SSL Issues with 4.7.0.60

[Elsaya]

the reverse proxy is a good idea for windows 7.

[Luke]

I can try to build the new server with the older runtime so that we can compare the difference.

[Painkiller8818]

2 hours ago, moviefan said:

Is Win10 still officially supported by Emby?

yes absolutely

[moviefan]

Don't understand what's breaking it for only certain people then.

[Luke]

With 4.6.7, what does the browser report as the TLS version?

[Elsaya]

[moviefan]

[Luke]

Ok, purely for testing purposes, please try unzipping this over the top of your existing install:

https://www.dropbox.com/s/a5znc1g8g3cqbt7/embyserver-win-x64-4.7.1.0.7z?dl=0

It's the 4.7.1 release but targeting the .net 3.1 runtime instead of 6.0. It's not a perfect 3.1 environment as it is still being built with the 6.0 SDK, but targeting 3.1. On MacOS I saw that I had to completely purge newer SDK versions from the machine in order to get a true 3.1 build without any newer updates. I can't do that right now, so let's start with this and see what happens. Thanks.

[moviefan]

Hey Luke.  Thanks for putting this out.  I followed your instructions and it appears to be working.

[Luke]

Just now, moviefan said:

Hey Luke.  Thanks for putting this out.  I followed your instructions and it appears to be working.

Hmm, well I guess that confirms it. Thanks.

[Luke]

So we're not going to go back to the older version of the runtime for all users, and give up the benefits that come with it, so I guess now we wait. We'll wait to see if this is impactful enough to justify having a separate download for older versions of Windows.

[Q-Droid]

1 hour ago, Luke said:

So we're not going to go back to the older version of the runtime for all users, and give up the benefits that come with it, so I guess now we wait. We'll wait to see if this is impactful enough to justify having a separate download for older versions of Windows.

You're a glutton for punishment. While you're at it, can you maintain a release for WinXP too?

/j

[moviefan]

5 hours ago, Luke said:

So we're not going to go back to the older version of the runtime for all users, and give up the benefits that come with it, so I guess now we wait. We'll wait to see if this is impactful enough to justify having a separate download for older versions of Windows.

Just clarifying - I understand Win7 isn't a priority.  Win10 seems to be impacted however.  Are we just waiting to see how many people are still on Win10 vs Win 11?

I should obviously stop upgrading at this point?

[Luke]

On 5/25/2022 at 1:07 AM, moviefan said:

Just clarifying - I understand Win7 isn't a priority.  Win10 seems to be impacted however.  Are we just waiting to see how many people are still on Win10 vs Win 11?

I should obviously stop upgrading at this point?

Can you show us exactly what the browser says with Windows 10? Lots of users run Windows 10 with ssl around here.

[cayars]

Following a long on this too.
@moviefan can you show us what you're referring to with Windows 10?

[moviefan]

@deccatsaid he was using Win10 and had this issue and solved with reverse proxy.  I dont have a personal example.

[Luke]

Are you using a VPN?

[rbjtech]

Glad to see Emby make the decision not to downgrade their security to work with an out of date security protocol.  By 'accommodating' older protocols,  you add security risk to those who are running with the latest ciphers by allowing 'downgrade' type attacks. 

I have not done this myself as I no longer run Win 7 but why not simply upgrade the protocol stack in Win 7 to use TLS 1.2+ ?

https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392

Having a minimum set of security standards for emby to use TLS 1.2+  is a good thing.

Edited June 4 by rbjtech

[moviefan]

On 6/3/2022 at 8:11 PM, Luke said:

Are you using a VPN?

No I am not using a VPN.

[moviefan]

On 6/4/2022 at 1:07 AM, rbjtech said:

Glad to see Emby make the decision not to downgrade their security to work with an out of date security protocol.  By 'accommodating' older protocols,  you add security risk to those who are running with the latest ciphers by allowing 'downgrade' type attacks. 

I have not done this myself as I no longer run Win 7 but why not simply upgrade the protocol stack in Win 7 to use TLS 1.2+ ?

https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392

Having a minimum set of security standards for emby to use TLS 1.2+  is a good thing.

I am using a version of Windows 7 that supports TLS 1.2.  My system using TLS 1.2 was shown above in the connection details.  This has nothing to do with reducing security, it is simply appears to be using a newer version of the .net runtime to support it.

BTW I tried installing the patch in the link you posted and it says already installed.

[Luke]

Does the server dashboard display the ssl url as your remote address? 

[Happy2Play]

Is it just a Windows 7 issue having issues connecting?

I can see your HTTPS login page without issue from my Windows 10 system.

[rbjtech]

5 hours ago, moviefan said:

I am using a version of Windows 7 that supports TLS 1.2.  My system using TLS 1.2 was shown above in the connection details.  This has nothing to do with reducing security, it is simply appears to be using a newer version of the .net runtime to support it.

BTW I tried installing the patch in the link you posted and it says already installed.

Sorry - It has everything to do with security.  Just because .NET 3.1 supports TLS 1.2 - it does not mean it is fully updated to comply with all the previously found/fixed security related vulnerabilities now in v6 !

If you wish to carry on using an out of support OS, then that is your choice - but personally I don't think you can expect other software to carry on supporting this platform.

[moviefan]

20 hours ago, rbjtech said:

If you wish to carry on using an out of support OS, then that is your choice - but personally I don't think you can expect other software to carry on supporting this platform.

I don't expect this and never indicated so.  And no, .NET runtime 3.1 doesn't have worse security than v6.  Despite your exclamation point.  It's just a version number.

[moviefan]

On 6/7/2022 at 6:50 PM, Luke said:

Does the server dashboard display the ssl url as your remote address? 

Yes