Applied justdave's patches, fixing #1717 and #1718.

HTTPS now with better security and support for chained certificates svn path=/icecast/trunk/icecast/; revision=18127
2025-02-02 15:07:36 -05:00 · 2011-11-25 22:12:11 +00:00 · 2011-11-25 22:12:11 +00:00 · f57110d7e5
commit f57110d7e5
parent d66c53987c
3 changed files with 19 additions and 1 deletions
--- a/src/cfgfile.c
+++ b/src/cfgfile.c
@ -10,6 +10,7 @@
 *                      and others (see AUTHORS for details).
 * Copyright 2011,      Philipp "ph3-der-loewe" Schafft <lion@lion.leolix.org>,
 *                      Thomas B. "dm8tbr" Ruecker <thomas.rucker@tieto.com>.
+ *                      Dave 'justdave' Miller <justdave@mozilla.com>,
 */

 #ifdef HAVE_CONFIG_H
@ -55,6 +56,7 @@
 #define CONFIG_DEFAULT_GROUP NULL
 #define CONFIG_MASTER_UPDATE_INTERVAL 120
 #define CONFIG_YP_URL_TIMEOUT 10
+#define CONFIG_DEFAULT_CIPHER_LIST "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

 #ifndef _WIN32
 #define CONFIG_DEFAULT_BASE_DIR "/usr/local/icecast"
@ -191,6 +193,7 @@ void config_clear(ice_config_t *c)
    if (c->webroot_dir) xmlFree(c->webroot_dir);
    if (c->adminroot_dir) xmlFree(c->adminroot_dir);
    if (c->cert_file) xmlFree(c->cert_file);
+    if (c->cipher_list) xmlFree(c->cipher_list);
    if (c->pidfile)
        xmlFree(c->pidfile);
    if (c->banfile) xmlFree(c->banfile);
@ -364,6 +367,7 @@ static void _set_defaults(ice_config_t *configuration)
    configuration->master_password = NULL;
    configuration->base_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_BASE_DIR);
    configuration->log_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_LOG_DIR);
+    configuration->cipher_list = (char *)xmlCharStrdup (CONFIG_DEFAULT_CIPHER_LIST);
    configuration->webroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_WEBROOT_DIR);
    configuration->adminroot_dir = (char *)xmlCharStrdup (CONFIG_DEFAULT_ADMINROOT_DIR);
    configuration->playlist_log = (char *)xmlCharStrdup (CONFIG_DEFAULT_PLAYLIST_LOG);
@ -960,6 +964,9 @@ static void _parse_paths(xmlDocPtr doc, xmlNodePtr node,
        } else if (xmlStrcmp (node->name, XMLSTR("ssl-certificate")) == 0) {
            if (configuration->cert_file) xmlFree(configuration->cert_file);
            configuration->cert_file = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
+        } else if (xmlStrcmp (node->name, XMLSTR("ssl-allowed-ciphers")) == 0) {
+            if (configuration->cipher_list) xmlFree(configuration->cipher_list);
+            configuration->cipher_list = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
        } else if (xmlStrcmp (node->name, XMLSTR("webroot")) == 0) {
            if (configuration->webroot_dir) xmlFree(configuration->webroot_dir);
            configuration->webroot_dir = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
--- a/src/cfgfile.h
+++ b/src/cfgfile.h
@ -8,6 +8,7 @@
 *                      oddsock <oddsock@xiph.org>,
 *                      Karl Heyes <karl@xiph.org>
 *                      and others (see AUTHORS for details).
+ * Copyright 2011,      Dave 'justdave' Miller <justdave@mozilla.com>,
 */

 #ifndef __CFGFILE_H__
@ -161,6 +162,7 @@ typedef struct ice_config_tag
    char *banfile;
    char *allowfile;
    char *cert_file;
+    char *cipher_list;
    char *webroot_dir;
    char *adminroot_dir;
    aliases *aliases;
--- a/src/connection.c
+++ b/src/connection.c
@ -9,6 +9,7 @@
 *                      Karl Heyes <karl@xiph.org>
 *                      and others (see AUTHORS for details).
 * Copyright 2011,      Philipp "ph3-der-loewe" Schafft <lion@lion.leolix.org>
+ *                      Dave 'justdave' Miller <justdave@mozilla.com>,
 */

 /* -*- c-basic-offset: 4; indent-tabs-mode: nil; -*- */
@ -194,6 +195,7 @@ static unsigned long _next_connection_id(void)
 static void get_ssl_certificate (ice_config_t *config)
 {
    SSL_METHOD *method;
+    long ssl_opts;
    ssl_ok = 0;

    SSL_load_error_strings();                /* readable error messages */
@ -201,12 +203,14 @@ static void get_ssl_certificate (ice_config_t *config)

    method = SSLv23_server_method();
    ssl_ctx = SSL_CTX_new (method);
+    ssl_opts = SSL_CTX_get_options (ssl_ctx);
+    SSL_CTX_set_options (ssl_ctx, ssl_opts|SSL_OP_NO_SSLv2);

    do
    {
        if (config->cert_file == NULL)
            break;
-        if (SSL_CTX_use_certificate_file (ssl_ctx, config->cert_file, SSL_FILETYPE_PEM) <= 0)
+        if (SSL_CTX_use_certificate_chain_file (ssl_ctx, config->cert_file) <= 0)
        {
            WARN1 ("Invalid cert file %s", config->cert_file);
            break;
@ -221,8 +225,13 @@ static void get_ssl_certificate (ice_config_t *config)
            ERROR1 ("Invalid %s - Private key does not match cert public key", config->cert_file);
            break;
        }
+        if (SSL_CTX_set_cipher_list(ssl_ctx, config->cipher_list) <= 0) 
+        { 
+            WARN1 ("Invalid cipher list: %s", config->cipher_list); 
+        } 
        ssl_ok = 1;
        INFO1 ("SSL certificate found at %s", config->cert_file);
+        INFO1 ("SSL using ciphers %s", config->cipher_list); 
        return;
    } while (0);
    INFO0 ("No SSL capability on any configured ports");