rcampbel3 wrote: > The response to POODLE vuln is generally dropping support for SSLv3 on > servers and clients. It's 15 years old and has been recommended to be > deprecated for a while now. So, anywhere in the squeezebox / LMS / > Plugin code that uses SSL... it needs to be configured or set to be able > to support TLS 1.0, 1.1, or 1.2, and any use of SSLv2 or SSLv3 should be > removed. My guess is that there is a config option that needs to be > changed in something like: > IO::Socket::SSL > http://search.cpan.org/~sullr/IO-Socket-SSL-2.000/lib/IO/Socket/SSL.pod#Common_Problems_with_SSL > -*SSL_version* > Sets the version of the SSL protocol used to transmit data. 'SSLv23' > uses a handshake compatible with SSL2.0, SSL3.0 and TLS1.x, while > 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict handshake and > protocol to the specified version. All values are case-insensitive. > Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and > 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires recent versions > of Net::SSLeay and openssl. > > Independent from the handshake format you can limit to set of accepted > SSL versions by adding !version separated by ':'. > > The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the > handshake format is compatible to SSL2.0 and higher, but that the > successful handshake is limited to TLS1.0 and higher, that is no SSL2.0 > or SSL3.0 because both of these versions have serious security issues > and should not be used anymore. You can also use !TLSv1_1 and !TLSv1_2 > to disable TLS versions 1.1 and 1.2 while still allowing TLS version > 1.0. > > Setting the version instead to 'TLSv1' might break interaction with > older clients, which need and SSL2.0 compatible handshake. On the other > side some clients just close the connection when they receive a TLS > version 1.1 request. In this case setting the version to > 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2' might help. > - > > or Net::SSLeay > http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod > Replace any SSLv2 or SSLv3 functions with TLSv1 equivalents. > Take note of security recommendations here: > http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod#SECURITY > > -Ross
A wild guess is that the snag will be in the players themself like 3 years ago . Some services demands that the security is taking place inside the player . https://github.com/Logitech/slimserver/tree/public/7.9/Firmware -------------------------------------------------------------------- Main hifi: Touch + CIA PS +MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 xMeridianDSP3100 +Rel Stadium 3 sub. Bedroom/Office: Boom Kitchen: Touch + powered Fostex PM0.4 Misc use: Radio (with battery) iPad1 with iPengHD & SqueezePad (in storage SB3, reciever ,controller ) server HP proliant micro server N36L with ClearOS Linux http://people.xiph.org/~xiphmont/demo/neil-young.html ------------------------------------------------------------------------ Mnyb's Profile: http://forums.slimdevices.com/member.php?userid=4143 View this thread: http://forums.slimdevices.com/showthread.php?t=102304 _______________________________________________ discuss mailing list discuss@lists.slimdevices.com http://lists.slimdevices.com/mailman/listinfo/discuss
