
openSSL out of date


bandit8623


Happy2Play
4 hours ago, justinrh said:

@Happy2Play what do you get if Emby is configured with a well-known (TLS) port?

Changing Emby to 443 made no difference.


  • 9 months later...
rbjtech

If you want the very latest and timely resolution of security vulnerabilities/standard changes (from PCI DSS, HIPAA, NIST etc.), then you need to use a well-supported reverse proxy, as has been said earlier in this thread: nginx, Caddy etc. Configured correctly, they will also get you an A+ using this testing suite and will decouple all of these security responsibilities/dependencies away from Emby.


Q-Droid
3 hours ago, rbjtech said:

If you want the very latest and timely resolution of security vulnerabilities/standard changes (from PCI DSS, HIPAA, NIST etc.), then you need to use a well-supported reverse proxy, as has been said earlier in this thread: nginx, Caddy etc. Configured correctly, they will also get you an A+ using this testing suite and will decouple all of these security responsibilities/dependencies away from Emby.

This is the way! Regardless of the Emby version and platform. Millions use Apache, nginx, Caddy, etc. in publicly facing sites/applications. They are heavily scrutinized and continually updated to fix security findings.

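The setup rbjtech and Q-Droid recommend, as an added example that is not part of the thread and not Emby's own code: a small POSIX shell script that writes a TLS-terminating nginx site config in front of Emby and then checks the written file for the directives that matter to a TLS scanner (protocol versions, HSTS, the proxy_pass). Everything below is assumed rather than taken from the thread: Emby listening on plain HTTP at 127.0.0.1:8096, certificates under /etc/letsencrypt/live/<domain>/, and the names media.example.org and /etc/nginx/conf.d/emby.conf in the usage line.

```shell
#!/bin/sh
# Added example, not Emby's code: generate an nginx site that terminates TLS
# in front of Emby so protocol/cipher policy lives in nginx, not in the media
# server's own HTTPS listener. Assumptions (change to suit): Emby on plain
# HTTP at 127.0.0.1:8096, certificate files under /etc/letsencrypt/live/.
# Usage: write_emby_proxy_conf /etc/nginx/conf.d/emby.conf media.example.org
write_emby_proxy_conf() {
    out="$1"
    domain="$2"
    upstream="${3:-http://127.0.0.1:8096}"
    # Unquoted heredoc: ${domain}/${upstream} expand, nginx's own $vars are
    # escaped with a backslash so they reach the file untouched.
    cat > "$out" <<EOF
# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name ${domain};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;

    # TLS 1.2 and 1.3 only. TLS 1.3 has no renegotiation at all, and nginx
    # refuses client-initiated renegotiation on TLS 1.2 by itself.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:emby_ssl:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    client_max_body_size 20M;

    location / {
        proxy_pass ${upstream};
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        # WebSocket upgrade used by the Emby web client.
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }
}
EOF
}

# Sanity-check a written config for the directives that drive the scanner
# findings discussed above. Returns 0 when all are present and no legacy
# protocol (SSLv2/3, TLS 1.0/1.1) has crept into ssl_protocols.
check_emby_proxy_conf() {
    f="$1"
    grep -qF 'ssl_protocols TLSv1.2 TLSv1.3;' "$f" || return 1
    grep -qF 'Strict-Transport-Security' "$f" || return 1
    grep -qF 'proxy_pass ' "$f" || return 1
    if grep -Eq 'ssl_protocols[^;]*(SSLv[23]|TLSv1(\.[01])?)( |;)' "$f"; then
        return 1
    fi
    return 0
}
```

After writing the file, run `nginx -t` and reload nginx, restrict Emby's own HTTPS port so that nginx on 443 is the only TLS endpoint exposed, and point the same scanner at port 443; the findings about the embedded listener's TLS stack then stop applying because that listener is no longer reachable.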

bandit8623
8 hours ago, rbjtech said:

If you want the very latest and timely resolution of security vulnerabilities/standard changes (from PCI DSS, HIPAA, NIST etc.), then you need to use a well-supported reverse proxy, as has been said earlier in this thread: nginx, Caddy etc. Configured correctly, they will also get you an A+ using this testing suite and will decouple all of these security responsibilities/dependencies away from Emby.

That's fine if that's what it takes currently. But if you make a good product, it should include all that in the app itself.


Luke
On 9/28/2023 at 1:59 PM, bandit8623 said:

That's fine if that's what it takes currently. But if you make a good product, it should include all that in the app itself.

You're saying we should have our own reverse proxy built-in? I think that would turn us into bloatware.


pwhodges

No, he's saying that as you provide an https interface, he feels that you should ensure that it is as secure and up to date as that of the best purpose-made web servers.

Personally, I'd rather you concentrate on the media server and encourage us to use a specialised (and free!) reverse proxy if we want (and can justify) a higher level of security.  I'd even be happy if you removed the SSL stuff so that we had to use a reverse proxy to provide it!

Paul


bandit8623
2 hours ago, Luke said:

You're saying we should have our own reverse proxy built-in? I think that would turn us into bloatware.

Emby is a web server, but clearly it's not secure on its own (I think you should make it secure on its own). You are making us do that part too, on top of the SSL certs (certs, I get, are needed for us to host standalone).

If a reverse proxy is needed for our servers to be secure, then I would say you should require a reverse proxy... When you add extra steps in the middle like this, you open us up to security issues.

If you made Emby standalone and secure (no need for a proxy), you would control how secure it is vs. everyone doing it a different way.


Luke
1 hour ago, bandit8623 said:

Emby is a web server, but clearly it's not secure on its own (I think you should make it secure on its own). You are making us do that part too, on top of the SSL certs (certs, I get, are needed for us to host standalone).

If a reverse proxy is needed for our servers to be secure, then I would say you should require a reverse proxy... When you add extra steps in the middle like this, you open us up to security issues.

If you made Emby standalone and secure (no need for a proxy), you would control how secure it is vs. everyone doing it a different way.

A reverse proxy is not required, but much of this depends on the .NET runtime and what it supports. For example, I notice that starting in .NET 7, renegotiation will not be allowed by default anymore. We're currently on .NET 6, but we can configure that, so for the next beta server build I'll add a hidden config switch that you can set in the server config file:

AllowRenegotiation

If you set it to false, then it won't be allowed and that last mention will go away.

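A way to verify on the wire what a switch like the one Luke describes (or the later .NET 7 default) actually does, as an added example that is neither Emby's code nor anything posted in the thread: a POSIX shell script that drives openssl s_client, which attempts a renegotiation when it reads a line containing R on stdin, and classifies the transcript. Assumed, not taken from the thread: the HOST/PORT arguments, the -state output strings of a current OpenSSL client, and the constructed transcript lines the classifier is written against. The scanner used in the thread is not named, so this checks only the one property Luke mentions, client-initiated renegotiation on TLS 1.2.

```shell
#!/bin/sh
# Added example, not Emby's code: does a TLS 1.2 listener still accept a
# client-initiated renegotiation? openssl s_client renegotiates when it reads
# an "R" line on stdin (interactive mode only, so no -quiet/-ign_eof), and
# -state prints the handshake states and alerts the classifier looks for.
# HOST and PORT are assumed arguments; the port default is an assumption.

# Live probe: prints the s_client transcript on stdout for classify_renegotiation.
# -tls1_2 is essential: TLS 1.3 removed renegotiation, so a TLS 1.3 session
# says nothing about the TLS 1.2 code path a scanner exercises.
probe_renegotiation() {
    host="$1"
    port="${2:-443}"
    # Wait for the first handshake, ask for a renegotiation, give the server
    # two seconds to answer, then close stdin so s_client shuts down.
    { sleep 2; printf 'R\n'; sleep 2; } |
        openssl s_client -connect "${host}:${port}" -servername "$host" \
            -tls1_2 -state 2>&1
}

# Classify a transcript read from stdin. Prints one of:
#   refused - the server answered the second ClientHello with a
#             no_renegotiation warning or a fatal alert
#   allowed - a full second handshake (server hello ... finished) completed
#   unknown - no renegotiation attempt is visible, or the outcome is unclear
#             (e.g. the server silently dropped the connection)
classify_renegotiation() {
    transcript=$(cat)
    case "$transcript" in
        *RENEGOTIATING*) ;;
        *) echo unknown; return 0 ;;
    esac
    # Only the part after s_client's RENEGOTIATING marker is the second handshake.
    after=${transcript#*RENEGOTIATING}
    case "$after" in
        *"no renegotiation"*|*"alert read:fatal"*)
            echo refused
            return 0 ;;
    esac
    case "$after" in
        *"read server hello"*"negotiation finished successfully"*)
            echo allowed ;;
        *)
            echo unknown ;;
    esac
}

# Usage (live, needs network): probe_renegotiation media.example.org 443 | classify_renegotiation
```

Run it against Emby's own HTTPS port before and after flipping the switch; "refused" is the outcome a scanner's renegotiation check wants to see. When the classifier returns "unknown" while the connection was simply closed, the server still did not renegotiate, but it did so without a proper alert, which is worth noting when comparing against the scanner's wording.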

bandit8623
29 minutes ago, Luke said:

A reverse proxy is not required, but much of this depends on the .NET runtime and what it supports. For example, I notice that starting in .NET 7, renegotiation will not be allowed by default anymore. We're currently on .NET 6, but we can configure that, so for the next beta server build I'll add a hidden config switch that you can set in the server config file:

AllowRenegotiation

If you set it to false, then it won't be allowed and that last mention will go away.

I appreciate your efforts! Thanks 


bandit8623
18 hours ago, Luke said:

A reverse proxy is not required, but much of this depends on the .NET runtime and what it supports. For example, I notice that starting in .NET 7, renegotiation will not be allowed by default anymore. We're currently on .NET 6, but we can configure that, so for the next beta server build I'll add a hidden config switch that you can set in the server config file:

AllowRenegotiation

If you set it to false, then it won't be allowed and that last mention will go away.

[screenshot attachments omitted]

I also rebooted. No change. Did I edit the right file?


Luke
27 minutes ago, bandit8623 said:

build 51

[screenshot attachment omitted]

OK, well, there's not much documentation around this, so we may just have to wait on this until we update to .NET 7, when it will be disabled out of the box.


bandit8623
17 hours ago, Luke said:

OK, well, there's not much documentation around this, so we may just have to wait on this until we update to .NET 7, when it will be disabled out of the box.

Sounds good. Thanks for looking into it.
