Topic: Bass.NET Icecast SSL mode problem

[alexeyZ]

Hi everyone, I am using Bass.NET package and have an issue with the switch Icecast broadcasting to SSL mode, the application works fine in non-SSL mode.  I added a certificate to Icecast and I see that it's ok:

Code: [Select]

[2022-12-04  00:12:13] INFO connection/connection.c SSL certificate found at ./radioCert.pem
[2022-12-04  00:12:13] INFO connection/connection.c SSL using ciphers ECDHE-RSA-AES....
After that I changed server address from http to https and set UseSSL option to true, here is the code for Icecast class initialization:

Code: [Select]

            _icecast = new ICEcast(_lame);
            _icecast.ServerAddress = serverAddress;
            _icecast.ServerPort = Convert.ToInt32(serverPort);
            _icecast.MountPoint = serverMountPoint;
            _icecast.StreamName = "Radio";
            _icecast.StreamDescription = "Radio";
            _icecast.StreamUrl = "radio.com";
            _icecast.PublicFlag = true;
            _icecast.AdminPassword = serverPassword;
            _icecast.AdminUsername = serverLogin;
            _icecast.Password = serverPassword;
            _icecast.UseSSL = serverAddress.Contains("https");

But in the logs I see the following error:  BASS_ERROR_UNKNOWN
I am using the latest version:2.4.17.2
Do I need to add some additional configuration or what I am doing wrong?

[radio42]

The UseSSL option 'just' adds the BASS_ENCODE_CAST_SSL flag to the BASS_Encode_CastInit call. I.e. all conditions mentioned in the docs do apply.
I.e.:
Use SSL/TLS encryption. This requires the OpenSSL library, and that the server is configured to accept encrypted connections.
SSL/TLS encryption requires the OpenSSL library (libssl) or compatible. A filename for that can be specified via the BASS_CONFIG_LIBSSL config option. If that is unset or fails to load then BASSenc will check if an OpenSSL library has already been loaded into the process with global scope and use that, and if that fails too then it will try some standard filenames for the library
A certificate and private key are also required, and can be set via the BASS_CONFIG_ENCODE_SERVER_CERT and BASS_CONFIG_ENCODE_SERVER_KEY config options, respectively.
If there already is a server on the same port then its certificate and key will be used by the new server too, regardless of those config settings.

But where exactly (for which BASS method call) do you get the BASS_ERROR_UNKNOWN error?

[alexeyZ]

Thanks for the quick answer. I thought, I only need to change the configuration and everything will be ok, looks like I need to do some additional steps .

Now I run all of this on the windows system and I didn't install specific OpenSSL libraries, only what I did - I installed the Git(with the openssl support) and converted my .pfx certificate file with command:

Code: [Select]

openssl pkcs12 -in radioCert.pfx -out radioCert.pem -nodes
and after that I see that the Icecast server works on the https protocol(attached an image).

In the application I only changed UseSSL option and server address moved from http to https.
The BASS_ERROR_UNKNOWN error I see in the BroadCastEventHandler when I started the application, here is my code:

 

Code: [Select]

           
            _icecast = new ICEcast(_lame);
            _icecast.ServerAddress = serverAddress;
            _icecast.ServerPort = Convert.ToInt32(serverPort);
            _icecast.MountPoint = serverMountPoint;
            _icecast.StreamName = "Radio";
            _icecast.StreamDescription = "Radio";
            _icecast.StreamUrl = "http://radio.com";
            _icecast.PublicFlag = true;
            _icecast.AdminPassword = serverPassword;
            _icecast.AdminUsername = serverLogin;
            _icecast.Password = serverPassword;
            _icecast.UseSSL = serverAddress.Contains("https");

            Logger.Info("UseSSL:" + _icecast.UseSSL);

            _broadCast = new BroadCast(_icecast);
            _broadCast.Notification += new BroadCastEventHandler(OnBroadCast_Notification);
            _broadCast.AutoReconnect = true;


        private void OnBroadCast_Notification(object sender, BroadCastEventArgs e)
        {
            // Note: this method might be called from another thread (non UI thread)!
            if (_broadCast == null)
                return;
            if (_broadCast.IsConnected)
            {
                Logger.Info("BroadCast connected");
            }
            else
            {
                var error = Bass.BASS_ErrorGetCode();
                Logger.Info($"BroadCast failed connect:{error}");
            }
        }

In the log I see the following: BroadCast failed connect:BASS_ERROR_UNKNOWN

Can you give some step by step tutorial how I should do this or give some example, what libraries I need, what settings I must change

[radio42]

You can use the bass_ssl lib which is available at un4seen…
Plus set the params as specified.

[alexeyZ]

I tried to set the settings and copied the required files, but for now, without luck, I did the following:

• copied the "bass_ssl.dll" file
• copied the "libssl-1_1-x64.dll" file and set Bass.BASS_SetConfigString(BASSConfig.BASS_CONFIG_LIBSSL, "libssl-1_1-x64.dll")
• copied the certificate ".pem" file that contains a private key and set the config settings

I checked the description of the settings in http://bass.radio42.com/help/html/3490e2bc-7f3a-9135-3d24-ee519029f737.htm and I saw that both of them are the path to the certificate  ".pem" file.

