openSSL out of date


bandit8623


Happy2Play
4 minutes ago, Q-Droid said:

Yes but 3DES is a broken and deprecated cipher and not quite the same as merely weak ones. I don't know why the Emby server would allow that downgrade unless there's a proxy (already said no) or something is seriously out of date or a regression. But you don't see it so that should rule out regression.

 

How is this related to Emby at all as it is seeing Host machine ciphers?  As all I need to do is use something like IISCrypto and disable the cipher and TLS 1.0 to remove it as an issue and go from a C to A+. 

But doesn't help OP OpenSSL issue.


bandit8623
2 hours ago, Happy2Play said:

@Q-Droid I can say mine shows multiple weak ciphers but I don't get an F as I don't get this OpenSSL issue. Where I get a C I will assume is primarily for enabling TLS 1.0 per their list.

But I will assume OP would get the same with Emby shut down or even uninstalled. As 8920 is just port forwarding to the Host machine. So the question becomes what on this system is causing it?

@bandit8623 What version of Windows?

If I don't have Emby running the test fails to run. Server 2022


Happy2Play

Only time I got that is when testing on a port that is not forwarded.


Q-Droid
8 hours ago, Happy2Play said:

How is this related to Emby at all as it is seeing Host machine ciphers?  As all I need to do is use something like IISCrypto and disable the cipher and TLS 1.0 to remove it as an issue and go from a C to A+. 

It's the combination of web server config and crypto lib that determines the cipher suites allowed and negotiated when establishing the connection. Since we as users have no control over the Emby web server then the option is to make sure the crypto libs are up to date. If Emby is using the defaults in the underlying components we can end up with these results if the software is outdated.

For example in Apache or nginx an ssl cipher suite directive value of 'HIGH' eliminates all of the DES, RC4, NULL, MD5 ciphers from the equation. But users can't control this in Emby.

Quote

But doesn't help OP OpenSSL issue.

Yeah, I see other 3DES tests that received "C" grade so it's not that cipher by itself causing the failure. The test is really giving that openssl vuln a lot of weight.

 

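A way to check locally what an OpenSSL cipher-list string such as the 'HIGH' value mentioned above actually permits, as an added example that is not code from this thread or from Emby. It uses Python's ssl module against whatever OpenSSL build the machine running it has, and the list of weak-family name markers is this example's own assumption:

```python
import ssl

# Assumed marker set: name fragments identifying the cipher families the
# post says 'HIGH' removes (single/triple DES, RC4, NULL encryption, MD5 MACs)
# plus export grades. Works for OpenSSL-style and IANA-style names alike.
WEAK_MARKERS = ("DES", "RC4", "NULL", "MD5", "EXP")


def negotiable_ciphers(cipher_string):
    """Return the cipher names a server built on this machine's OpenSSL
    would offer for the given OpenSSL cipher-list string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() lists every suite OpenSSL would offer, TLS 1.3 included.
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Keep only the names that fall into one of the weak families."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def audit(cipher_string):
    """Summarise how many suites a cipher string offers and which are weak."""
    names = negotiable_ciphers(cipher_string)
    return {"offered": len(names), "weak": weak_ciphers(names)}


if __name__ == "__main__":
    # 'HIGH' is the value from the post; '!aNULL' additionally drops
    # anonymous key exchange, which HIGH alone does not exclude.
    for cs in ("ALL", "HIGH:!aNULL"):
        print(cs, audit(cs))
```

On OpenSSL 1.1.0 and later, 3DES is no longer in the HIGH group, so the hardened string reports no weak suites; the IANA name from this thread, TLS_RSA_WITH_3DES_EDE_CBC_SHA, is flagged by the same filter.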

Q-Droid
6 hours ago, bandit8623 said:

If I don't have Emby running the test fails to run. Server 2022

If Emby isn't running there's nothing listening at that address:port.


bandit8623
11 hours ago, Q-Droid said:

I think the real issue is this - TLS_RSA_WITH_3DES_EDE_CBC_SHA

That is a cipher that should definitely not be allowed. Your error might be a false report on what is really a bad cipher being allowed during negotiation. The stable version of Emby does not seem to include 3DES in the cipher suite.

Edit: I should add that I'm on Linux, not Windows, running stable and tested using Caddy with an EC cert and direct to Emby with an RSA cert. Neither allowed 3DES in the negotiation.

 

TLS_RSA_WITH_3DES_EDE_CBC_SHA

I force-denied this. Now have B-. But still the original OpenSSL issue persists.


8 hours ago, Q-Droid said:

It's the combination of web server config and crypto lib that determines the cipher suites allowed and negotiated when establishing the connection. Since we as users have no control over the Emby web server then the option is to make sure the crypto libs are up to date. If Emby is using the defaults in the underlying components we can end up with these results if the software is outdated.

For example in Apache or nginx an ssl cipher suite directive value of 'HIGH' eliminates all of the DES, RC4, NULL, MD5 ciphers from the equation. But users can't control this in Emby.

Yeah, I see other 3DES tests that received "C" grade so it's not that cipher by itself causing the failure. The test is really giving that openssl vuln a lot of weight.

 

This is the exact reason why you want to run Apache or nginx as a reverse proxy in front of Emby when you are exposing it to an insecure network. I doubt the Emby devs will ever keep up with all the new and emerging vulnerabilities that can be blocked by a simple reverse proxy.  This is the type of solution I used in all the web based business apps I managed. Always assume that whatever security the app offers, a well managed reverse proxy is far superior.  Exposing an application to the Internet without a managed reverse proxy is an open invitation for your entire network to be hacked and risks the privacy of all your personal data stored anywhere on the network.


Happy2Play

@richt Trying to understand here, but why is it not reproducible if it is an Emby issue? As of now there is one user setup that sees an issue. I have tested on 5 different Windows machines with varying versions without issue. Unless there is something that only happens on Server 2022?


Happy2Play

@Luke this appears to be a Windows 11/Server 2022 issue as I have reproduced it on Windows 11, but so far not on any older Windows version.

But no one on any non-Windows system has confirmed or denied whether this issue shows on other platforms.

 


@Happy2Play Doubt I could really answer this as I have not (and will not) expose Emby (or any other app on my home network) to the Internet, so I haven't tested this issue. (Just a little paranoid.) A lot depends on how the PKCS #12 certificate was generated, but just as important, what ciphers the Emby web server allows. A reverse proxy like Apache or nginx can be configured to block old / vulnerable ciphers.

What are you using to perform the vulnerability scan? Are all your 5 devices using the same TLS certificate? How was it generated? I might just get curious enough to test.


Happy2Play
5 minutes ago, richt said:

What are you using to perform the vulnerability scan?

Link in first post.

https://www.immuniweb.com/ssl/

 

5 minutes ago, richt said:

Are all you 5 devices using the same TLS certificate?  How was it generated?

Generated by WHS2011 vanity cert from GoDaddy xxxxxxxxxxxxx.homeserver.com, but the exact same applies to the Server 2016 remote access cert. But as mentioned in the previous post this appears to apply to W11/Server 2022.


Happy2Play

@richt If it matters

RSA CERTIFICATE INFORMATION
Issuer: Go Daddy Secure Certificate Authority - G2
Trusted: Yes
Common Name: xxxxxxxxxxxxxxxxxxxxxxx-emby.homeserver.com
Key Type/Size: RSA 2048 bits
Signature Algorithm: sha256WithRSAEncryption
Subject Alternative Names: DNS:xxxxxxxxxxxxxxxxxxxxxxx-emby.homeserver.com, DNS:www.xxxxxxxxxxxxxxxxxxxxxx-emby.homeserver.com
Transparency: Yes
Validation Level: DV
OCSP Must-Staple: No
Supports OCSP Stapling: Yes
Valid From: November 07, 2021 20:11 CET
Valid To: December 09, 2022 20:11 CET

CERTIFICATE CHAIN

📄 Root CA: Go Daddy Root Certificate Authority - G2
Type/Size: RSA 2048 bits
Signature: sha256WithRSAEncryption
SHA256: 45140b3247eb9cc8c5…e2749dd3aca9198eda
PIN: Ko8tivDrEjiY90yGas…wXvHqVvQI0GS3GNdA=
Expires in: 5,554 days
Comment: Self-signed

📄 Intermediate CA: Go Daddy Secure Certificate Authority - G2
Type/Size: RSA 2048 bits
Signature: sha256WithRSAEncryption
SHA256: 973a41276ffd01e027…0b6712e33832041aa6
PIN: 8Rw90Ej3Ttt8RRkrg+…S03bk5bjP/UXPtaY8=
Expires in: 3,119 days
Comment: -

📄 Server certificate: xxxxxxxxxxxxxxxxxxxxx-emby.homeserver.com
Type/Size: RSA 2048 bits
Signature: sha256WithRSAEncryption
SHA256:
PIN:
Expires in: 53 days
Comment: -

bandit8623
5 hours ago, richt said:

@Happy2Play Doubt I could really answer this as I have not (and will not) expose Emby (or any other app on my home network) to the Internet, so I haven't tested this issue. (Just a little paranoid.) A lot depends on how the PKCS #12 certificate was generated, but just as important, what ciphers the Emby web server allows. A reverse proxy like Apache or nginx can be configured to block old / vulnerable ciphers.

What are you using to perform the vulnerability scan? Are all your 5 devices using the same TLS certificate? How was it generated? I might just get curious enough to test.

I was able to block old / vulnerable ciphers on 2022, but I can't figure out how to fix the issue at hand. I generated my cert with OpenSSL 1.1.1.1q


Happy2Play

Is it about renegotiation changes in newer systems? Or is it just hidden on older versions?

Windows 11 (screenshot of the scan result)

Previous Windows versions (screenshot of the scan result)


Happy2Play

Anyone find anything on this?  But can say doing the same test in jellyfin provides the same results.


  • 4 weeks later...
Happy2Play
2 hours ago, Luke said:

Are you still having an issue with this?

In my tests no change

Windows 10 pass

Windows 11 fail


  • 3 weeks later...

The odd thing is we are not embedding openssl on windows. The dotnet runtime might be but I thought it was only using it on Linux. I think whoever submitted the vulnerability happened to only test it with openssl but it probably occurs with other server software.


  • 2 weeks later...
Happy2Play

@Luke tested this on a Server 2022 VM with my cert in IIS and did not get the error (via 443), then tested with the cert in Emby and retested via the Emby port (8919) and got the error.


Wonder if this will change in NET 7?

Breaking change: AllowRenegotiation default is false - .NET | Microsoft Learn

Not sure why we don't see this in previous Windows versions though?

 

