bandit8623 48 Posted October 15, 2022 Share Posted October 15, 2022 doing security checks im getting this. Your server is using a outdated version of OpenSSL vulnerable to denial of service attack. Urgently update OpenSSL to version 1.1.1k or newer. https://www.immuniweb.com/ssl/ when will this be updated? Link to comment Share on other sites More sharing options...
visproduction 122 Posted October 15, 2022 Share Posted October 15, 2022 (edited) Bandit, Ssl is a registration on your domain and it is under your control. Updating is up to you. Emby can run with a domain when your individual SSL setup is correct. I don't think there is anything in Emby to update. It either goes to an IP address if you have no SSL or it goes to your domain name when you setup SSL on your domain. Edited October 16, 2022 by visproduction Link to comment Share on other sites More sharing options...
Happy2Play 8281 Posted October 15, 2022 Share Posted October 15, 2022 18 minutes ago, bandit8623 said: doing security checks im getting this. Your server is using a outdated version of OpenSSL vulnerable to denial of service attack. Urgently update OpenSSL to version 1.1.1k or newer. https://www.immuniweb.com/ssl/ when will this be updated? Sorry I don't follow, what does this have to do with Emby? Link to comment Share on other sites More sharing options...
pwhodges 1527 Posted October 15, 2022 Share Posted October 15, 2022 Presumably Emby's https (ssl) option uses OpenSSL. Paul 1 Link to comment Share on other sites More sharing options...
pwhodges 1527 Posted October 15, 2022 Share Posted October 15, 2022 17 minutes ago, visproduction said: Bandit, Ssl is a registration on your domain and it is under your control. Updating is up to you. Emby can run with a domain when your individual SSL setup is correct. I don't there is anything in Emby to update. It either goes to an IP address if you have no SSL or it goes to your domain name when you setup SSL on your domain. Er, no. You're talking about certificates - he's talking about the code in the server which checks and uses the certificates - handling the ssl which https is based on. Paul 1 Link to comment Share on other sites More sharing options...
bandit8623 48 Posted October 16, 2022 Author Share Posted October 16, 2022 1 hour ago, Happy2Play said: Sorry I don't follow, what does this have to do with Emby? emby uses openssl. the version is baked into the server. we or i have no control. Link to comment Share on other sites More sharing options...
Luke 37060 Posted October 16, 2022 Share Posted October 16, 2022 Hi, what version of emby server do you have? Link to comment Share on other sites More sharing options...
Happy2Play 8281 Posted October 16, 2022 Share Posted October 16, 2022 (edited) Still confused here as I get this on both 4.7.8.0 and 4.8.0.12 servers testing on that site. Wouldn't this be a system, not a Emby issue? As the openssl files in system folder appear to be .NET signed by Microsoft. someone else's SSL test on test site as the site is not testing Emby any way that I know of. Edited October 16, 2022 by Happy2Play Link to comment Share on other sites More sharing options...
bandit8623 48 Posted October 16, 2022 Author Share Posted October 16, 2022 (edited) 21 hours ago, Luke said: Hi, what version of emby server do you have? latest beta 4.8.0.12 Edited October 16, 2022 by bandit8623 added ver Link to comment Share on other sites More sharing options...
TeamB 2352 Posted October 16, 2022 Share Posted October 16, 2022 (edited) are you accessing Emby directly or through a reverse proxy Edited October 16, 2022 by TeamB Link to comment Share on other sites More sharing options...
bandit8623 48 Posted October 16, 2022 Author Share Posted October 16, 2022 (edited) 20 hours ago, TeamB said: are you accessing Emby directly or through a reverse proxy talking to me? im just running the test from that link directly to my server. direct no proxy Edited October 16, 2022 by bandit8623 Link to comment Share on other sites More sharing options...
Happy2Play 8281 Posted October 16, 2022 Share Posted October 16, 2022 3 hours ago, bandit8623 said: talking to me? im just running the test from that link directly to my server. But the test is against SSL not Emby from my understanding. Just like the score you get is against your System settings. But it passes on all my Windows systems. 6 hours ago, bandit8623 said: 8 hours ago, Luke said: Hi, what version of emby server do you have? latest beta What platform? Link to comment Share on other sites More sharing options...
bandit8623 48 Posted October 16, 2022 Author Share Posted October 16, 2022 9 hours ago, Happy2Play said: But the test is against SSL not Emby from my understanding. Just like the score you get is against your System settings. But it passes on all my Windows systems. What platform? Windows. So if you are not having the issue then it has to be how I created my cert then. Link to comment Share on other sites More sharing options...
Happy2Play 8281 Posted October 16, 2022 Share Posted October 16, 2022 2 minutes ago, bandit8623 said: Windows. So if you are not having the issue then it has to be how I created my cert then. I am no expert on this but could be. I have WHS2011/Server 2016 GoDaddy custom cert that comes with the servers. As for Emby it is on a Windows 10 machine with a copy of the servers SSL. So https goes to server while https Emby port goes to Windows 10. I would assume if your cert was on any machine or shutdown or uninstalled Emby you would get this vulnerability. Link to comment Share on other sites More sharing options...
bandit8623 48 Posted October 16, 2022 Author Share Posted October 16, 2022 (edited) 2 hours ago, Happy2Play said: I am no expert on this but could be. I have WHS2011/Server 2016 GoDaddy custom cert that comes with the servers. As for Emby it is on a Windows 10 machine with a copy of the servers SSL. So https goes to server while https Emby port goes to Windows 10. I would assume if your cert was on any machine or shutdown or uninstalled Emby you would get this vulnerability. i redid my cert with updated openssl 1.1.1.1q . and i still get the vulnerabiltyy problem. when doing your test are you adding the port to your emby server? example my ip address 1.1.1.1:8920 Edited October 16, 2022 by bandit8623 added pic Link to comment Share on other sites More sharing options...
