karlheyes / icecast-kh

KH branch of icecast
GNU General Public License v2.0

Windows / SSL / Listener Authentication #319

Closed russr999 closed 4 years ago

russr999 commented 4 years ago


Hi Karl....really hoping you can help as I'm lost. I've installed icecast kh15. I have set up and configured SSL and Listener Authentication and this is where my error is. If I remove Listener Authentication everything works perfectly. If I remove SSL then the Listener Authentication works perfectly. SSL is correctly configured, as with SSL enabled and Listener Authentication disabled I correctly get the secure site symbol in the browser. As soon as I include Listener Authentication it brings up a login box looking for a username and password. What am I doing wrong?

my mount section is as follows:

[Listener Auth Files.zip](https://github.com/karlheyes/icecast-kh/files/4858065/Listener.Auth.Files.zip)

```xml
<mount type="normal">
  <mount-name>/mountname</mount-name>
  <public>-1</public>
  <authentication type="url">
    <option name="listener_add" value="https://radio.**domain.tld**:8444/icbmrc.php?mount=mountname" />
    <option name="auth_header" value="icecast-auth-user: 1" />
  </authentication>
</mount>
```

my config file for ssl is:

```xml
<listen-socket>
  <port>9090</port>
  <tls>1</tls>
</listen-socket>
```

I've also attached the icbmrc.php file for info.

My environment is Windows (x64) using "certifytheweb" to generate the SSL cert.

I don't know why I'm getting a logon box as I'm using url for authentication and both local and WAN ip are in the list. Hoping you can point me in the right direction please.

karlheyes commented 4 years ago

Firstly, the listen-socket blocks in kh are both ssl and non-ssl capable so you don't need the ssl tag; the tls tag is not used on the kh tree, but tls is handled automatically. If you can access some local file like index.html or status.xsl over https then the front end part is ok. I would suspect it is, as you are getting a login box.

The next part to check is the actual auth part. libcurl should be enabled for it to work but check the error log (level 4) to see any auth entries. You should be seeing attempts for the url, even if they are rejected. If the specified header is not present then a 401 is returned to the listener which typically causes the login box. You don't actually need the auth_header setting, but do return it to allow the client.

As a side note, I'm unsure of how well your script will run with the mount parameter being passed like that. Strictly speaking it is allowed, but the icecast settings are passed via POST and there already is a mount setting. Your script looks to use _GET so it should be ok, but be wary of it. You could use a different name to avoid the clash.

Just check what you are getting in the script. I presume you are seeing something reasonable in the access log.

karl.

russr999 commented 4 years ago

Hi Karl,

I have removed the mount setting from the php call as it's not needed - it was only used to create a log - thanks for that. I have also removed the unnecessary ssl tag from the listen port.

Reading through the debug log, I'm getting this WARN entry which I am now suspecting is causing my problem, as if I access the icbmrc page directly I can see it is correctly returning the auth header.

```text
[2020-07-02  12:49:16] WARN auth_url/url_add_listener auth to server https://radio.domain.tld:8444/icbmrc.php (/mountname) failed with error setting certificate verify locations:
  CAfile: /usr/x86_64-w64-mingw32/sys-root/mingw/etc/pki/tls/certs/ca-bundle.crt
  CApath: none
```

This is on Windows, where the CAfile location quoted above looks like Linux, so I'm not sure what that is.

Also you said

> auth part. libcurl should be enabled for it to

Not sure how to do that on Windows as curl is just a binary executable. I have put it in the system32 folder, so any other ideas would be great. I've also attached the access log and error log in the hope that they can help us figure out what's going wrong.

Thanks Rory

logs.zip

karlheyes commented 4 years ago

The cafile looks to be a default in the libs used (I don't define a default in icecast). You should be able to specify an ssl-cafile tag with your own bundle in the paths section, like the other ssl options. If the auth engine is not able to establish a link to the backend portal then I can see why listeners are getting a 401 response.

Just for general reference, if the link between your icecast and the auth portal is private then you do not need to use https; the encryption/decryption adds latency. Obviously if the situation implies you do need it then ok. Also, if you want to issue a 403 Forbidden then return a header such as

```text
icecast-auth-message: 403 You shall not pass
```

The bit after the 403 is whatever you like.

karl..
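A minimal listener-auth endpoint of the kind this thread is debugging, written here in Python as an added example (it is not the icbmrc.php from the issue and not part of icecast-kh): it reads the POST fields icecast sends to the auth URL, admits listed client IPs with `icecast-auth-user: 1`, and denies everyone else with the `icecast-auth-message` 403 header Karl describes, so a rejected listener never gets the 401 login box. The POST field names `action`, `mount` and `ip`, the port and the IP allowlist are assumptions.

```python
import io
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# Constructed allowlist standing in for the "local and WAN ip" list in the issue.
ALLOWED_IPS = {"127.0.0.1", "192.0.2.10"}

def auth_headers(form):
    """Return the response headers icecast-kh should read for one auth request.

    `form` holds the POST fields icecast sends (assumed names: action, mount, ip).
    """
    if form.get("action") != "listener_add":
        # Other actions (e.g. a listener leaving) carry no admission decision.
        return [("icecast-auth-user", "1")]
    if form.get("ip") in ALLOWED_IPS:
        return [("icecast-auth-user", "1")]
    # Explicit deny: without this header a missing icecast-auth-user yields a 401,
    # which is what produced the browser login box in the issue.
    return [("icecast-auth-message", "403 You shall not pass")]

def app(environ, start_response):
    """WSGI app: parse the POST body, answer 200 with the decision headers."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length).decode()
    form = {k: v[0] for k, v in parse_qs(body).items()}
    start_response("200 OK", auth_headers(form) + [("Content-Type", "text/plain")])
    return [b""]

def handle(body):
    """Run one POST body through app() without a socket; returns (status, headers)."""
    result = {}
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    def start_response(status, headers):
        result["status"], result["headers"] = status, headers
    list(app(environ, start_response))
    return result["status"], result["headers"]

if __name__ == "__main__":
    # Assumed port matching the issue's auth URL; serve over plain HTTP on a private link.
    make_server("127.0.0.1", 8444, app).serve_forever()
```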

russr999 commented 4 years ago

Hi Karl,

Thank you so much for all the help/guidance. I followed all your advice and where I got back to was that the original certificate was malformed in some way. After replacing that, it's all working perfectly now.