Live broadcasting only supports unencrypted streams #763
Comments
This should be implementable, at least in theory. As far as I can tell the incoming and outgoing streams are similar enough to treat them in roughly the same manner. We would need a liquidsoap build that supports SSL by being compiled against ocaml-ssl. This would need at least To allow TLS support on the Master/DJ stream endpoints we would need to allow configuring the keys and certs as well as optionally using the
The changes to LibreTime to support streaming to an icecast instance with TLS would mostly be passing We might also need to allow configuring trust for a certificate if folks use an internal root-CA or a self-signed certificate. Given that all of this is rather complex to set up, I'm pretty sure it won't happen soon. There are some rough edges that we would ideally want to sort out before releasing this into the wild that aren't quite in the scope of LibreTime.
Given the fact that an opam install of liquidsoap is currently needed for all of this, it hasn't been high up on our priorities. There is also #88, which I guess pertains more to the web-server parts, so I'm putting this into the 3.0.0 release stuff for now. We might remove it from there again if it turns out not to be implementable. The proxy workaround you mentioned should work but it is not recommended by upstream icecast developers. For incoming streams you might have better results with a workaround using stunnel or similar.
Unfortunately I won't be able to release a version of the Liquidsoap package linking against openssl due to the Liquidsoap license. The GPL is incompatible with the OpenSSL licence (see https://lintian.debian.org/tags/possible-gpl-code-linked-with-openssl.html). The only way to fix this would be to have Liquidsoap add the SSL exception to their licence.
ocaml-ssl is under the LGPL and has this exception: https://github.com/savonet/ocaml-ssl/blob/9dd1cbf71839195e115b8e2438554c530e0f0ed0/COPYING#L1-L3 I'm not sure if ocaml-cry and liquidsoap itself also need the exception since I haven't checked how liquidsoap and ocaml-cry get linked if ocaml-ssl is available. Otherwise we could investigate using GnuTLS instead.
Hmm... Good point. I'll check with Debian legal and see. My thought would be that they do need it, but I could well be wrong about that. ocaml-ssl is in Debian, but needs updating to the latest version (https://tracker.debian.org/pkg/ocaml-ssl). That I can do, no problem.
I've spoken to a couple of people and had a look at the ocaml-ssl licence. The ocaml-ssl licence has an exception that allows any work linked against it to be released under any licence terms. So liquidsoap and ocaml-cry would be fine linking against ocaml-ssl. I'll do so in the next upload for each.
Is your feature request related to a problem? Please describe.
Live broadcasting doesn't support encryption
Describe the solution you'd like
Live broadcasting should support encryption
Describe alternatives you've considered
I've attempted to use proxies with Apache to SSL-ify incoming streams, but clients don't seem to understand how to connect to it this way.