Icecast - Jan 2024 - Secure Connection Failed

Hello,

I hope this question hasn't been asked and answered too often before.

I have installed Icecast and have it working. I'm now trying to make it work
with https. I've configured it as per instructions - at least, I believe I
have - and when it try to connect to it, I get an error page that says:


Secure Connection Failed

An error occurred during a connection to www.<my domain>.com:8000. Cannot
communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP


This is my current icecast.xml


<icecast>
    <limits>
        <clients>100</clients>
        <sources>2</sources>
        <threadpool>5</threadpool>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>
        <burst-on-connect>1</burst-on-connect>
        <burst-size>65535</burst-size>
    </limits>

    <authentication>
        <source-password>ClampGonerInferno</source-password>
        <relay-password>BraceFractalHaddock</relay-password>
        <admin-user>admin</admin-user>
        <admin-password>BionicGenteelSpade</admin-password>
    </authentication>
    <hostname>radiofreeneptune.com</hostname>
    <location>Neptune</location>????

    <listen-socket>
        <port>8000</port>
        <bind-address>67.219.147.138</bind-address>
        <ssl>1</ssl>
    </listen-socket>

    <mount>
        <mount-name>/radio.mp3</mount-name>
        <max-listeners>100</max-listeners>
        <dump-file>/tmp/dump-example1.ogg</dump-file>
        <burst-size>65536</burst-size>
        <fallback-mount>/radio.ogg</fallback-mount>
        <fallback-override>1</fallback-override>
        <fallback-when-full>1</fallback-when-full>
        <hidden>1</hidden>
        <no-yp>1</no-yp>
    </mount>

    <mount>
        <mount-name>/auth_example.ogg</mount-name>
        <authentication type="url">
            <option name="mount_add"      
value="http://myauthserver.net/notify_mount.php"/>
            <option name="mount_remove"   
value="http://myauthserver.net/notify_mount.php"/>
            <option name="listener_add"   
value="http://myauthserver.net/notify_listener.php"/>
            <option name="listener_remove"
value="http://myauthserver.net/notify_listener.php"/>
        </authentication>
    </mount>
    <fileserve>1</fileserve>

    <paths>
        <basedir>/usr/share/icecast</basedir>
        <logdir>/var/log/icecast</logdir>
        <webroot>/usr/share/icecast/web</webroot>
        <adminroot>/usr/share/icecast/admin</adminroot>
        <pidfile>/var/run/icecast/icecast.pid</pidfile>
??????<ssl-certificate>/etc/icecast.d/icecast.pem</ssl-certificate>
        <alias source="/" dest="/status.xsl"/>
    </paths>

    <logging>
        <accesslog>access.log</accesslog>
        <errorlog>error.log</errorlog>
        <loglevel>4</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1
Error -->
        <logsize>100000</logsize> <!-- Max size of a logfile
-->
    </logging>

    <security>
        <chroot>0</chroot>
        <changeowner>
            <user>icecast</user>
            <group>icecast</group>
        </changeowner>
    </security>
</icecast>

Port 8000 is open, I'm using a Let's Encrypt certificate (works fine for
conventional web pages) concatenated into icecast.pem.


If anyone has any suggestions as to what I've done wrong and how to fix it,
I'd be seriously grateful.

Thanks.




-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.xiph.org/pipermail/icecast/attachments/20240107/e1afd201/attachment.htm>

V?Sun, Jan 07, 2024 at 04:41:17PM +0000,?John napsal(a):
> I have installed Icecast and have it working. I'm now trying to make it
work
> with https. I've configured it as per instructions - at least, I
believe
> I have - and when it try to connect to it, I get an error page that says:
> 
> 
> Secure Connection Failed
> 
> An error occurred during a connection to www.<my domain>.com:8000.
Cannot
> communicate securely with peer: no common encryption algorithm(s).
> 
> Error code: SSL_ERROR_NO_CYPHER_OVERLAP
>
The message says it: A list of encryption algorightms acceptable by the client
and acceptable by the server has an empty intersection.

What algorithms do they support dependends on their configuration and on
a cryptographical libraries they use. You can try looking into their
documentation and configuration. However, much easier will be probably running
them in a more verbose mode to reveal algorithms advertized on the TLS level.
Or capture the network packets and inspect them in a network analyzer, e.g. in
Wireshark.

As far as I know, icecast 2.4.4 hard codes a list of algorithms (search for
CONFIG_DEFAULT_CIPHER_LIST in the sources). This is in general a bad idea as
operating systems vendors and cryptographical library vendors usually know
better what algorightms are suitable. Good software should not override the
defaults. Once of the outcomes of overrides are interoperability issues you
experience.

-- Petr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL:
<http://lists.xiph.org/pipermail/icecast/attachments/20240107/6c44fa92/attachment.sig>