HTTPS now with better security and support for chained certificates svn path=/icecast/trunk/icecast/; revision=18127
parent
d66c53987c
commit
f57110d7e5
@ -10,6 +10,7 @@
|
||||
* and others (see AUTHORS for details).
|
||||
* Copyright 2011, Philipp "ph3-der-loewe" Schafft <lion@lion.leolix.org>,
|
||||
* Thomas B. "dm8tbr" Ruecker <thomas.rucker@tieto.com>.
|
||||
* Dave 'justdave' Miller <justdave@mozilla.com>,
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
@ -55,6 +56,7 @@
|
||||
#define CONFIG_DEFAULT_GROUP NULL
|
||||
#define CONFIG_MASTER_UPDATE_INTERVAL 120
|
||||
#define CONFIG_YP_URL_TIMEOUT 10
|
||||
#define CONFIG_DEFAULT_CIPHER_LIST "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
|
||||
|
||||
#ifndef _WIN32
|
||||
#define CONFIG_DEFAULT_BASE_DIR "/usr/local/icecast"
|
||||
@ -191,6 +193,7 @@ void config_clear(ice_config_t *c)
|
||||
if (c->webroot_dir) xmlFree(c->webroot_dir);
|
||||
if (c->adminroot_dir) xmlFree(c->adminroot_dir);
|
||||
if (c->cert_file) xmlFree(c->cert_file);
|
||||
if (c->cipher_list) xmlFree(c->cipher_list);
|
||||
if (c->pidfile)
|
||||
xmlFree(c->pidfile);
|
||||
if (c->banfile) xmlFree(c->banfile);
|
||||
@ -364,6 +367,7 @@ static void _set_defaults(ice_config_t *configuration)
|
||||
configuration->master_password = NULL;
|
||||
configuration->base_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_BASE_DIR);
|
||||
configuration->log_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_LOG_DIR);
|
||||
configuration->cipher_list = (char *)xmlCharStrdup (CONFIG_DEFAULT_CIPHER_LIST);
|
||||
configuration->webroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_WEBROOT_DIR);
|
||||
configuration->adminroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_ADMINROOT_DIR);
|
||||
configuration->playlist_log = (char *)xmlCharStrdup (CONFIG_DEFAULT_PLAYLIST_LOG);
|
||||
@ -960,6 +964,9 @@ static void _parse_paths(xmlDocPtr doc, xmlNodePtr node,
|
||||
} else if (xmlStrcmp (node->name, XMLSTR("ssl-certificate")) == 0) {
|
||||
if (configuration->cert_file) xmlFree(configuration->cert_file);
|
||||
configuration->cert_file = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
|
||||
} else if (xmlStrcmp (node->name, XMLSTR("ssl-allowed-ciphers")) == 0) {
|
||||
if (configuration->cipher_list) xmlFree(configuration->cipher_list);
|
||||
configuration->cipher_list = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
|
||||
} else if (xmlStrcmp (node->name, XMLSTR("webroot")) == 0) {
|
||||
if (configuration->webroot_dir) xmlFree(configuration->webroot_dir);
|
||||
configuration->webroot_dir = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
|
||||
|
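Review bot: The new `CONFIG_DEFAULT_CIPHER_LIST` still admits MEDIUM-strength suites and names `RC4+RSA` explicitly, so a server that never sets `<ssl-allowed-ciphers>` can still negotiate RC4 (prohibited for TLS by RFC 7465) wherever the linked OpenSSL offers it. A tighter default such as `#define CONFIG_DEFAULT_CIPHER_LIST "HIGH:!aNULL:!eNULL:!RC4:!MD5"` would be safer, with a comment above it saying that the value is an OpenSSL cipher-list string and what each exclusion is for. Separately, in the `ssl-allowed-ciphers` branch of `_parse_paths`, `xmlNodeListGetString` can presumably return NULL for an empty element, which would replace the default with NULL. Restoring the default there with `if (!configuration->cipher_list) configuration->cipher_list = (char *)xmlCharStrdup (CONFIG_DEFAULT_CIPHER_LIST);` keeps the later `%s` logging and the `SSL_CTX_set_cipher_list` call well defined. Both `_set_defaults` and `_parse_paths` continue outside the hunks shown.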
@ -8,6 +8,7 @@
|
||||
* oddsock <oddsock@xiph.org>,
|
||||
* Karl Heyes <karl@xiph.org>
|
||||
* and others (see AUTHORS for details).
|
||||
* Copyright 2011, Dave 'justdave' Miller <justdave@mozilla.com>,
|
||||
*/
|
||||
|
||||
#ifndef __CFGFILE_H__
|
||||
@ -161,6 +162,7 @@ typedef struct ice_config_tag
|
||||
char *banfile;
|
||||
char *allowfile;
|
||||
char *cert_file;
|
||||
char *cipher_list;
|
||||
char *webroot_dir;
|
||||
char *adminroot_dir;
|
||||
aliases *aliases;
|
||||
|
@ -9,6 +9,7 @@
|
||||
* Karl Heyes <karl@xiph.org>
|
||||
* and others (see AUTHORS for details).
|
||||
* Copyright 2011, Philipp "ph3-der-loewe" Schafft <lion@lion.leolix.org>
|
||||
* Dave 'justdave' Miller <justdave@mozilla.com>,
|
||||
*/
|
||||
|
||||
/* -*- c-basic-offset: 4; indent-tabs-mode: nil; -*- */
|
||||
@ -194,6 +195,7 @@ static unsigned long _next_connection_id(void)
|
||||
static void get_ssl_certificate (ice_config_t *config)
|
||||
{
|
||||
SSL_METHOD *method;
|
||||
long ssl_opts;
|
||||
ssl_ok = 0;
|
||||
|
||||
SSL_load_error_strings(); /* readable error messages */
|
||||
@ -201,12 +203,14 @@ static void get_ssl_certificate (ice_config_t *config)
|
||||
|
||||
method = SSLv23_server_method();
|
||||
ssl_ctx = SSL_CTX_new (method);
|
||||
ssl_opts = SSL_CTX_get_options (ssl_ctx);
|
||||
SSL_CTX_set_options (ssl_ctx, ssl_opts|SSL_OP_NO_SSLv2);
|
||||
|
||||
do
|
||||
{
|
||||
if (config->cert_file == NULL)
|
||||
break;
|
||||
if (SSL_CTX_use_certificate_file (ssl_ctx, config->cert_file, SSL_FILETYPE_PEM) <= 0)
|
||||
if (SSL_CTX_use_certificate_chain_file (ssl_ctx, config->cert_file) <= 0)
|
||||
{
|
||||
WARN1 ("Invalid cert file %s", config->cert_file);
|
||||
break;
|
||||
@ -221,8 +225,13 @@ static void get_ssl_certificate (ice_config_t *config)
|
||||
ERROR1 ("Invalid %s - Private key does not match cert public key", config->cert_file);
|
||||
break;
|
||||
}
|
||||
if (SSL_CTX_set_cipher_list(ssl_ctx, config->cipher_list) <= 0)
|
||||
{
|
||||
WARN1 ("Invalid cipher list: %s", config->cipher_list);
|
||||
}
|
||||
ssl_ok = 1;
|
||||
INFO1 ("SSL certificate found at %s", config->cert_file);
|
||||
INFO1 ("SSL using ciphers %s", config->cipher_list);
|
||||
return;
|
||||
} while (0);
|
||||
INFO0 ("No SSL capability on any configured ports");
|
||||
|
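Review bot: A cipher list that OpenSSL rejects only triggers `WARN1` in the new `SSL_CTX_set_cipher_list` check; execution then falls through to `ssl_ok = 1`, and `INFO1 ("SSL using ciphers %s", config->cipher_list)` reports the rejected string as if it were active, while the context presumably keeps the library's default suites. Failing closed is safer for an operator who meant to restrict ciphers: add `break;` after the warning, or retry with a known-good built-in list and log that value instead. The options mask added earlier in the function disables only SSLv2; `SSL_CTX_set_options (ssl_ctx, ssl_opts|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);` would drop SSLv3 as well. The result of `SSL_CTX_new` is also passed to `SSL_CTX_get_options` without a NULL check. Parts of `get_ssl_certificate` lie outside the hunks shown.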