Happy2Play 8281 Posted October 16, 2022 Share Posted October 16, 2022 Just now, bandit8623 said: i redid my cert with updated openssl 1.1.1.1q . and i still get the vulnerabiltyy problem. when doing your test are you adding the port to your emby server? example my ip address 1.1.1.1:8920 I did both and get slightly different results on each, but both do not show the vulnerability. Summary of xxxxxxxxxxxxxxx.homeserver.com:443 (HTTPS) SSL Security Test (WHS2011 server that controls the certificate) Summary of xxxxxxxxxxxxxxx.homeserver.com:8920 (N/A) SSL Security Test (Windows 10 with SSL cert in Emby) Link to comment Share on other sites More sharing options...
justinrh 174 Posted October 16, 2022 Share Posted October 16, 2022 17 hours ago, bandit8623 said: 20 hours ago, TeamB said: are you accessing Emby directly or through a reverse proxy talking to me? im just running the test from that link directly to my server. @bandit8623 He is talking to you. He is asking if DNS is pointed directly to the server or to a reverse proxy where the proxy forwards traffic to your Emby server. Link to comment Share on other sites More sharing options...
bandit8623 48 Posted October 16, 2022 Author Share Posted October 16, 2022 2 minutes ago, justinrh said: @bandit8623 He is talking to you. He is asking if DNS is pointed directly to the server or to a reverse proxy where the proxy forwards traffic to your Emby server. directly to server. Link to comment Share on other sites More sharing options...
bandit8623 48 Posted October 16, 2022 Author Share Posted October 16, 2022 On 10/15/2022 at 5:29 PM, visproduction said: Bandit, Ssl is a registration on your domain and it is under your control. Updating is up to you. Emby can run with a domain when your individual SSL setup is correct. I don't think there is anything in Emby to update. It either goes to an IP address if you have no SSL or it goes to your domain name when you setup SSL on your domain. i have my ssl cert fully setup. i used openssl 1.1.1.1q to combine the pem files. i am able to connect remotely just fine. just getting that vulnerability error check Link to comment Share on other sites More sharing options...
Q-Droid 641 Posted October 17, 2022 Share Posted October 17, 2022 2 hours ago, bandit8623 said: i redid my cert with updated openssl 1.1.1.1q . and i still get the vulnerabiltyy problem. when doing your test are you adding the port to your emby server? example my ip address 1.1.1.1:8920 If you're getting an F then you have more problems than a single mid-range score vulnerability. I suspect you're focusing on the wrong things from the report. Link to comment Share on other sites More sharing options...
bandit8623 48 Posted October 17, 2022 Author Share Posted October 17, 2022 (edited) 14 minutes ago, Q-Droid said: If you're getting an F then you have more problems than a single mid-range score vulnerability. I suspect you're focusing on the wrong things from the report. No. i got an F because of this issue. this is the only other attention item. Edited October 17, 2022 by bandit8623 Link to comment Share on other sites More sharing options...
Happy2Play 8281 Posted October 17, 2022 Share Posted October 17, 2022 I would think everyone's system would get this if it were a Emby issue. But don't really have any idea what it could be though as I can't replicate on 4 different Windows versions on stable or beta servers. Link to comment Share on other sites More sharing options...
Q-Droid 641 Posted October 17, 2022 Share Posted October 17, 2022 (edited) I think the real issue is this - TLS_RSA_WITH_3DES_EDE_CBC_SHA That is a cipher that should definitely not be allowed. Your error might be a false report on what is really a bad cipher being allowed during negotiation. The stable version of Emby does not seem to include 3DES in the cipher suite. Edit: I should add that I'm on Linux, not Windows, running stable and tested using Caddy with an EC cert and direct to Emby with an RSA cert. Neither allowed 3DES in the negotiation. Edited October 17, 2022 by Q-Droid Link to comment Share on other sites More sharing options...
Happy2Play 8281 Posted October 17, 2022 Share Posted October 17, 2022 @Q-Droid I can say mine shows multiple weak ciphers but don't get an F as I don't get this OpenSSL issue. Where I get a C I will assume primarily for enable TLS 1.0 per there list. But will assume OP would get the same with Emby shutdown or ever uninstalled. As 8920 is just port forwarding to the Host machine. So the question becomes what on this system is causing it? @bandit8623 What version of Windows? Link to comment Share on other sites More sharing options...
Q-Droid 641 Posted October 17, 2022 Share Posted October 17, 2022 7 minutes ago, Happy2Play said: @Q-Droid I can say mine shows multiple weak ciphers but don't get an F as I don't get this OpenSSL issue. Where I get a C I will assume primarily for enable TLS 1.0 per there list. But will assume OP would get the same with Emby shutdown or ever uninstalled. As 8920 is just port forwarding to the Host machine. So the question becomes what on this system is causing it? @bandit8623 What version of Windows? Yes but 3DES is a broken and deprecated cipher and not quite the same as merely weak ones. I don't know why the Emby server would allow that downgrade unless there's a proxy (already said no) or something is seriously out of date or a regression. But you don't see it so that should rule out regression. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now