no SSL support on Ubuntu 18.04

[DJIronic]

Hello,

I am trying to run Icecast on my Ubuntu 18.04 with SSL enabled. When I add the official repository to the system and then use apt-get install icecast2, everything will work except that when I will turn the SSL on, I will get "No SSL capability" message, I pre-installed OpenSSL befory icecast installation.

any Idea how to fix this?

I also tried to build by Icecast from the source with the custom path ovf openssl pramater enabled (just put there the default openssl path) and it worked, but this icecast is installed as an app and not as a service, so don't how to reload config without dropping listeners (i need to add relays withour restarting the server as it will server as a proxy).

Thanks for all your time!

[Bo98]

When I add the official repository to the system and then use apt-get install icecast2, everything will work except that when I will turn the SSL on, I will get "No SSL capability" message

This is correct. See https://gitlab.xiph.org/xiph/icecast-server/issues/2310

but this icecast is installed as an app and not as a service

You can create your own. Something like this.

[dm8tbr]

We recommend to use our official Xiph.org packages if you need TLS support:

https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(official_Xiph_repositories)

[DJIronic]

@dm8tbr I am sorry but that's what I did. In my post I wrote that I installed your official directory from this page and then did all the commands there. So my problem is that the official version installed from your repository does not work withl ssl for me,

[dm8tbr]

You aren't running the Xiph.org version, as Debian/Ubuntu packaged 2.4.3 (which is the same as 2.4.2 on everything but windows). So despite adding the repository you ended up with the Ubuntu version, which indeed isn't compiled with openSSL.

You can easily see this:

# apt policy icecast2
icecast2:
  Installed: 2.4.3-2
  Candidate: 2.4.3-2
  Version table:
 *** 2.4.3-2 500
        500 http://fi.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
        100 /var/lib/dpkg/status
     2.4.2-2 500
        500 http://download.opensuse.org/repositories/multimedia:/xiph/xUbuntu_18.04 ./ Packages

solution:

apt install icecast2=2.4.2-2 → bliss

On a related note, we'll have to figure out a way to avoid such situations for users as they are non-intuitive. If anyone has ideas, please add to the wiki (new accounts are available on freenode IRC #xiph)

[reduzent]

The version string consists of three (partially optional) parts:

• epoch
• upstream_version
• revision

It seems the xiph repository uses the the same revision scheme as packages provided by Debian. At the time of this writing, the version from Debian is 2.4.4-1. At the same time, the packge from the xiph repo uses the exact same version 2.4.4-1. In such a case, apt seems to prefer the package from the official Debian repos. This situation could be avoided by using a higher revision in the xiph repo, for instance +xiph1~withSSL, the full version being 2.4.4+xiph1~withSSL. The + always trumps -. The ~withSSL is just a descriptive suffix. Since ~ is almost the last character in ASCII, it never overrides anything.

Info from here: https://www.debian.org/doc/debian-policy/ch-controlfields.html#version

[reduzent]

Above suggestion doesn't handle the case, where Debian has a higher upstream version than the xiph repo. However, one would assume that upstream is quicker in releasing than maintainers at Debian. If that is not true, one could still force the version from xiph repos with something like:

apt install -t Debian_10 icecast2
apt-mark hold icecast2

The latter command makes sure that current version is kept (even if xiph updates the package! Please beware of that).

[petterreinholdtsen]

[Roman Haefeli]

Above suggestion doesn't handle the case, where Debian has a higher upstream version than the xiph repo.

What about asking the Debian maintainers to enable SSL support, and let the change flow into Ubuntu? Has it been done already? Could not find such request on <URL: https://tracker.debian.org/pkg/icecast2 >.

-- Happy hacking Petter Reinholdtsen

[reduzent]

What about asking the Debian maintainers to enable SSL support, and let the change flow into Ubuntu?

From what I know this hasn't been done and according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744815#15 the problem is an incompatibility between the license openSSL uses and the GPL-2 that icecast2 uses.

[petterreinholdtsen]

[Roman Haefeli]

From what I know this hasn't been done and according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744815#15 the problem is an incompatibility between the license openSSL uses and the GPL-2 that icecast2 uses.

Which can be solved at the Icecast end, with "c) convince Icecast2 developers to relicense to a license compatible with OpenSSL (the most minimal change being "GPL-2. with OpenSSL exception")."

I also noticed work to build with WolfSSL, which is GPLv2, which would not required the OpenSSL exception.

According to <URL: https://en.wikipedia.org/wiki/OpenSSL_exception >, recent versions of OpenSSL is now licensed using the terms of the Apache License 2.0, which should remove the need for the exception.

I have no idea which option is most practical in this situation, but it might be worth investigating. I guess the easiest option would be to add the exception, to have as many options as possible available for distributors.

-- Happy hacking Petter Reinholdtsen

[digitalray]

https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(official_Xiph_repositories) no longer available