Windows 7 (TLS 1.2)

[Happy2Play 5939]

Maybe someone else has some insight or knowledge on this, has anyone one successfully used the new TVDB v4 plugin on Windows 7 and got it to work as it requires a minimum of TLS 1.2.

I have done everything I could find online to activate TLS 1.2 on Windows 7, but no luck with this plugin.

System.Net.Http.HttpRequestException: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.

InnerException: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.

InnerException: System.ComponentModel.Win32Exception: The message received was unexpected or badly formatted.

Is this just beyond the protocols in Windows 7?

Edited November 15, 2021 by Happy2Play

[Luke 28989]

Did you try the registry edits that can be found when google searching this issue?

[Happy2Play 5939]

5 minutes ago, Luke said:

Did you try the registry edits that can be found when google searching this issue?

Yes all have been applied.  As mentioned in in other topic TLS 1.2 would appear to work, as api.github.com query works and it is TLS 1.2/TLS 1.3 also from the testing I have done.

Even tried IISCrypto

But still get the "The message received was unexpected or badly formatted." for V4 TVDB.

[adminExitium 19]

It's almost definitely due to the cipher suites that are available on Windows 7, none of which are currently supported on the new TVDB API server, which only supports a handful of newer cipher suites. Github on the other hand supports many more cipher suites.

SSL Analysis of api4.thetvdb.com: https://www.ssllabs.com/ssltest/analyze.html?d=api4.thetvdb.com&s=13.35.125.115&latest#suitesBody

SSL Analysis of api.github.com: https://www.ssllabs.com/ssltest/analyze.html?d=api.github.com#suitesBody

Supported Cipher Suites on Windows 7 via IE11 (which uses the OS suites, unlike Firefox or Chrome who use their own bundled suites): https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win 7

Microsoft Docs regarding supported suites on Windows 7: https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-7

Similar Issue here: https://stackoverflow.com/questions/68458467/all-known-steps-have-been-taken-but-tls-1-2-is-still-not-working-on-windows-7

 

I guess someone could ask TVDB to allow a couple of the older Cipher Suites for wider compatibility?

[Happy2Play 5939]

It would appear this is not possible, do to Windows 7 not having the cipher suites TVDB is using.

https://social.technet.microsoft.com/Forums/ie/en-US/d1a10844-18fb-4400-b649-60183c5f58c6/how-to-add-cipher-suite-to-windows-7-tlsrsawithaes128gcmsha256?forum=w7itprosecurity

SSL2, SSL3, TLS 1.0 and TLS 1.1 cipher suites:

TLS_RSA_WITH_AES_128_CBC_SHA                 
TLS_RSA_WITH_AES_256_CBC_SHA                 
TLS_RSA_WITH_RC4_128_SHA                     
TLS_RSA_WITH_3DES_EDE_CBC_SHA                
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256      
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384      
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521      
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256      
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384       
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256    
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384    
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521    
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256    
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384    
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521    
TLS_DHE_DSS_WITH_AES_128_CBC_SHA             
TLS_DHE_DSS_WITH_AES_256_CBC_SHA              
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5                                       
SSL_CK_RC4_128_WITH_MD5                      
SSL_CK_DES_192_EDE3_CBC_WITH_MD5             
TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_MD5                        

TLS 1.2 SHA256 and SHA384 cipher suites:

TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_NULL_SHA256

TLS 1.2 ECC GCM cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521

@kjhedges@Luke

 

Edited November 15, 2021 by Happy2Play
edit suites

[adminExitium 19]

Just for completeness, the SSL report for the current (v3?) API server of TVDB: https://www.ssllabs.com/ssltest/analyze.html?d=api.thetvdb.com#suitesBody

[Happy2Play 5939]

Opened a ticket on TVDB asking about this issue.

[kjhedges 25]

12 hours ago, Happy2Play said:

It would appear this is not possible, do to Windows 7 not having the cipher suites TVDB is using.

https://social.technet.microsoft.com/Forums/ie/en-US/d1a10844-18fb-4400-b649-60183c5f58c6/how-to-add-cipher-suite-to-windows-7-tlsrsawithaes128gcmsha256?forum=w7itprosecurity

SSL2, SSL3, TLS 1.0 and TLS 1.1 cipher suites:

TLS_RSA_WITH_AES_128_CBC_SHA                 
TLS_RSA_WITH_AES_256_CBC_SHA                 
TLS_RSA_WITH_RC4_128_SHA                     
TLS_RSA_WITH_3DES_EDE_CBC_SHA                
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256      
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384      
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521      
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256      
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384       
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256    
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384    
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521    
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256    
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384    
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521    
TLS_DHE_DSS_WITH_AES_128_CBC_SHA             
TLS_DHE_DSS_WITH_AES_256_CBC_SHA              
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5                                       
SSL_CK_RC4_128_WITH_MD5                      
SSL_CK_DES_192_EDE3_CBC_WITH_MD5             
TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_MD5                        

TLS 1.2 SHA256 and SHA384 cipher suites:

TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_NULL_SHA256

TLS 1.2 ECC GCM cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521

@kjhedges@Luke

 

Thank you for confirming this.

