Hi all,

I have been struggling to setup icecast with ssl on port 443.
I am running Debian Wheezy and installed icecast by downloading the source and compiling.
This went all ok, including ssl support.
When running ssl on a port >1024 and not chrooting ssl works fine, so the certificate is ok.
But when enabling chroot everything works but ssl.

Any ideas?

TIA!
Paul

This is (part of) my config:

.
<listen-socket>
    <port>443</port>
    <ssl>1</ssl>
</listen-socket>
.
<basedir>/usr/share/icecast2</basedir>
<logdir>/log</logdir>
<webroot>/web</webroot>
<adminroot>/admin</adminroot>
<pidfile>/icecast.pid</pidfile>
<ssl-certificate>/ssl.pem</ssl-certificate>
.
<security>
    <chroot>1</chroot>
    <changeowner>
        <user>icecast2</user>
        <group>icecast</group>
    </changeowner>
</security>

And my error log does not show any trouble:

[2017-10-17 07:26:37] INFO main/main Icecast 2.4.3 server started
[2017-10-17 07:26:37] INFO yp/yp_recheck_config Adding new YP server "http://dir.xiph.org/cgi-bin/yp-cgi" (timeout 6s, default interval 30s)
[2017-10-17 07:26:37] INFO yp/yp_update_thread YP update thread started
[2017-10-17 07:26:37] INFO connection/get_ssl_certificate SSL certificate found at ssl.pem
[2017-10-17 07:26:37] INFO connection/get_ssl_certificate SSL using ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
...

Good evening,

On Tue, 2017-10-17 at 07:51 +0000, _zer0_ gravity wrote:
> Hi all,
>
> I have been struggling to setup icecast with ssl on port 443.
> I am running Debian Wheezy and installed icecast by downloading the source
> and compiling.

It's very much recommended to use this method:
https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(official_Xiph_repositories)

> This went all ok, including ssl support.
> When running ssl on a port >1024 and not chrooting ssl works fine, so the
> certificate is ok.
> But when enabling chroot everything works but ssl.

> [...]
> <ssl-certificate>/ssl.pem</ssl-certificate>
> [...]

As you did correctly, the cert must be present within the chroot.

> And my error log does not show any trouble:
> [...]
> [2017-10-17 07:26:37] INFO connection/get_ssl_certificate SSL certificate
> found at ssl.pem
> [...]

That indicates that it's loaded.

How does 'works but ssl' show? What kind of error do you get? Do you have a link to your server?

With best regards,

--
Philipp Schafft (CEO/Geschäftsführer)
Telephon: +49.3535 490 17 92

Löwenfelsen UG (haftungsbeschränkt)     Registration number:
Bickinger Straße 21                     HRB 12308 CB
04916 Herzberg (Elster)                 VATIN/USt-ID:
Germany                                 DE305133015
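
The point above, that the cert must be present within the chroot, can be checked mechanically. The following is an added example, not part of the original thread or of the Icecast project's code: it resolves the chroot-relative paths from the config to host paths and also flags a PEM placed under webroot, where Icecast would serve it to clients. The sample config is constructed from the fragment quoted in the thread; the <icecast> and <paths> wrappers follow the standard icecast.xml layout, and the function names are hypothetical.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the config fragment quoted in the thread.
SAMPLE_CONFIG = """<icecast>
  <listen-socket><port>443</port><ssl>1</ssl></listen-socket>
  <paths>
    <basedir>/usr/share/icecast2</basedir>
    <logdir>/log</logdir>
    <webroot>/web</webroot>
    <adminroot>/admin</adminroot>
    <ssl-certificate>/ssl.pem</ssl-certificate>
  </paths>
  <security><chroot>1</chroot></security>
</icecast>"""

# Paths that must already exist before the server starts.
PATH_KEYS = ("logdir", "webroot", "adminroot", "ssl-certificate")

def resolve_paths(config_xml):
    """Map each configured path to the host path it refers to."""
    root = ET.fromstring(config_xml)
    basedir = root.findtext("paths/basedir", default="/").strip()
    chrooted = root.findtext("security/chroot", default="0").strip() == "1"
    resolved = {}
    for key in PATH_KEYS:
        value = root.findtext("paths/" + key)
        if value is None:
            continue
        value = value.strip()
        # With chroot enabled, "/" inside the config means basedir on the host.
        resolved[key] = os.path.join(basedir, value.lstrip("/")) if chrooted else value
    return resolved

def missing_paths(config_xml, exists=os.path.exists):
    """Return the config keys whose host path does not exist."""
    return sorted(k for k, p in resolve_paths(config_xml).items() if not exists(p))

def cert_in_webroot(config_xml):
    """True if the PEM (certificate plus private key) sits under webroot."""
    paths = resolve_paths(config_xml)
    web = os.path.normpath(paths["webroot"])
    cert = os.path.normpath(paths["ssl-certificate"])
    return os.path.commonpath([web, cert]) == web

if __name__ == "__main__":
    for key, path in resolve_paths(SAMPLE_CONFIG).items():
        print(f"{key:16} {path}  {'ok' if os.path.exists(path) else 'MISSING'}")
    print("cert served from webroot:", cert_in_webroot(SAMPLE_CONFIG))
```
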

Hi Philipp,

thanks for your reply.

What I mean by 'works but ssl' is that the server runs on port 80 without ssl and works, but the ssl page on port 443 takes ages to load and gives an error. IE11 complains about an unsupported protocol or cipher, Firefox says the connection is not secure.

Server address is stream.freemusicradio.nl

I think I will try cleaning up and use the recommended installation procedure.

Thanks and regards,
Paul

-----Original message-----
From: Icecast [mailto:icecast-bounces at xiph.org] On behalf of Philipp Schafft
Sent: Wednesday 18 October 2017 1:19
To: Icecast streaming server user discussions
Subject: Re: [Icecast] Icecast chrooted and ssl