft <lion@lion.leolix.org>
* Dave 'justdave' Miller <justdave@mozilla.com>,
*/
/* -*- c-basic-offset: 4; indent-tabs-mode: nil; -*- */
......@@ -194,6 +195,7 @@ static unsigned long _next_connection_id(void)
static void get_ssl_certificate (ice_config_t *config)
{
SSL_METHOD *method;
long ssl_opts;
ssl_ok = 0;
SSL_load_error_strings(); /* readable error messages */
......@@ -201,12 +203,14 @@ static void get_ssl_certificate (ice_config_t *config)
method = SSLv23_server_method();
ssl_ctx = SSL_CTX_new (method);
ssl_opts = SSL_CTX_get_options (ssl_ctx);
SSL_CTX_set_options (ssl_ctx, ssl_opts|SSL_OP_NO_SSLv2);
do
{
if (config->cert_file == NULL)
break;
if (SSL_CTX_use_certificate_file (ssl_ctx, config->cert_file, SSL_FILETYPE_PEM) <= 0)
if (SSL_CTX_use_certificate_chain_file (ssl_ctx, config->cert_file) <= 0)
{
WARN1 ("Invalid cert file %s", config->cert_file);
break;
......@@ -221,8 +225,13 @@ static void get_ssl_certificate (ice_config_t *config)
ERROR1 ("Invalid %s - Private key does not match cert public key", config->cert_file);
break;
}
if (SSL_CTX_set_cipher_list(ssl_ctx, config->cipher_list) <= 0)
{
WARN1 ("Invalid cipher list: %s", config->cipher_list);
}
ssl_ok = 1;
INFO1 ("SSL certificate found at %s", config->cert_file);
INFO1 ("SSL using ciphers %s", config->cipher_list);
return;
} while (0);
INFO0 ("No SSL capability on any configured ports");
......
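Review bot: A rejected cipher list at the `SSL_CTX_set_cipher_list` check in get_ssl_certificate only logs a warning, after which the code still sets `ssl_ok = 1` and logs "SSL using ciphers" with the very string that was rejected, so a typo in `<ssl-allowed-ciphers>` leaves the context on whatever cipher list it held before and HTTPS comes up with an unintended cipher set; adding `break;` after the WARN1 fails closed in the same way as the certificate and key checks above it. In the earlier hunk, the new `SSL_CTX_get_options`/`SSL_CTX_set_options` pair runs before anything checks that `SSL_CTX_new` succeeded, so a NULL ssl_ctx is dereferenced even when no certificate is configured; `if (ssl_ctx == NULL) return;` (after a log line) placed before the option calls guards it. That same line disables only SSLv2 via `SSL_OP_NO_SSLv2`, so SSLv3 stays enabled; `SSL_OP_NO_SSLv3` can be OR'ed into the same call if the project wants to drop it. get_ssl_certificate's body continues outside the last hunk.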