An upgrade of windows is now in order then lol

[chef 2481]

Just wanted to comment, in order to follow this thread. 

I am a windows 7 user still.. .. ... yup.

 

I am experiencing issues with the api, and hopefully we see thetvdb allow support for older machines. 

 

[Luke 28989]

We'll see what they say.

[kjhedges 25]

I have now migrated to windows 10.

 

No problems with migration. All users and activity still in place.

[Luke 28989]

Thanks for the feedback.

[chef 2481]

A little bit more information here.

I'm actually seeing issues with Win 8. I forgot that my test server for programming is actually running on windows 8.1(I really have to change that... Win 8 is horrendous)

 

I see this in the test server logs:

2021-11-16 21:56:18.212 Error App: Error in TheTVDB
	*** Error Report ***
	Version: 4.7.0.18
	Command line: C:\Users\Benjamin\AppData\Roaming\Emby-Server\system\EmbyServer.dll -noautorunwebapp
	Operating system: Microsoft Windows 6.3.9600
	Framework: .NET 6.0.0-rtm.21522.10
	OS/Process: x64/x64
	Runtime: C:/Users/Benjamin/AppData/Roaming/Emby-Server/system/System.Private.CoreLib.dll
	Processor count: 4
	Data path: C:\Users\Benjamin\AppData\Roaming\Emby-Server\programdata
	Application path: C:\Users\Benjamin\AppData\Roaming\Emby-Server\system
	System.Net.Http.HttpRequestException: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
	 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
	 ---> System.ComponentModel.Win32Exception (0x80090326): The message received was unexpected or badly formatted.
	   --- End of inner exception stack trace ---
	   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
	   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
	   --- End of inner exception stack trace ---
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsync(HttpRequestOptions options, String httpMethod)
	   at Tvdb.EntryPoint.EnsureToken(CancellationToken cancellationToken)
	   at Tvdb.EntryPoint.GetResponse(HttpRequestOptions request, String method)
	   at Tvdb.TvdbEpisodeProvider.FetchMainResult(String seriesId, String seasonType, CancellationToken cancellationToken)
	   at Tvdb.TvdbEpisodeProvider.DownloadEpisodesInfo(String id, String seasonType, CancellationToken cancellationToken)
	   at Tvdb.TvdbEpisodeProvider.GetEpisodeData(EpisodeInfo searchInfo, Boolean fillExtendedInfo, CancellationToken cancellationToken)
	   at Tvdb.TvdbEpisodeProvider.GetMetadata(EpisodeInfo searchInfo, CancellationToken cancellationToken)
	   at MediaBrowser.Providers.Manager.MetadataService`2.ExecuteRemoteProviders(MetadataResult`1 temp, LibraryOptions libraryOptions, String logName, TIdType id, IEnumerable`1 providers, CancellationToken cancellationToken)
	Source: System.Net.Http
	TargetSite: Void MoveNext()
	InnerException: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
	Source: System.Net.Security
	TargetSite: Void MoveNext()
	   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
	   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
	InnerException: System.ComponentModel.Win32Exception: The message received was unexpected or badly formatted.
	Source: 
	TargetSite: 

 

[Happy2Play 5939]

1 minute ago, chef said:

A little bit more information here.

I'm actually seeing issues with Win 8. I forgot that my test server for programming is actually running on windows 8.1(I really have to change that... Win 8 is horrendous)

 

I see this in the test server logs:

