mherger wrote: 
> Ok, got some more information. And it's a little more complicated than I
> thought. There's a critical vulnerability in the SSL v3 protocol
> ("Poodle" -
> https://blogs.akamai.com/2014/10/excerpt-how-poodle-happened.html).
> Therefore Rhapsody's CDN changed their configuration, which causes the
> failure. I'll have to see how we can work around this limitation.
> 
> -- 
> 
> Michael

The response to POODLE vuln is generally dropping support for SSLv3 on
servers and clients. It's 15 years old and has been recommended to be
deprecated for a while now. So, anywhere in the squeezebox / LMS /
Plugin code that uses SSL... it needs to be configured or set to be able
to support TLS 1.0, 1.1, or 1.2, and any use of SSLv2 or SSLv3 should be
removed. My guess is that there is a config option that needs to be
changed in something like:
IO::Socket::SSL
http://search.cpan.org/~sullr/IO-Socket-SSL-2.000/lib/IO/Socket/SSL.pod#Common_Problems_with_SSL

-*SSL_version*
Sets the version of the SSL protocol used to transmit data. 'SSLv23'
uses a handshake compatible with SSL2.0, SSL3.0 and TLS1.x, while
'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict handshake and
protocol to the specified version. All values are case-insensitive.
Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and
'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires recent versions
of Net::SSLeay and openssl.

Independent from the handshake format you can limit the set of accepted
SSL versions by adding !version separated by ':'.

The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the
handshake format is compatible to SSL2.0 and higher, but that the
successful handshake is limited to TLS1.0 and higher, that is no SSL2.0
or SSL3.0 because both of these versions have serious security issues
and should not be used anymore. You can also use !TLSv1_1 and !TLSv1_2
to disable TLS versions 1.1 and 1.2 while still allowing TLS version
1.0.

Setting the version instead to 'TLSv1' might break interaction with
older clients, which need an SSL2.0 compatible handshake. On the other
side some clients just close the connection when they receive a TLS
version 1.1 request. In this case setting the version to
'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2' might help.
-


or Net::SSLeay
http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod
Replace any SSLv2 or SSLv3 functions with TLSv1 equivalents.
Take note of security recommendations here:
http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod#SECURITY

-Ross


------------------------------------------------------------------------
rcampbel3's Profile: http://forums.slimdevices.com/member.php?userid=38284
View this thread: http://forums.slimdevices.com/showthread.php?t=102304
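
Added example, not part of the post above and not LMS or plugin code: a small Perl audit helper that applies the SSL_version rules quoted from the IO::Socket::SSL documentation to a list of settings and flags any that still permit SSLv2 or SSLv3. The function names and sample settings are constructed for illustration, and the parser is a simplified model of the quoted rules, not the module's own.

```perl
#!/usr/bin/perl
# Added example: audit SSL_version strings for SSLv2/SSLv3 exposure.
use strict;
use warnings;

my @ALL = qw(SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv1_2);
my %CANON = (sslv23 => 'SSLv23', sslv2 => 'SSLv2', sslv3 => 'SSLv3',
             tlsv1  => 'TLSv1', tlsv1_1 => 'TLSv1_1', tlsv11 => 'TLSv1_1',
             tlsv1_2 => 'TLSv1_2', tlsv12 => 'TLSv1_2');

# Protocol versions a setting permits: 'SSLv23' allows all versions, a named
# version restricts to itself, and '!version' removes that version.
sub allowed_protocols {
    my ($spec) = @_;
    my (%on, %off);
    for my $tok (split /:/, $spec) {
        my $neg = ($tok =~ s/^!//);          # strip and remember the '!'
        my $ver = $CANON{lc $tok}            # values are case-insensitive
            or die "unknown protocol token '$tok'\n";
        if    ($neg)              { $off{$ver} = 1 }
        elsif ($ver eq 'SSLv23')  { $on{$_} = 1 for @ALL }
        else                      { $on{$ver} = 1 }
    }
    return grep { $on{$_} && !$off{$_} } @ALL;
}

# True when neither SSLv2 nor SSLv3 can be negotiated with this setting.
sub is_poodle_safe {
    my ($spec) = @_;
    return !grep { /^SSLv[23]$/ } allowed_protocols($spec);
}

# Constructed sample settings, as they might appear in client code.
for my $spec ('SSLv23', 'SSLv3', 'SSLv23:!SSLv3:!SSLv2', 'tlsv12',
              'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2') {
    printf "%-40s %-3s allows: %s\n", $spec,
        (is_poodle_safe($spec) ? 'ok' : 'FIX'),
        join(',', allowed_protocols($spec));
}

# Optional live check: pass a hostname to see what is actually negotiated
# when the client is limited to TLS 1.0 and higher.
if (my $host = shift @ARGV) {
    require IO::Socket::SSL;
    my $sock = IO::Socket::SSL->new(
        PeerAddr    => "$host:443",
        SSL_version => 'SSLv23:!SSLv3:!SSLv2',
    ) or die "handshake failed: " . IO::Socket::SSL::errstr() . "\n";
    print "negotiated ", $sock->get_sslversion, " with $host\n";
}
```

Run without arguments it only evaluates the sample strings; 'SSLv23' and 'SSLv3' are reported as FIX, the other three as ok.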