Code: [Select]

           var useSSL = serverAddress.Contains("https");

            if (useSSL)
            {
                Bass.BASS_SetConfigString(BASSConfig.BASS_CONFIG_LIBSSL, "libssl-1_1-x64.dll");
                Bass.BASS_SetConfigString(BASSConfig.BASS_CONFIG_ENCODE_SERVER_KEY, "radioCert.pem");
                Bass.BASS_SetConfigString(BASSConfig.BASS_CONFIG_ENCODE_SERVER_CERT, "radioCert.pem");
            }
But after all of these chages I have the same error:BASS_ERROR_UNKNOWN

[Ian @ un4seen]

To use the BASS_SSL.DLL, it should be placed alongside your EXE. You don't need an additional libssl DLL then or to set BASS_CONFIG_LIBSSL. You also don't need to set the BASS_CONFIG_ENCODE_SERVER_CERT/KEY options for Icecast; they're only used by BASSenc's built-in server, ie. BASS_Encode_ServerInit.

If the problem persists, to narrow down what/where it is, you could try running the pre-compiled CAST.EXE example included in the BASSenc package (C\BIN folder), eg. see if you can connect to your Icecast server with that. If that works fine, please confirm what function call you're getting the BASS_ERROR_UNKNOWN error from in your app. An SSL setup problem would usually result in a BASS_ERROR_SSL error, so your issue may be something unrelated to that.

[alexeyZ]

Thanks, that means BASS_SSL.DLL is not my option because I already have a lot of logic with Icecast and it's already working fine in non-SSL mode.
About  CAST.EXE  - I am using my app on the VPS server without sound device, so I got the error: Can't initialize device(error code 3)
I added some additional logging and see that after I call BASS_StreamCreateFile method I got the negative handler:

Code: [Select]

            rechandle = Bass.BASS_StreamCreateFile(tempFileName, 0, 0,
                BASSFlag.BASS_STREAM_DECODE | BASSFlag.BASS_SAMPLE_FLOAT | BASSFlag.BASS_STREAM_PRESCAN);

            if(rechandle == 0)
            {
                var error = Bass.BASS_ErrorGetCode();
                Logger.Info($"Rechandle 0:{error}");
            }
            else
            {
                var error = Bass.BASS_ErrorGetCode();
                Logger.Info($"Rechandle {rechandle}, error code {error}");
            }

Got "Rechandle -2147483645, error code BASS_OK" in the logs, if I remember correctly the negative handle is wrong for this operation?

[Ian @ un4seen]

Thanks, that means BASS_SSL.DLL is not my option because I already have a lot of logic with Icecast and it's already working fine in non-SSL mode.

Were you trying to enable SSL in BASSenc without modifying the Icecast server config? If so, that indeed won't work. SSL needs to be enabled on the server side too, by adding a "listen-socket" section with "ssl" set to 1, and a "ssl-certificate" for your certificate in the "paths" section. Information on those settings is available here:

   https://icecast.org/docs/icecast-latest/config-file.html
   

Got "Rechandle -2147483645, error code BASS_OK" in the logs, if I remember correctly the negative handle is wrong for this operation?

All BASS channel handles are negative (have the highest bit set), so that value looks fine.

[alexeyZ]

Thanks all for your responses, I finally solved the issue.
As I wrote before, I already modified  Icecast server config, added "ssl", "ssl-certificate" settings etc. and it's applied fine, I see the icecast server page with https.
The problem was that I can't connect to this server, with my bass application(with non-https Icecast server settings it's was ok).
I solved the issue with an additional configuration,I added to Icecast server config additional non-ssl listen-socket configuration.

Code: [Select]


<listen-socket>
        <port>8001</port>
</listen-socket>
I already had ssl listen-socket configuration:

Code: [Select]

<listen-socket>
        <port>8000</port>
        <ssl>1</ssl>
</listen-socket>
But I can't connect to this with my bass application and I tried to connect to the new one(without ssl). I successfully connected and broadcast audio to ssl port also and now all works fine, just have 2 listen-sockets, one for incoming source from my bass application, the second one outgoing for broadcasting to clients.

[Creatus72]

<listen-socket>
        <port>8000</port>
</listen-socket>
<listen-socket>
        <port>8100</port>
        <ssl>1</ssl>
</listen-socket>
<listen-socket>
        <port>8110</port>
        <ssl>1</ssl>
</listen-socket>
<listen-socket>
        <port>8120</port>
        <ssl>1</ssl>
</listen-socket>
<paths>
    <basedir>/usr/share/icecast2</basedir>
    <logdir>/var/log/icecast2</logdir>
    <webroot>/usr/share/icecast2/web</webroot>
    <adminroot>/usr/share/icecast2/admin</adminroot>
    <pidfile>/usr/share/icecast2/icecast.pid</pidfile>
    <alias source="/" destination="/status.xsl"/>
    *<ssl-certificate>/home/admin/conf/web/domain/ssl/icecast.pem</ssl-certificate>
    <ssl-allowed-ciphers>
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    </ssl-allowed-ciphers>
  </paths>

Kötelező rész! Ügyelj arra, hogy az xml fájlban ne legyen sortörés!
*<ssl-certificate>/home/admin/conf/web/domain/ssl/icecast.pem</ssl-certificate> - valós útvonal megadása, mely a .pem fájlra mutat!