
openSSL out of date


bandit8623


visproduction

Bandit,
SSL is a registration on your domain and it is under your control.  Updating is up to you.  Emby can run with a domain when your individual SSL setup is correct.  I don't think there is anything in Emby to update.  It either goes to an IP address if you have no SSL or it goes to your domain name when you set up SSL on your domain.

Edited by visproduction

Happy2Play
18 minutes ago, bandit8623 said:

doing security checks im getting this.

Your server is using a outdated version of OpenSSL vulnerable to denial of service attack. Urgently update OpenSSL to version 1.1.1k or newer.

https://www.immuniweb.com/ssl/

when will this be updated?

Sorry I don't follow, what does this have to do with Emby?


pwhodges
17 minutes ago, visproduction said:

Bandit,
SSL is a registration on your domain and it is under your control.  Updating is up to you.  Emby can run with a domain when your individual SSL setup is correct.  I don't think there is anything in Emby to update.  It either goes to an IP address if you have no SSL or it goes to your domain name when you set up SSL on your domain.

Er, no. You're talking about certificates - he's talking about the code in the server which checks and uses the certificates - handling the ssl which https is based on.

Paul


bandit8623
1 hour ago, Happy2Play said:

Sorry I don't follow, what does this have to do with Emby?

emby uses openssl.  the version is baked into the server.  we or i have no control.


Happy2Play

Still confused here as I get this on both 4.7.8.0 and 4.8.0.12 servers testing on that site.


Wouldn't this be a system, not an Emby issue?  As the openssl files in system folder appear to be .NET signed by Microsoft.

someone else's SSL test on test site as the site is not testing Emby any way that I know of.


Edited by Happy2Play

bandit8623
21 hours ago, Luke said:

Hi, what version of emby server do you have?

latest beta 4.8.0.12

Edited by bandit8623
added ver

bandit8623
20 hours ago, TeamB said:

are you accessing Emby directly or through a reverse proxy

talking to me?  im just running the test from that link directly to my server.   

direct no proxy

Edited by bandit8623

Happy2Play
3 hours ago, bandit8623 said:

talking to me?  im just running the test from that link directly to my server.   

But the test is against SSL not Emby from my understanding.  Just like the score you get is against your System settings.  But it passes on all my Windows systems.

6 hours ago, bandit8623 said:
8 hours ago, Luke said:

Hi, what version of emby server do you have?

latest beta

What platform?


bandit8623
9 hours ago, Happy2Play said:

But the test is against SSL not Emby from my understanding.  Just like the score you get is against your System settings.  But it passes on all my Windows systems.

What platform?

Windows.  So if you are not having the issue then it has to be how I created my cert then. 


Happy2Play
2 minutes ago, bandit8623 said:

Windows.  So if you are not having the issue then it has to be how I created my cert then. 

I am no expert on this but could be.  I have WHS2011/Server 2016 GoDaddy custom cert that comes with the servers.  

As for Emby it is on a Windows 10 machine with a copy of the servers SSL.  So https goes to server while https Emby port goes to Windows 10.

I would assume if your cert was on any machine or shutdown or uninstalled Emby you would get this vulnerability.


bandit8623
2 hours ago, Happy2Play said:

I am no expert on this but could be.  I have WHS2011/Server 2016 GoDaddy custom cert that comes with the servers.  

As for Emby it is on a Windows 10 machine with a copy of the servers SSL.  So https goes to server while https Emby port goes to Windows 10.

I would assume if your cert was on any machine or shutdown or uninstalled Emby you would get this vulnerability.

i redid my cert with updated openssl 1.1.1.1q.  and i still get the vulnerability problem.  when doing your test are you adding the port to your emby server?  example my ip address 1.1.1.1:8920


Edited by bandit8623
added pic

Happy2Play
Just now, bandit8623 said:

i redid my cert with updated openssl 1.1.1.1q.  and i still get the vulnerability problem.  when doing your test are you adding the port to your emby server?  example my ip address 1.1.1.1:8920

I did both and get slightly different results on each, but both do not show the vulnerability.

Summary of xxxxxxxxxxxxxxx.homeserver.com:443 (HTTPS) SSL Security Test (WHS2011 server that controls the certificate)

Summary of xxxxxxxxxxxxxxx.homeserver.com:8920 (N/A) SSL Security Test (Windows 10 with SSL cert in Emby)



justinrh
17 hours ago, bandit8623 said:
20 hours ago, TeamB said:

are you accessing Emby directly or through a reverse proxy

talking to me?  im just running the test from that link directly to my server. 

@bandit8623 He is talking to you.  He is asking if DNS is pointed directly to the server or to a reverse proxy where the proxy forwards traffic to your Emby server.


bandit8623
2 minutes ago, justinrh said:

@bandit8623 He is talking to you.  He is asking if DNS is pointed directly to the server or to a reverse proxy where the proxy forwards traffic to your Emby server.

directly to server.


bandit8623
On 10/15/2022 at 5:29 PM, visproduction said:

Bandit,
SSL is a registration on your domain and it is under your control.  Updating is up to you.  Emby can run with a domain when your individual SSL setup is correct.  I don't think there is anything in Emby to update.  It either goes to an IP address if you have no SSL or it goes to your domain name when you set up SSL on your domain.

i have my ssl cert fully setup.  i used openssl 1.1.1.1q to combine the pem files.  i am able to connect remotely just fine.  just getting that vulnerability error check


Q-Droid
2 hours ago, bandit8623 said:

i redid my cert with updated openssl 1.1.1.1q.  and i still get the vulnerability problem.  when doing your test are you adding the port to your emby server?  example my ip address 1.1.1.1:8920


If you're getting an F then you have more problems than a single mid-range score vulnerability. I suspect you're focusing on the wrong things from the report.

 


bandit8623
14 minutes ago, Q-Droid said:

If you're getting an F then you have more problems than a single mid-range score vulnerability. I suspect you're focusing on the wrong things from the report.

 

No.  i got an F because of this issue.


this is the only other attention item.


 

Edited by bandit8623

Happy2Play

I would think everyone's system would get this if it were an Emby issue.  But don't really have any idea what it could be though as I can't replicate on 4 different Windows versions on stable or beta servers.


Q-Droid

I think the real issue is this - TLS_RSA_WITH_3DES_EDE_CBC_SHA

That is a cipher that should definitely not be allowed. Your error might be a false report on what is really a bad cipher being allowed during negotiation. The stable version of Emby does not seem to include 3DES in the cipher suite.

Edit: I should add that I'm on Linux, not Windows, running stable and tested using Caddy with an EC cert and direct to Emby with an RSA cert. Neither allowed 3DES in the negotiation.

 

Edited by Q-Droid

Happy2Play

@Q-Droid I can say mine shows multiple weak ciphers but don't get an F as I don't get this OpenSSL issue.  Where I get a C I will assume primarily for enabled TLS 1.0 per their list.

But will assume OP would get the same with Emby shutdown or even uninstalled.  As 8920 is just port forwarding to the Host machine.  So the question becomes what on this system is causing it?

@bandit8623 What version of Windows?


Q-Droid
7 minutes ago, Happy2Play said:

@Q-Droid I can say mine shows multiple weak ciphers but don't get an F as I don't get this OpenSSL issue.  Where I get a C I will assume primarily for enabled TLS 1.0 per their list.

But will assume OP would get the same with Emby shutdown or even uninstalled.  As 8920 is just port forwarding to the Host machine.  So the question becomes what on this system is causing it?

@bandit8623 What version of Windows?

Yes but 3DES is a broken and deprecated cipher and not quite the same as merely weak ones. I don't know why the Emby server would allow that downgrade unless there's a proxy (already said no) or something is seriously out of date or a regression. But you don't see it so that should rule out regression.
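
Added example, not part of any post in this thread and not Emby's code: a Python check for the 3DES negotiation discussed in the posts above. It builds a TLS 1.2 ClientHello that offers only 3DES suites and classifies the server's first record; the function names, the constructed sample replies and the absence of SNI and other extensions are assumptions of this sketch.

```python
import os
import socket
import struct

TRIPLE_DES = {  # IANA code points for 3DES suites
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",  # the suite named in the thread
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC008: "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}

def build_client_hello(suites=tuple(TRIPLE_DES)):
    """TLS 1.2 ClientHello offering only the given suites (no extensions, no SNI)."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"      # version, random, empty session id
            + struct.pack(">H", len(suite_bytes)) + suite_bytes + b"\x01\x00")  # suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_server_reply(data):
    """Classify the first TLS record: ('accepted', suite) or ('refused', alert code)."""
    if len(data) < 5:
        raise ValueError("short TLS record")
    rec_type, _version, rec_len = struct.unpack(">BHH", data[:5])
    payload = data[5:5 + rec_len]
    if rec_type == 0x15 and len(payload) >= 2:          # alert: level, description
        return ("refused", payload[1])
    if rec_type != 0x16 or len(payload) < 41 or payload[0] != 0x02:
        raise ValueError("not a ServerHello or alert")
    pos = 4 + 2 + 32                                    # handshake header, version, random
    pos += 1 + payload[pos]                             # skip session id
    (suite,) = struct.unpack(">H", payload[pos:pos + 2])
    return ("accepted", TRIPLE_DES.get(suite, hex(suite)))

def probe(host, port, timeout=5.0):
    """Send the hello to a server you operate and classify its first record."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        buf = b""
        while len(buf) < 5 or len(buf) < 5 + int.from_bytes(buf[3:5], "big"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_server_reply(buf)

# Constructed sample replies (not captured from any real server).
SAMPLE_ACCEPT = b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03" + bytes(32) + b"\x00\x00\x0a\x00"
SAMPLE_REFUSE = b"\x15\x03\x03\x00\x02\x02\x28"  # fatal alert 40, handshake_failure
```

Calling `probe(host, 8920)` against your own Emby HTTPS port returns `('accepted', ...)` if the listener still negotiates 3DES and `('refused', <alert code>)`, typically 40 (handshake_failure), if it does not.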

 
