JohnnyOh
Joined: 10 Feb 2009 Posts: 50 Location: Germany
Posted: Mon Oct 20, 2014 3:05 pm Post subject: Icecast and vulnerable to the POODLE attack
Hi,
as mentioned, I succeeded in installing SSL on my Icecast.
Unfortunately there are some issues I am not able to solve:
How do I disable SSL 3 on my Icecast?
https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
Is there any chance to disable SSL 3?
Edit:
There also seem to be vulnerabilities to
"Crime" attack (https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls)
Forward Secrecy (https://en.wikipedia.org/wiki/Forward_secrecy)
If there are any possibilities to solve these issues, please tell me.
_________________
Icecast 2.4.0 (debian)
and
icecast 2.3.2-kh32 (debian)
shoutcast 1.9.5 (debian)
dm8tbr
Joined: 09 Feb 2013 Posts: 45 Location: icecast.org
Posted: Sun Oct 26, 2014 7:34 am
I'd recommend using a version of OpenSSL that's not vulnerable to those in the first place.
If after that there is something specific to how Icecast uses OpenSSL that creates a security problem, then we should address it.
JohnnyOh
Joined: 10 Feb 2009 Posts: 50 Location: Germany
Posted: Mon Oct 27, 2014 1:12 pm
Thanks for your reply. I have already spent a lot of time on this issue, but have not yet succeeded.
I have a Debian Wheezy with Icecast 2.4 and openssl-1.0.1e.
So OpenSSL should be fixed, but the server is still vulnerable.
I expect the "application" itself has to have the feature to disable SSLv3 or to enable "TLS_FALLBACK_SCSV".
It would be great if you could tell me what to do.
dm8tbr
Joined: 09 Feb 2013 Posts: 45 Location: icecast.org
Posted: Sun Nov 02, 2014 5:02 pm
We're working on a general overhaul of our OpenSSL usage in Icecast and will release most of it as part of Icecast 2.4.1 very soon.
If you want to do something right now and are on Debian:
apt-get source icecast2
apt-get build-dep icecast2
apt-get install libssl-dev
cd icecast2
Apply the two patches from https://trac.xiph.org/ticket/2071 and https://trac.xiph.org/ticket/2072, or add them to the patch queue in the debian directory
dpkg-buildpackage
cd ..
dpkg -i icecast2…deb
The cipher list you could just as well put in your config without recompiling:
<paths>
…
<ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS</ssl-allowed-ciphers>
It might work to disable SSLv3 through it, but I haven't tested that fully:
<ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:-SSLv3</ssl-allowed-ciphers>
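A check to run against the server after changing the config or rebuilding, as an added example that is not part of the thread or of the Icecast project. One caveat worth knowing before relying on the `-SSLv3` cipher-string trick above: in OpenSSL's cipher-list syntax, `SSLv3` names the cipher suites first defined by SSL 3.0 (which TLS 1.0 and 1.1 clients also use), so `-SSLv3` removes those suites from every protocol version rather than switching the SSLv3 protocol off; the protocol version is a separate, application-level setting (`SSL_OP_NO_SSLv3` in the OpenSSL API). The script below therefore tests the thing that actually matters for POODLE: whether the server still answers an SSLv3 ClientHello with a ServerHello. It also sends a TLS 1.0 hello carrying TLS_FALLBACK_SCSV (the value 0x5600 from RFC 7507) and checks for the `inappropriate_fallback` alert, which is what a server that supports newer TLS versions and honours the SCSV must return. The host and port 8443 are assumed (set them to your `<ssl-port>`); the code speaks the record layer directly so it does not depend on the local OpenSSL still supporting SSLv3.

```python
import os
import socket
import struct
import sys

SSL3_VERSION = 0x0300
TLS10_VERSION = 0x0301
TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
# A handful of suites old enough that any SSLv3-speaking server knows them.
SSL3_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version, suites, client_random=None):
    """Return one SSL/TLS record carrying a minimal ClientHello (no extensions)."""
    client_random = client_random or os.urandom(32)
    suite_blob = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        struct.pack("!H", version)                       # client_version
        + client_random                                  # 32-byte random
        + b"\x00"                                        # empty session id
        + struct.pack("!H", len(suite_blob)) + suite_blob
        + b"\x01\x00"                                    # one compression method: null
    )
    # handshake type 1 = client_hello, followed by a 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, version, len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back: ServerHello, alert, or nothing."""
    if len(data) < 5:
        return ("closed", None)
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == RECORD_ALERT and len(payload) >= 2:
        return ("alert", ALERT_NAMES.get(payload[1], str(payload[1])))
    if ctype == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == 0x02:
        (server_version,) = struct.unpack("!H", payload[4:6])
        return ("server_hello", server_version)
    return ("unknown", ctype)


def probe(host, port, version, suites, timeout=5.0):
    """Send a ClientHello and classify whatever comes back (a closed socket counts as a refusal)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, suites))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_response(data)


def sslv3_accepted(host, port):
    """True if the server completes an SSLv3 handshake, i.e. it is still exposed to POODLE."""
    kind, detail = probe(host, port, SSL3_VERSION, SSL3_SUITES)
    return kind == "server_hello" and detail == SSL3_VERSION


def fallback_scsv_honoured(host, port):
    """True if a TLS 1.0 hello carrying TLS_FALLBACK_SCSV is refused with inappropriate_fallback.

    Only meaningful against a server whose highest supported version is above TLS 1.0."""
    kind, detail = probe(host, port, TLS10_VERSION, SSL3_SUITES + [TLS_FALLBACK_SCSV])
    return kind == "alert" and detail == "inappropriate_fallback"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443   # assumed Icecast <ssl-port>
    print("SSLv3 accepted:         ", sslv3_accepted(host, port))
    print("TLS_FALLBACK_SCSV works:", fallback_scsv_honoured(host, port))
```

Run it as `python3 probe.py stream.example.org 8443`. "SSLv3 accepted: False" is the result you want after the change; a server that is patched for SSLv3 will typically answer the first probe with a `protocol_version` or `handshake_failure` alert, or simply close the connection. The second line only tells you something if the server itself speaks TLS 1.1 or 1.2, since the SCSV check is about refusing a downgrade below the best version both sides support.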
JohnnyOh
Joined: 10 Feb 2009 Posts: 50 Location: Germany
Posted: Thu Nov 27, 2014 4:38 pm
Thank you for your hints.
If something is needed to ensure security with Icecast 2.4, please follow these instructions:
1. add "deb http://http.us.debian.org/debian/ testing non-free contrib main" to the sources list in Debian
2. install libc6 from repository "testing"
3. download http://ftp.de.debian.org/debian/pool/main/o/openssl/openssl_1.0.1j-1_i386.deb
4. install openssl from the downloaded package
5. install libssl1.0.0
6. remove libssl-dev
7. remove the testing repository from the sources list
8. restart all services using libc
9. check at https://www.ssllabs.com/ssltest/analyze.html
Afterwards the server will not be vulnerable to POODLE anymore.
Please note that you are using these instructions at your own risk. It works for my instances. It may be possible that the corresponding updates are already in the main repository. I did not check anymore.