Applied justdave's patches, fixing #1717 and #1718.

HTTPS now with better security and support for chained certificates svn path=/icecast/trunk/icecast/; revision=18127

Applied justdave's patches, fixing #1717 and #1718.
HTTPS now with better security and support for chained certificates svn path=/icecast/trunk/icecast/; revision=18127
f57110d7 · Thomas B. Rücker · d66c5398 · f57110d7 · f57110d7 · f57110d7
Commit f57110d7 authored Nov 25, 2011 by Thomas B. Rücker 😊
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 1 deletion

src/cfgfile.c src/cfgfile.c +7 -0

src/cfgfile.h src/cfgfile.h +2 -0

src/connection.c src/connection.c +10 -1

No files found.
--- a/src/cfgfile.c
+++ b/src/cfgfile.c
@@ -10,6 +10,7 @@
 *                      and others (see AUTHORS for details).
 * Copyright 2011,      Philipp "ph3-der-loewe" Schafft <lion@lion.leolix.org>,
 *                      Thomas B. "dm8tbr" Ruecker <thomas.rucker@tieto.com>.
+ *                      Dave 'justdave' Miller <justdave@mozilla.com>,
 */

 #ifdef HAVE_CONFIG_H
@@ -55,6 +56,7 @@
 #define CONFIG_DEFAULT_GROUP NULL
 #define CONFIG_MASTER_UPDATE_INTERVAL 120
 #define CONFIG_YP_URL_TIMEOUT 10
+#define CONFIG_DEFAULT_CIPHER_LIST "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

 #ifndef _WIN32
 #define CONFIG_DEFAULT_BASE_DIR "/usr/local/icecast"
@@ -191,6 +193,7 @@ void config_clear(ice_config_t *c)
    if (c->webroot_dir) xmlFree(c->webroot_dir);
    if (c->adminroot_dir) xmlFree(c->adminroot_dir);
    if (c->cert_file) xmlFree(c->cert_file);
+    if (c->cipher_list) xmlFree(c->cipher_list);
    if (c->pidfile)
        xmlFree(c->pidfile);
    if (c->banfile) xmlFree(c->banfile);
@@ -364,6 +367,7 @@ static void _set_defaults(ice_config_t *configuration)
    configuration->master_password = NULL;
    configuration->base_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_BASE_DIR);
    configuration->log_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_LOG_DIR);
+    configuration->cipher_list = (char *)xmlCharStrdup (CONFIG_DEFAULT_CIPHER_LIST);
    configuration->webroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_WEBROOT_DIR);
    configuration->adminroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_ADMINROOT_DIR);
    configuration->playlist_log = (char *)xmlCharStrdup (CONFIG_DEFAULT_PLAYLIST_LOG);
@@ -960,6 +964,9 @@ static void _parse_paths(xmlDocPtr doc, xmlNodePtr node,
        } else if (xmlStrcmp (node->name, XMLSTR("ssl-certificate")) == 0) {
            if (configuration->cert_file) xmlFree(configuration->cert_file);
            configuration->cert_file = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
+        } else if (xmlStrcmp (node->name, XMLSTR("ssl-allowed-ciphers")) == 0) {
+            if (configuration->cipher_list) xmlFree(configuration->cipher_list);
+            configuration->cipher_list = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
        } else if (xmlStrcmp (node->name, XMLSTR("webroot")) == 0) {
            if (configuration->webroot_dir) xmlFree(configuration->webroot_dir);
            configuration->webroot_dir = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);

--- a/src/cfgfile.h
+++ b/src/cfgfile.h
@@ -8,6 +8,7 @@
 *                      oddsock <oddsock@xiph.org>,
 *                      Karl Heyes <karl@xiph.org>
 *                      and others (see AUTHORS for details).
+ * Copyright 2011,      Dave 'justdave' Miller <justdave@mozilla.com>,
 */

 #ifndef __CFGFILE_H__
@@ -161,6 +162,7 @@ typedef struct ice_config_tag
    char *banfile;
    char *allowfile;
    char *cert_file;
+    char *cipher_list;
    char *webroot_dir;
    char *adminroot_dir;
    aliases *aliases;

--- a/src/connection.c
+++ b/src/connection.c
@@ -9,6 +9,7 @@
 *                      Karl Heyes <karl@xiph.org>
 *                      and others (see AUTHORS for details).
 * Copyright 2011,      Philipp "ph3-der-loewe" Schafft <lion@lion.leolix.org>
+ *                      Dave 'justdave' Miller <justdave@mozilla.com>,
 */

 /* -*- c-basic-offset: 4; indent-tabs-mode: nil; -*- */
@@ -194,6 +195,7 @@ static unsigned long _next_connection_id(void)
 static void get_ssl_certificate (ice_config_t *config)
 {
    SSL_METHOD *method;
+    long ssl_opts;
    ssl_ok = 0;

    SSL_load_error_strings();                /* readable error messages */
@@ -201,12 +203,14 @@ static void get_ssl_certificate (ice_config_t *config)

    method = SSLv23_server_method();
    ssl_ctx = SSL_CTX_new (method);
+    ssl_opts = SSL_CTX_get_options (ssl_ctx);
+    SSL_CTX_set_options (ssl_ctx, ssl_opts|SSL_OP_NO_SSLv2);

    do
    {
        if (config->cert_file == NULL)
            break;
-        if (SSL_CTX_use_certificate_file (ssl_ctx, config->cert_file, SSL_FILETYPE_PEM) <= 0)
+        if (SSL_CTX_use_certificate_chain_file (ssl_ctx, config->cert_file) <= 0)
        {
            WARN1 ("Invalid cert file %s", config->cert_file);
            break;
@@ -221,8 +225,13 @@ static void get_ssl_certificate (ice_config_t *config)
            ERROR1 ("Invalid %s - Private key does not match cert public key", config->cert_file);
            break;
        }
+        if (SSL_CTX_set_cipher_list(ssl_ctx, config->cipher_list) <= 0) 
+        { 
+            WARN1 ("Invalid cipher list: %s", config->cipher_list); 
+        } 
        ssl_ok = 1;
        INFO1 ("SSL certificate found at %s", config->cert_file);
+        INFO1 ("SSL using ciphers %s", config->cipher_list); 
        return;
    } while (0);
    INFO0 ("No SSL capability on any configured ports");