Remove SSLv2 and SSLv3 from valid cipher suites
Posted: 17 Oct 2014, 16:27
by HasiPopasi
Hi all,
In the light of the latest developments regarding the security of SSL encryption, it would be time to remove the insecure cipher algorithms SSLv2Hello and SSLv3 from the list of valid cipher suites. Madsonic provides them, as stated in the log file:
Code:
oejus.SslContextFactory:Enabled Protocols [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
Question: How do I disable SSLv2Hello and SSLv3? I can't find a setting for this, and Madsonic seems to use an embedded version of Jetty without any possibility for the user to change this server setting.
Re: Remove SSLv2 and SSLv3 from valid cipher suites
Posted: 17 Oct 2014, 19:54
by DoCC
The smoothest way to use your own selected SSL features: try running Madsonic on localhost without SSL and set up an Apache proxy server with SSL support.
This will do the trick very well, and you can create your own certs :)
Re: Remove SSLv2 and SSLv3 from valid cipher suites
Posted: 22 Feb 2015, 15:09
by ootuoyetahi
HasiPopasi wrote: Hi all,
In the light of the latest developments regarding the security of SSL encryption, it would be time to remove the insecure cipher algorithms SSLv2Hello and SSLv3 from the list of valid cipher suites. Madsonic provides them, as stated in the log file:
Code:
oejus.SslContextFactory:Enabled Protocols [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
Question: How do I disable SSLv2Hello and SSLv3? I can't find a setting for this, and Madsonic seems to use an embedded version of Jetty without any possibility for the user to change this server setting.
Were you ever able to figure out how to disable sslv3?
Re: Remove SSLv2 and SSLv3 from valid cipher suites
Posted: 06 May 2015, 08:48
by Madsonic
Hi there,
I'll change your security suggestion
Code:
if (isHttpsEnabled()) {
    SslSocketConnector sslConnector = new SslSocketConnector();
    SslContextFactory sslContextFactory = sslConnector.getSslContextFactory();
    // Exclude the single-DES and 40-bit export cipher suites.
    sslContextFactory.setExcludeCipherSuites(
        new String[] {
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_DHE_RSA_WITH_DES_CBC_SHA",
            "SSL_DHE_DSS_WITH_DES_CBC_SHA",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
        });
    // Exclude the SSLv3 protocol and the SSLv2-compatible hello, so only TLSv1+ stays enabled.
    sslContextFactory.addExcludeProtocols(new String[]{"SSLv3", "SSLv2Hello"});
    ...
}
Result:
Code:
2015-05-06 09:46:07.497:INFO:oejus.SslContextFactory:Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
https://github.com/MadMarty/madsonic-se ... 58f339a755
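As an added check that is not part of this thread or of Madsonic, the following script parses the Jetty SslContextFactory "Enabled Protocols" log line quoted above and flags any enabled protocol a policy forbids, so the effect of the change can be confirmed from the log rather than by eye. The sample log and the unrelated "Server:Started" line in it are constructed; the two SslContextFactory lines are the before/after lines from this thread.

```python
import re
from typing import Dict, List

# Protocol names this thread wants gone: SSLv2Hello is the JSSE pseudo-protocol
# allowing an SSLv2-compatible ClientHello; SSLv3 is the protocol the 2014 advisories concern.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}

# Matches Jetty's startup line, with or without a timestamp/level prefix:
#   oejus.SslContextFactory:Enabled Protocols [A, B] of [A, B, C]
_LINE_RE = re.compile(
    r"SslContextFactory:Enabled Protocols \[(?P<enabled>[^\]]*)\] of \[(?P<supported>[^\]]*)\]"
)


def _split(names: str) -> List[str]:
    return [p.strip() for p in names.split(",") if p.strip()]


def parse_enabled_protocols(line: str) -> Dict[str, List[str]]:
    """Return {'enabled': [...], 'supported': [...]} for one log line; ValueError if it is not one."""
    m = _LINE_RE.search(line)
    if m is None:
        raise ValueError("not an SslContextFactory 'Enabled Protocols' line: %r" % line)
    return {"enabled": _split(m.group("enabled")), "supported": _split(m.group("supported"))}


def forbidden_enabled(line: str, forbidden=FORBIDDEN_PROTOCOLS) -> List[str]:
    """Protocols that are both enabled and forbidden, in the order Jetty listed them."""
    return [p for p in parse_enabled_protocols(line)["enabled"] if p in forbidden]


def audit(lines):
    """Yield (line_no, verdict, offending) for every SslContextFactory line in a log."""
    for no, line in enumerate(lines, 1):
        if _LINE_RE.search(line) is None:
            continue  # unrelated log line, skip it
        bad = forbidden_enabled(line)
        yield no, ("FAIL" if bad else "OK"), bad


# Constructed sample log: one unrelated line, then the "before" and "after" lines from the thread.
SAMPLE_LOG = [
    "2014-10-17 16:20:01.000:INFO:oejs.Server:Started",
    "oejus.SslContextFactory:Enabled Protocols [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]",
    "2015-05-06 09:46:07.497:INFO:oejus.SslContextFactory:Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]",
]

if __name__ == "__main__":
    for no, verdict, bad in audit(SAMPLE_LOG):
        print(f"line {no}: {verdict}" + (f" (enabled but forbidden: {', '.join(bad)})" if bad else ""))
```

Note that the "of [...]" list only says what the JVM supports; the policy applies to the "Enabled" list, which is what the exclusion in the patch above changes.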