2021-11-16 21:56:18.212 Error App: Error in TheTVDB
	*** Error Report ***
	Version: 4.7.0.18
	Command line: C:\Users\Benjamin\AppData\Roaming\Emby-Server\system\EmbyServer.dll -noautorunwebapp
	Operating system: Microsoft Windows 6.3.9600
	Framework: .NET 6.0.0-rtm.21522.10
	OS/Process: x64/x64
	Runtime: C:/Users/Benjamin/AppData/Roaming/Emby-Server/system/System.Private.CoreLib.dll
	Processor count: 4
	Data path: C:\Users\Benjamin\AppData\Roaming\Emby-Server\programdata
	Application path: C:\Users\Benjamin\AppData\Roaming\Emby-Server\system
	System.Net.Http.HttpRequestException: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
	 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
	 ---> System.ComponentModel.Win32Exception (0x80090326): The message received was unexpected or badly formatted.
	   --- End of inner exception stack trace ---
	   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
	   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
	   --- End of inner exception stack trace ---
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsync(HttpRequestOptions options, String httpMethod)
	   at Tvdb.EntryPoint.EnsureToken(CancellationToken cancellationToken)
	   at Tvdb.EntryPoint.GetResponse(HttpRequestOptions request, String method)
	   at Tvdb.TvdbEpisodeProvider.FetchMainResult(String seriesId, String seasonType, CancellationToken cancellationToken)
	   at Tvdb.TvdbEpisodeProvider.DownloadEpisodesInfo(String id, String seasonType, CancellationToken cancellationToken)
	   at Tvdb.TvdbEpisodeProvider.GetEpisodeData(EpisodeInfo searchInfo, Boolean fillExtendedInfo, CancellationToken cancellationToken)
	   at Tvdb.TvdbEpisodeProvider.GetMetadata(EpisodeInfo searchInfo, CancellationToken cancellationToken)
	   at MediaBrowser.Providers.Manager.MetadataService`2.ExecuteRemoteProviders(MetadataResult`1 temp, LibraryOptions libraryOptions, String logName, TIdType id, IEnumerable`1 providers, CancellationToken cancellationToken)
	Source: System.Net.Http
	TargetSite: Void MoveNext()
	InnerException: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
	Source: System.Net.Security
	TargetSite: Void MoveNext()
	   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
	   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
	InnerException: System.ComponentModel.Win32Exception: The message received was unexpected or badly formatted.
	Source: 
	TargetSite: 

 

If this is correct It looks the same as Windows 7.

TLS Cipher Suites in Windows 8.1 - Win32 apps | Microsoft Docs

Qualys SSL Labs - Projects / User Agent Capabilities: IE 11 / Win 8.1

[Happy2Play 5939]

Response from TVDB

Quote

Is there any chance of you adding a cipher suite that is compatible with Windows 7?

Quote

Unfortunately we won't be doing that. Sorry about that.

 

 

[Happy2Play 5939]

Looks like we may need an announcement about TVDB v4 TLS 1.2 cipher suite requirement as older Windows systems will not meet the requirements. @Luke

May need to update system requirements also, but there is a major difference in Emby requirements and this plugins TVDB 1.1.0.0+ (v4).  Or a note about the minimum requirement using TVDB plugin on our requirements KB. @cayars

[cayars 3517]

Thanks for the heads up on that @Happy2Play. I've not followed TVDB V4 at all as I knew you and other were on it.
Do you happen to have a link handy about this?  If not I'm sure I can Google it.

[chef 2481]

Hmm... There must be a hack somewhere to get win 7 to have these ciphers.

But, it probabaly worth just updating.

I will miss my desktop. It is exactly the way I like it. 

 

[kjhedges 25]

11 hours ago, chef said:

But, it probably worth just updating.

I will miss my desktop. It is exactly the way I like it. 

 

Luckily, my Emby server is a separate machine so I never miss my old faithful windows 7 Desktop.

[Gripweed107 2]

There's a possibility that "No" may not mean "No".  Ticketed and labeled as an enhancement.

https://github.com/thetvdb/v4-api/issues/149

Please show support for it.

[Gripweed107 2]

Problem solved thanks to SirSparkles AKA Sparky at TV Rename.  TVDB (API v4) added in some additional ciphers so that Win 7 & 8 users can connect now.

Latest TLS analysis of api4.thetvdb.com

[Luke 28989]

11 minutes ago, Gripweed107 said:

Problem solved thanks to SirSparkles AKA Sparky at TV Rename.  TVDB (API v4) added in some additional ciphers so that Win 7 & 8 users can connect now.

Latest TLS analysis of api4.thetvdb.com

Excellent, that will save us some troubleshooting. Thanks for the update.

[Happy2Play 5939]

Yes have verified working on Windows 7.  Really surprised they added the Weak ciphers.

@kjhedges @chef

[chef 2481]

1 hour ago, Happy2Play said:

Yes have verified working on Windows 7.  Really surprised they added the Weak ciphers.

@kjhedges @chef

That is great news. I'll get to keep my server the way it is for a while longer now .

[Gripweed107 2]

As a Emby and TV Rename user I am doubly happy now especially since I had just recently stupidly paid for a yearly subscription with TVDB and it appeared as a Win7 user that I was going to be locked out of v3 & v4 shortly.