mherger wrote:
> Ok, got some more information. And it's a little more complicated than I
> thought. There's a critical vulnerability in the SSL v3 protocol
> ("Poodle" -
> https://blogs.akamai.com/2014/10/excerpt-how-poodle-happened.html).
> Therefore Rhapsody's CDN changed their configuration, which causes the
> failure. I'll have to see how we can work around this limitation.
>
> --
>
> Michael

The response to the POODLE vuln is generally dropping support for SSLv3 on servers and clients. It's 15 years old and has been recommended to be deprecated for a while now.

So, anywhere in the squeezebox / LMS / Plugin code that uses SSL... it needs to be configured or set to be able to support TLS 1.0, 1.1, or 1.2, and any use of SSLv2 or SSLv3 should be removed.

My guess is that there is a config option that needs to be changed in something like:

IO::Socket::SSL
http://search.cpan.org/~sullr/IO-Socket-SSL-2.000/lib/IO/Socket/SSL.pod#Common_Problems_with_SSL

- *SSL_version*

  Sets the version of the SSL protocol used to transmit data. 'SSLv23' uses a handshake compatible with SSL2.0, SSL3.0 and TLS1.x, while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict handshake and protocol to the specified version. All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires recent versions of Net::SSLeay and openssl.

  Independent from the handshake format you can limit to set of accepted SSL versions by adding !version separated by ':'.

  The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the handshake format is compatible to SSL2.0 and higher, but that the successful handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because both of these versions have serious security issues and should not be used anymore. You can also use !TLSv1_1 and !TLSv1_2 to disable TLS versions 1.1 and 1.2 while still allowing TLS version 1.0.

  Setting the version instead to 'TLSv1' might break interaction with older clients, which need an SSL2.0 compatible handshake. On the other side some clients just close the connection when they receive a TLS version 1.1 request. In this case setting the version to 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2' might help.

- or Net::SSLeay
  http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod

  Replace any SSLv2 or SSLv3 functions with TLSv1 equivalents. Take note of security recommendations here:
  http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod#SECURITY

-Ross
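
An added example, not part of the original post and not IO::Socket::SSL's own parser: a small Python model of the SSL_version syntax quoted above, used to flag settings in Perl source that still permit SSLv2 or SSLv3. The sample Perl lines are constructed, and treating a string that names no handshake version as 'SSLv23' is an assumption made here to keep the audit conservative.

```python
import re

# Protocol names and aliases as listed in the quoted SSL_version documentation.
ALL = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]
CANON = {v.lower(): v for v in ALL}
ALIASES = {"tlsv11": "tlsv1_1", "tlsv12": "tlsv1_2"}
INSECURE = {"SSLv2", "SSLv3"}
# Matches  SSL_version => '...'  or  SSL_version => "..."  in Perl source.
SETTING = re.compile(r"""SSL_version\s*=>\s*(['"])(.*?)\1""")


def allowed_protocols(ssl_version):
    """Return the set of protocol versions an SSL_version string permits."""
    allowed, excluded = set(), set()
    for token in ssl_version.split(":"):
        token = token.strip().lower()          # values are case-insensitive
        negate = token.startswith("!")
        name = token.lstrip("!")
        name = ALIASES.get(name, name)
        if name == "sslv23" and not negate:
            allowed.update(ALL)                # compatible handshake, all versions
        elif name in CANON:
            (excluded if negate else allowed).add(CANON[name])
        else:
            raise ValueError(f"unrecognised SSL_version token: {token!r}")
    if not allowed:                            # assumption: no handshake named
        allowed.update(ALL)                    # is audited as if it were 'SSLv23'
    return allowed - excluded


def audit(perl_source):
    """Return (line number, value, weak protocols) for each risky setting."""
    findings = []
    for lineno, line in enumerate(perl_source.splitlines(), 1):
        for m in SETTING.finditer(line):
            weak = sorted(allowed_protocols(m.group(2)) & INSECURE)
            if weak:
                findings.append((lineno, m.group(2), weak))
    return findings


# Constructed sample input, not taken from the LMS code base.
SAMPLE = '''\
my $a = IO::Socket::SSL->new(PeerAddr => $host, SSL_version => 'SSLv3');
my $b = IO::Socket::SSL->new(PeerAddr => $host, SSL_version => 'SSLv23:!SSLv3:!SSLv2');
my $c = IO::Socket::SSL->new(PeerAddr => $host, SSL_version => 'sslv23:!SSLv2');
my $d = IO::Socket::SSL->new(PeerAddr => $host, SSL_version => 'TLSv12');
'''

if __name__ == "__main__":
    for lineno, value, weak in audit(SAMPLE):
        print(f"line {lineno}: SSL_version '{value}' still permits {', '.join(weak)}")
```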