Happy2Play 8281 Posted October 17, 2022
4 minutes ago, Q-Droid said: Yes, but 3DES is a broken and deprecated cipher and not quite the same as merely weak ones. I don't know why the Emby server would allow that downgrade unless there's a proxy (already said no) or something is seriously out of date or a regression. But you don't see it, so that should rule out regression.
How is this related to Emby at all, as it is seeing host machine ciphers? All I need to do is use something like IISCrypto and disable the cipher and TLS 1.0 to remove it as an issue and go from a C to A+. But that doesn't help OP's OpenSSL issue.
bandit8623 48 Posted October 17, 2022 (edited)
2 hours ago, Happy2Play said: @Q-Droid I can say mine shows multiple weak ciphers but I don't get an F, as I don't get this OpenSSL issue. I get a C, which I will assume is primarily for enabled TLS 1.0 per their list. But I will assume OP would get the same with Emby shut down or even uninstalled, as 8920 is just port forwarding to the host machine. So the question becomes: what on this system is causing it? @bandit8623 What version of Windows?
If I don't have Emby running the test fails to run. Server 2022.
Edited October 17, 2022 by bandit8623
Happy2Play 8281 Posted October 17, 2022
The only time I got that is when testing on a port that is not forwarded.
Q-Droid 641 Posted October 17, 2022
8 hours ago, Happy2Play said: How is this related to Emby at all, as it is seeing host machine ciphers? All I need to do is use something like IISCrypto and disable the cipher and TLS 1.0 to remove it as an issue and go from a C to A+.
It's the combination of web server config and crypto lib that determines the cipher suites allowed and negotiated when establishing the connection. Since we as users have no control over the Emby web server, the option is to make sure the crypto libs are up to date. If Emby is using the defaults in the underlying components we can end up with these results if the software is outdated. For example, in Apache or nginx an SSL cipher suite directive value of 'HIGH' eliminates all of the DES, RC4, NULL and MD5 ciphers from the equation. But users can't control this in Emby.
Happy2Play said: But that doesn't help OP's OpenSSL issue.
Yeah, I see other 3DES tests that received a "C" grade, so it's not that cipher by itself causing the failure. The test is really giving that OpenSSL vuln a lot of weight.
Q-Droid 641 Posted October 17, 2022
6 hours ago, bandit8623 said: If I don't have Emby running the test fails to run. Server 2022.
If Emby isn't running there's nothing listening at that address:port.
bandit8623 48 Posted October 17, 2022 (edited)
11 hours ago, Q-Droid said: I think the real issue is this - TLS_RSA_WITH_3DES_EDE_CBC_SHA. That is a cipher that should definitely not be allowed. Your error might be a false report on what is really a bad cipher being allowed during negotiation. The stable version of Emby does not seem to include 3DES in the cipher suite. Edit: I should add that I'm on Linux, not Windows, running stable, and tested using Caddy with an EC cert and direct to Emby with an RSA cert. Neither allowed 3DES in the negotiation.
TLS_RSA_WITH_3DES_EDE_CBC_SHA: I force-denied this. Now I have a B-. But the original OpenSSL issue still persists.
Edited October 17, 2022 by bandit8623
richt 73 Posted October 17, 2022
8 hours ago, Q-Droid said: It's the combination of web server config and crypto lib that determines the cipher suites allowed and negotiated when establishing the connection. Since we as users have no control over the Emby web server, the option is to make sure the crypto libs are up to date. If Emby is using the defaults in the underlying components we can end up with these results if the software is outdated. For example, in Apache or nginx an SSL cipher suite directive value of 'HIGH' eliminates all of the DES, RC4, NULL and MD5 ciphers from the equation. But users can't control this in Emby. Yeah, I see other 3DES tests that received a "C" grade, so it's not that cipher by itself causing the failure. The test is really giving that OpenSSL vuln a lot of weight.
This is the exact reason why you want to run Apache or nginx as a reverse proxy in front of Emby when you are exposing it to an insecure network. I doubt the Emby devs will ever keep up with all the new and emerging vulnerabilities that can be blocked by a simple reverse proxy. This is the type of solution I used in all the web-based business apps I managed. Always assume that, whatever security the app offers, a well-managed reverse proxy is far superior. Exposing an application to the Internet without a managed reverse proxy is an open invitation for your entire network to be hacked and risks the privacy of all your personal data stored anywhere on the network.
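As an added illustration of the reverse-proxy setup richt describes above (this is example configuration written for this thread, not config from the Emby project or from any poster), an nginx server block that terminates TLS with only TLS 1.2/1.3 and a 'HIGH'-based cipher list that drops the DES, 3DES, RC4, NULL and MD5 suites, then forwards to Emby over plain HTTP on the local host. The hostname, certificate paths and the backend address 127.0.0.1:8096 are assumptions; adjust them to your own setup.

```nginx
# Added example: nginx reverse proxy in front of Emby (not the project's own config).
# Assumed values: server name, certificate paths, and Emby listening on 127.0.0.1:8096 over HTTP.
server {
    listen 443 ssl;
    server_name emby.example.com;

    ssl_certificate     /etc/ssl/certs/emby.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/emby.example.com.key;

    # Only TLS 1.2 and 1.3: removes the TLS 1.0 finding from the scan outright.
    ssl_protocols TLSv1.2 TLSv1.3;

    # 'HIGH' already leaves out the DES/RC4/NULL/MD5 suites; the explicit '!'
    # entries make that visible and do not depend on which OpenSSL version nginx
    # was built against. !3DES removes TLS_RSA_WITH_3DES_EDE_CBC_SHA; !kRSA removes
    # the remaining RSA-key-exchange suites, which have no forward secrecy.
    ssl_ciphers 'HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!kRSA';
    ssl_prefer_server_ciphers on;

    # Forward to Emby on the local host; the proxy, not Emby, now terminates TLS,
    # so the public scan sees the proxy's OpenSSL and cipher policy.
    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Emby's web client and apps use WebSocket connections.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Send plain-HTTP visitors to the TLS listener.
server {
    listen 80;
    server_name emby.example.com;
    return 301 https://$host$request_uri;
}
```

With this in place, only port 443 on the proxy host needs to be reachable from outside; the Emby HTTP and HTTPS ports should stay bound to the LAN and not be forwarded.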
Happy2Play 8281 Posted October 17, 2022
@richt Trying to understand here, but why is it not reproducible if it is an Emby issue? As of now there is one user setup that sees an issue. I have tested on 5 different Windows machines with varying versions without issue. Unless there is something that only happens on Server 2022?
Happy2Play 8281 Posted October 17, 2022
@Luke This appears to be a Windows 11/Server 2022 issue, as I have reproduced it on Windows 11 but so far not on any older Windows version. But no one on any non-Windows system has confirmed or denied this issue showing on other platforms.
richt 73 Posted October 17, 2022
@Happy2Play Doubt I could really answer this, as I have not (and will not) exposed Emby (or any other app on my home network) to the Internet, so I haven't tested this issue. (Just a little paranoid.) A lot depends on how the PKCS #12 certificate was generated, but just as important is what ciphers the Emby web server allows. A reverse proxy like Apache or nginx can be configured to block old / vulnerable ciphers. What are you using to perform the vulnerability scan? Are all your 5 devices using the same TLS certificate? How was it generated? I might just get curious enough to test.
Happy2Play 8281 Posted October 17, 2022
5 minutes ago, richt said: What are you using to perform the vulnerability scan?
Link in first post. https://www.immuniweb.com/ssl/
5 minutes ago, richt said: Are all your 5 devices using the same TLS certificate? How was it generated?
Generated by WHS2011, a vanity cert from GoDaddy, xxxxxxxxxxxxx.homeserver.com, but exactly the same applies to the Server 2016 remote access cert. But as mentioned in the previous post, this appears to apply to W11/Server 2022.
Happy2Play 8281 Posted October 17, 2022 (edited)
@richt If it matters:

RSA CERTIFICATE INFORMATION
Issuer: Go Daddy Secure Certificate Authority - G2
Trusted: Yes
Common Name: xxxxxxxxxxxxxxxxxxxxxxx-emby.homeserver.com
Key Type/Size: RSA 2048 bits
Signature Algorithm: sha256WithRSAEncryption
Subject Alternative Names: DNS:xxxxxxxxxxxxxxxxxxxxxxx-emby.homeserver.com, DNS:www.xxxxxxxxxxxxxxxxxxxxxx-emby.homeserver.com
Transparency: Yes
Validation Level: DV
CRL: http://crl.godaddy.com/gdig2s1-3441.crl
OCSP: http://ocsp.godaddy.com/
OCSP Must-Staple: No
Supports OCSP Stapling: Yes
Valid From: November 07, 2021 20:11 CET
Valid To: December 09, 2022 20:11 CET

CERTIFICATE CHAIN
Root CA: Go Daddy Root Certificate Authority - G2
  Type/Size: RSA 2048 bits
  Signature: sha256WithRSAEncryption
  SHA256: 45140b3247eb9cc8c5…e2749dd3aca9198eda
  PIN: Ko8tivDrEjiY90yGas…wXvHqVvQI0GS3GNdA=
  Expires in: 5,554 days
  Comment: Self-signed
Intermediate CA: Go Daddy Secure Certificate Authority - G2
  Type/Size: RSA 2048 bits
  Signature: sha256WithRSAEncryption
  SHA256: 973a41276ffd01e027…0b6712e33832041aa6
  PIN: 8Rw90Ej3Ttt8RRkrg+…S03bk5bjP/UXPtaY8=
  Expires in: 3,119 days
  Comment: -
Server certificate: xxxxxxxxxxxxxxxxxxxxx-emby.homeserver.com
  Type/Size: RSA 2048 bits
  Signature: sha256WithRSAEncryption
  SHA256:
  PIN:
  Expires in: 53 days
  Comment: -
Edited October 17, 2022 by Happy2Play
TeamB 2352 Posted October 17, 2022
The issue being identified is not about the actual certificate used or how the certificate was generated: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449
It has identified that the tested system is using a vulnerable OpenSSL binary; not sure exactly how it determined this. Probably in the SSL handshake headers.
bandit8623 48 Posted October 18, 2022 (edited)
5 hours ago, richt said: @Happy2Play Doubt I could really answer this, as I have not (and will not) exposed Emby (or any other app on my home network) to the Internet, so I haven't tested this issue. (Just a little paranoid.) A lot depends on how the PKCS #12 certificate was generated, but just as important is what ciphers the Emby web server allows. A reverse proxy like Apache or nginx can be configured to block old / vulnerable ciphers. What are you using to perform the vulnerability scan? Are all your 5 devices using the same TLS certificate? How was it generated? I might just get curious enough to test.
I was able to block old / vulnerable ciphers on 2022, but I can't figure out how to fix the issue at hand. I generated my cert with OpenSSL 1.1.1.1q.
Edited October 18, 2022 by bandit8623
Happy2Play 8281 Posted October 18, 2022
Is it about renegotiation changes in newer systems? Or just hidden on older versions?
Windows 11
Previous Windows versions
Happy2Play 8281 Posted October 25, 2022
Anyone find anything on this? But I can say doing the same test in Jellyfin provides the same results.
Luke 37060 Posted November 20, 2022
Are you still having an issue with this?
Happy2Play 8281 Posted November 20, 2022
2 hours ago, Luke said: Are you still having an issue with this?
In my tests no change: Windows 10 pass, Windows 11 fail.
bandit8623 48 Posted November 26, 2022
On 11/20/2022 at 12:54 PM, Luke said: Are you still having an issue with this?
Yes. Server 2022.
Luke 37060 Posted December 12, 2022
On 11/26/2022 at 3:55 PM, bandit8623 said: Yes. Server 2022.
Are you on Windows?
Happy2Play 8281 Posted December 12, 2022
@Luke Yes, that is Server 2022. I get the same on Windows 11.
bandit8623 48 Posted December 13, 2022
On 12/11/2022 at 9:02 PM, Luke said: Are you on Windows?
Server 2022. Same issue as Happy on Windows 11.
Luke 37060 Posted December 13, 2022
The odd thing is we are not embedding OpenSSL on Windows. The dotnet runtime might be, but I thought it was only using it on Linux. I think whoever submitted the vulnerability happened to only test it with OpenSSL, but it probably occurs with other server software.
Happy2Play 8281 Posted December 22, 2022
@Luke Tested this on a Server 2022 VM with my cert in IIS and did not get the error (via 443), then tested with the cert in Emby and retested via the Emby port (8919) and got the error. Wonder if this will change in .NET 7? Breaking change: AllowRenegotiation default is false - .NET | Microsoft Learn
Not sure why we don't see this in previous Windows versions though?
justinrh 174 Posted December 22, 2022
11 hours ago, Happy2Play said: retested via the Emby port (8919)
@Happy2Play What do you get if Emby is configured with a well-known (TLS) port?