SSL Issues with 4.7.0.60


moviefan

I can try to build the new server with the older runtime so that we can compare the difference.


Painkiller8818
2 hours ago, moviefan said:

Is Win10 still officially supported by Emby?

yes absolutely


moviefan

Don't understand what's breaking it for only certain people then.


With 4.6.7, what does the browser report as the TLS version?


Ok, purely for testing purposes, please try unzipping this over the top of your existing install:

https://www.dropbox.com/s/a5znc1g8g3cqbt7/embyserver-win-x64-4.7.1.0.7z?dl=0

It's the 4.7.1 release but targeting the .net 3.1 runtime instead of 6.0. It's not a perfect 3.1 environment as it is still being built with the 6.0 SDK, but targeting 3.1. On MacOS I saw that I had to completely purge newer SDK versions from the machine in order to get a true 3.1 build without any newer updates. I can't do that right now, so let's start with this and see what happens. Thanks.


moviefan

Hey Luke.  Thanks for putting this out.  I followed your instructions and it appears to be working.


Just now, moviefan said:

Hey Luke.  Thanks for putting this out.  I followed your instructions and it appears to be working.

Hmm, well I guess that confirms it. Thanks.


So we're not going to go back to the older version of the runtime for all users, and give up the benefits that come with it, so I guess now we wait. We'll wait to see if this is impactful enough to justify having a separate download for older versions of Windows.


Q-Droid
1 hour ago, Luke said:

So we're not going to go back to the older version of the runtime for all users, and give up the benefits that come with it, so I guess now we wait. We'll wait to see if this is impactful enough to justify having a separate download for older versions of Windows.

You're a glutton for punishment. While you're at it, can you maintain a release for WinXP too?

/j


moviefan
5 hours ago, Luke said:

So we're not going to go back to the older version of the runtime for all users, and give up the benefits that come with it, so I guess now we wait. We'll wait to see if this is impactful enough to justify having a separate download for older versions of Windows.

Just clarifying - I understand Win7 isn't a priority.  Win10 seems to be impacted however.  Are we just waiting to see how many people are still on Win10 vs Win 11?

I should obviously stop upgrading at this point?


On 5/25/2022 at 1:07 AM, moviefan said:

Just clarifying - I understand Win7 isn't a priority.  Win10 seems to be impacted however.  Are we just waiting to see how many people are still on Win10 vs Win 11?

I should obviously stop upgrading at this point?

Can you show us exactly what the browser says with Windows 10? Lots of users run Windows 10 with ssl around here.


Following along on this too.
@moviefan can you show us what you're referring to with Windows 10?


  • 2 weeks later...
moviefan

@deccat said he was using Win10 and had this issue and solved it with a reverse proxy. I don't have a personal example.


rbjtech

Glad to see Emby make the decision not to downgrade their security to work with an out of date security protocol.  By 'accommodating' older protocols,  you add security risk to those who are running with the latest ciphers by allowing 'downgrade' type attacks. 

I have not done this myself as I no longer run Win 7 but why not simply upgrade the protocol stack in Win 7 to use TLS 1.2+ ?

https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392

Having a minimum set of security standards for emby to use TLS 1.2+  is a good thing. ;)

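An added example, not part of any post in this thread and not Emby code: a small Python probe that pins the client to one TLS version per attempt and records the protocol and cipher suite the server negotiates, which is the information being asked for from the browser and lets a 4.6.7 and a 4.7.x install be compared. The host name, port and function names are placeholders chosen for this example.

```python
import socket
import ssl

# TLS 1.0/1.1 are left out: current OpenSSL builds often refuse them on the
# client side, which would be indistinguishable from a server-side refusal.
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Diagnostic only: a home server's certificate often does not match the
    # address being probed, so validation is skipped to reach the handshake.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def probe(host, port, timeout=5.0):
    """Return {version label: outcome} for one handshake attempt per version."""
    results = {}
    for label, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                ctx = pinned_context(version)
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    name, _, bits = tls.cipher()
                    results[label] = f"ok {tls.version()} {name} ({bits} bits)"
        except ssl.SSLError as exc:
            # TCP connected but the handshake was refused (protocol or cipher mismatch).
            results[label] = f"handshake failed: {exc}"
        except OSError as exc:
            # Refused connection, reset or timeout before a handshake completed.
            results[label] = f"connection error: {exc.__class__.__name__}"
    return results

if __name__ == "__main__":
    # Placeholder host and port; substitute the server's own HTTPS address.
    for label, outcome in probe("emby.example.invalid", 443).items():
        print(label, "->", outcome)
```

A "handshake failed" result on a version that the previous server build accepted points at the protocol or cipher negotiation rather than at the network path.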

moviefan
On 6/3/2022 at 8:11 PM, Luke said:

Are you using a VPN?

No I am not using a VPN.


moviefan
On 6/4/2022 at 1:07 AM, rbjtech said:

Glad to see Emby make the decision not to downgrade their security to work with an out of date security protocol.  By 'accommodating' older protocols,  you add security risk to those who are running with the latest ciphers by allowing 'downgrade' type attacks. 

I have not done this myself as I no longer run Win 7 but why not simply upgrade the protocol stack in Win 7 to use TLS 1.2+ ?

https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392

Having a minimum set of security standards for emby to use TLS 1.2+  is a good thing. ;)

I am using a version of Windows 7 that supports TLS 1.2.  My system using TLS 1.2 was shown above in the connection details.  This has nothing to do with reducing security, it simply appears to be using a newer version of the .net runtime to support it.

BTW I tried installing the patch in the link you posted and it says already installed.


Does the server dashboard display the ssl url as your remote address? 


Happy2Play

Is it just a Windows 7 issue having issues connecting?

I can see your HTTPS login page without issue from my Windows 10 system.


rbjtech
5 hours ago, moviefan said:

I am using a version of Windows 7 that supports TLS 1.2.  My system using TLS 1.2 was shown above in the connection details.  This has nothing to do with reducing security, it simply appears to be using a newer version of the .net runtime to support it.

BTW I tried installing the patch in the link you posted and it says already installed.

Sorry - It has everything to do with security.  Just because .NET 3.1 supports TLS 1.2 - it does not mean it is fully updated to comply with all the previously found/fixed security related vulnerabilities now in v6 !

If you wish to carry on using an out of support OS, then that is your choice - but personally I don't think you can expect other software to carry on supporting this platform.


moviefan
20 hours ago, rbjtech said:

If you wish to carry on using an out of support OS, then that is your choice - but personally I don't think you can expect other software to carry on supporting this platform.

I don't expect this and never indicated so.  And no, .NET runtime 3.1 doesn't have worse security than v6.  Despite your exclamation point.  It's just a version number.


moviefan
On 6/7/2022 at 6:50 PM, Luke said:

Does the server dashboard display the ssl url as your remote address? 

Yes
