Fmstrat, posted May 5, 2015 (thread author)

I don't know what you mean. The OP mentioned that SSL didn't work on his Android client with an SSL cert. Using the same cert on Windows, SSL worked. This points to an issue with Mono or the way Android interacts with Mono. (The cert works, in other words.) The only thing we do to support SSL within the server is the two lines of code I pointed out, so it's unlikely to be in the socket listener library anywhere. Never mind, I follow now. I just misread your response.
psdl, posted May 5, 2015

> Under Ubuntu, I decided to try using nginx as an SSL proxy. This works flawlessly with Android, and in fact is significantly faster than the SSL service built into Emby (from the web console). Here is the nginx config I'm using:
>
>     server {
>         listen 9999;
>         server_name MYHOSTNAME.com;
>
>         gzip on;
>         gzip_proxied any;
>         gzip_types text/css text/plain text/xml application/xml application/javascript application/x-javascript text/javascript application/json text/$
>         gzip_vary on;
>
>         ssl on;
>         ssl_certificate /opt/certs/certificate.combined.cer;
>         ssl_certificate_key /opt/certs/ssl.decrypted.key;
>         ssl_session_cache shared:SSL:10m;
>
>         location / {
>             proxy_pass http://localhost:8096;
>             proxy_set_header Host $host:$server_port;
>             proxy_set_header X-Real-IP $remote_addr;
>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             proxy_redirect http://$host:$server_port https://$host:$server_port;
>         }
>     }

I did this with Plex. The problem is that not all is sent through the encrypted connection. Most likely the login screen is encrypted, but the stream and the graphics are not. Could you verify this?
Fmstrat, posted May 5, 2015 (thread author)

> I did this with Plex. The problem is that not all is sent through the encrypted connection. Most likely the login screen is encrypted, but the stream and the graphics are not. Could you verify this?

I don't have any HTTP firewall ports open, and it works for me. This is for Emby, not for Plex. Plex requires a MUCH more involved solution because it was not built to support SSL. You can use the work from jkiel and me here: https://github.com/Fmstrat/plex-ssl for Plex, but it is still not foolproof. You're much safer sticking with Emby and blocking HTTP altogether.
psdl, posted May 5, 2015

That's why I switched to Emby! Then I will revamp my Plex reverse proxy config for httpd to Emby.
psdl, posted May 5, 2015

If anyone is interested, here is my reverse proxy conf for Apache (httpd):

    <VirtualHost *:80>
        ServerName example.com
        Redirect permanent / https://example.com/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName example.com

        <Location />
            # AllowOverride is only valid inside <Directory> and is dropped here
            AuthType Basic
            AuthName "Restricted Access"
            AuthBasicProvider file
            AuthUserFile /usr/share/httpd/passwd/.htpasswd.example.com
            Require user exampleuser
        </Location>

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite EDH+aRSA+AES256:EECDH+aRSA+AES256
        SSLHonorCipherOrder on
        SSLCompression off
        SSLCertificateFile /etc/pki/tls/certs/example.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / http://localhost:8096/
        ProxyPassReverse / http://localhost:8096/

        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^/mediabrowser
        RewriteRule ^/$ /mediabrowser/$1 [R,L]
    </VirtualHost>

Edited May 5, 2015 by psdl
psdl, posted May 6, 2015

Sorry... my fault. There is a really big failure in my config. To really encrypt the SSL stream you need to enable the SSLProxyEngine and proxy the https through it. Also you need to put your SSL certificate in the config of Emby and enable SSL encryption. So here is the correct version:

    <VirtualHost *:80>
        ServerName example.com
        Redirect permanent / https://example.com/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName example.com

        <Location />
            # AllowOverride is only valid inside <Directory> and is dropped here
            AuthType Basic
            AuthName "Restricted Access"
            AuthBasicProvider file
            AuthUserFile /usr/share/httpd/passwd/.htpasswd.example.com
            Require user exampleuser
        </Location>

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite EDH+aRSA+AES256:EECDH+aRSA+AES256
        SSLHonorCipherOrder on
        SSLCompression off
        SSLCertificateFile /etc/pki/tls/certs/example.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

        SSLProxyEngine On
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / https://localhost:8920/
        ProxyPassReverse / https://localhost:8920/

        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^/mediabrowser
        RewriteRule ^/$ /mediabrowser/$1 [R,L]
    </VirtualHost>

Please correct if you see any mistakes! (My iPhone still does not play anything.)
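Added here as an example, not code from this thread or from Emby: a small Python audit for the proxy fragments discussed above (the nginx config quoted earlier and the two Apache versions). It flags a ProxyPass to an https:// backend without SSLProxyEngine On, SSLv2/SSLv3 left enabled, a missing ssl_protocols directive in nginx, and a plaintext backend that is not on loopback; the config fragments inside are constructed, shortened from the posted ones.

```python
import re

# Constructed fragments modelled on the Apache config in this thread: the
# first proxies to Emby's https port (8920) but omits SSLProxyEngine.
APACHE_BROKEN = """
SSLProtocol all -SSLv2
ProxyPass / https://localhost:8920/
ProxyPassReverse / https://localhost:8920/
"""
APACHE_FIXED = """
SSLProtocol all -SSLv2 -SSLv3
SSLProxyEngine On
ProxyPass / https://localhost:8920/
ProxyPassReverse / https://localhost:8920/
"""
# Constructed nginx fragment modelled on the one quoted earlier in the thread.
NGINX = """
listen 9999;
ssl on;
proxy_pass http://localhost:8096;
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def backend_host(url: str) -> str:
    # host part of http(s)://host[:port]/path, with IPv6 literals in brackets
    hostport = url.split("://", 1)[1].split("/", 1)[0]
    if hostport.startswith("["):
        return hostport[1:hostport.index("]")]
    return hostport.split(":", 1)[0]


def _check_backend(directive: str, conf: str, findings: list) -> None:
    # A plaintext hop is fine on loopback; to any other host it undoes the TLS.
    pat = rf"^[ \t]*{directive}[ \t]+(?:\S+[ \t]+)?(https?://\S+)"
    for m in re.finditer(pat, conf, re.M):
        url = m.group(1).rstrip(";")
        if url.startswith("http://") and backend_host(url) not in LOOPBACK:
            findings.append(f"{directive} sends plaintext to non-loopback backend {url}")


def audit_apache(conf: str) -> list:
    findings = []
    https_backend = re.search(r"^[ \t]*ProxyPass[ \t]+\S+[ \t]+https://", conf, re.M)
    engine_on = re.search(r"^[ \t]*SSLProxyEngine[ \t]+on\b", conf, re.M | re.I)
    if https_backend and not engine_on:
        findings.append("ProxyPass to https:// backend without SSLProxyEngine On")
    m = re.search(r"^[ \t]*SSLProtocol[ \t]+(.+)$", conf, re.M)
    if m:
        toks = m.group(1).split()
        for legacy in ("SSLv2", "SSLv3"):
            # enabled via 'all' or explicitly, and not subtracted with -SSLvN
            if ("all" in toks or legacy in toks or f"+{legacy}" in toks) and f"-{legacy}" not in toks:
                findings.append(f"SSLProtocol leaves {legacy} enabled")
    _check_backend("ProxyPass", conf, findings)
    return findings


def audit_nginx(conf: str) -> list:
    findings = []
    tls_on = re.search(r"^[ \t]*(ssl[ \t]+on;|listen[ \t]+[^;]*\bssl\b)", conf, re.M)
    if tls_on and not re.search(r"^[ \t]*ssl_protocols\b", conf, re.M):
        findings.append("TLS enabled but no ssl_protocols directive (build defaults apply)")
    _check_backend("proxy_pass", conf, findings)
    return findings
```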
shudder, posted May 8, 2015

Thanks for sharing your Apache configuration. I had one in place as well but always felt that, even though the browser session was encrypted, the video stream itself was plain HTTP. I'm going to give yours a try. BTW, are you using the web client or the app on your iPhone? Mine plays just fine using the web client.

Edited May 8, 2015 by shudder
psdl, posted May 8, 2015

I am using the web client. But I am still having errors on my MacBook, and the iPhone isn't playing anything. But I think it's because I am using the newest Mono version (4.0.1). But I really don't know... Mono is... um... ;-)
gsnerf, posted May 8, 2015

> Sorry... my fault. There is a really big failure in my config. To really encrypt the SSL stream you need to enable the SSLProxyEngine and proxy the https through it. Also you need to put your SSL certificate in the config of Emby and enable SSL encryption. So here is the correct version:
>
> Please correct if you see any mistakes! (My iPhone still does not play anything.)

For newer versions of Emby the URL path seems to have changed from /mediabrowser to /web.
shudder, posted May 8, 2015

> I am using the web client. But I am still having errors on my MacBook, and the iPhone isn't playing anything. But I think it's because I am using the newest Mono version (4.0.1). But I really don't know... Mono is... um... ;-)

Indeed, Mono could be a reason. Might be worth adding that I left out the .htaccess part from your config because it kept asking me on each request. Don't need it either, as I'm using Emby's access control. Any specific reason you configured it?
psdl, posted May 8, 2015

Of course... I'm a security pervert! Just one question... could you delete your log files, restart your server, start to stream a movie through the web interface and then post your server log? That would be really nice, because I am not sure if all errors are really errors. And another question: what are your directory rights and owners?

Edited May 8, 2015 by psdl
psdl, posted May 9, 2015

Here is an update on the situation with Mono and my SSL certificate. Mono does not support TLS 1.2 nor Perfect Forward Secrecy (DH)! That is the problem. So I am stuck, because these are the ciphers used by my site. So, security is totally broken in Mono. WTF.

https://forums.xamarin.com/discussion/9098/weak-ciphers-with-ssl-tls

More to read on people having problems with weak ciphers:

https://github.com/KSP-CKAN/CKAN-support/issues/107

Tested Mono with the following Apache SSL config:

    SSLCipherSuite aRSA+AES256
    # SSLCipherSuite EDH+aRSA+AES256:EECDH+aRSA+AES256   <- my normal conf

    mono tlstest.exe https://mysite.com
    https://mysite.com success

Damn! Really... Microsoft Mono $§§&6... *beep* ...

Edited May 9, 2015 by psdl
Luke, posted May 9, 2015

Yea, but with Microsoft's backing you can expect Mono to improve at a very rapid pace now. All of your assumptions about Mono should be thrown out the window, because in a few months I think it will be very different from what it is now.
psdl, posted May 9, 2015

I wrote an email to Sebastien Pouliot, who implemented the TLS libraries in Mono. The last hope. https://github.com/spouliot

For now I will use a weaker SSL certificate only for the Emby port...

Update: Doesn't work either.

Edited May 10, 2015 by psdl
Fmstrat, posted May 14, 2015 (thread author)

> I wrote an email to Sebastien Pouliot, who implemented the TLS libraries in Mono. The last hope. https://github.com/spouliot
>
> For now I will use a weaker SSL certificate only for the Emby port...
>
> Update: Doesn't work either.

You could use the nginx config I posted earlier, which supports TLSv1.2? Until things get sorted in Emby I've found this to be reliable, and the web interface is faster than the built-in SSL.
bncbnc83, posted May 24, 2015

> You could use the nginx config I posted earlier, which supports TLSv1.2? Until things get sorted in Emby I've found this to be reliable, and the web interface is faster than the built-in SSL.

Can I do that in Docker, and do you know how to set it up?
sixtysix, posted June 24, 2015

> Of course... I'm a security pervert! Just one question... could you delete your log files, restart your server, start to stream a movie through the web interface and then post your server log? That would be really nice, because I am not sure if all errors are really errors. And another question: what are your directory rights and owners?

Hey psdl, I'm having problems getting Emby to work with SSL and basic auth in an nginx reverse proxy on Ubuntu. It looks like you have it working with Apache. Doesn't Emby's use of the Authorization header conflict with your basic auth setting?
Luke, posted August 25, 2016

I believe this is resolved with Mono 4.4.2. Can anyone try it out? Thanks.
liquidox, posted August 28, 2016

> I believe this is resolved with Mono 4.4.2. Can anyone try it out? Thanks.

Just ran into this topic. I have a brand new Emby setup, running on CentOS 7, Mono 4.4.2. Am unable to get HTTPS working with the built-in certificate thing:

    2016-08-28 15:07:25.1964 Error HttpServer: Error in ProcessAccept
    *** Error Report ***
    Version: 3.1.121.0
    Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
    Operating system: Unix 4.4.6.1
    Processor count: 4
    64-Bit OS: True
    64-Bit Process: True
    Program data path: /var/lib/emby-server
    Mono: 4.4.2 (Stable 4.4.2.11/f72fe45 Mon Aug 8 22:33:00 UTC 2016)
    Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe
    The authentication or decryption has failed.
    System.IO.IOException
      at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (IAsyncResult asyncResult) <0x41e36a50 + 0x00153> in <filename unknown>:0
      at Mono.Net.Security.Private.LegacySslStream.EndAuthenticateAsServer (IAsyncResult asyncResult) <0x42443bd0 + 0x0003e> in <filename unknown>:0
      at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation) <0x42441560 + 0x00055> in <filename unknown>:0
      at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) <0x42441530 + 0x00022> in <filename unknown>:0
      at Mono.Net.Security.Private.MonoSslStreamImpl.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) <0x42441390 + 0x0002b> in <filename unknown>:0
      at System.Net.Security.SslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) <0x42441290 + 0x0002b> in <filename unknown>:0
      at SocketHttpListener.Net.HttpConnection..ctor (ILogger logger, System.Net.Sockets.Socket sock, SocketHttpListener.Net.EndPointListener epl, Boolean secure, System.Security.Cryptography.X509Certificates.X509Certificate cert, System.String connectionId) <0x41d721a0 + 0x00263> in <filename unknown>:0
      at SocketHttpListener.Net.EndPointListener.ProcessAccept (System.Net.Sockets.Socket accepted) <0x41d71b90 + 0x0010f> in <filename unknown>:0
    InnerException: Mono.Security.Protocol.Tls.TlsException
    The authentication or decryption has failed.
      at Mono.Security.Protocol.Tls.RecordProtocol.EndReceiveRecord (IAsyncResult asyncResult) <0x41e40460 + 0x00103> in <filename unknown>:0
      at Mono.Security.Protocol.Tls.SslServerStream.EndNegotiateHandshake (IAsyncResult asyncResult) <0x42443d30 + 0x0002b> in <filename unknown>:0
      at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) <0x41e995e0 + 0x0008d> in <filename unknown>:0
Luke, posted August 28, 2016

I guess not then. The upcoming 4.6 has a TLS overhaul, so I think there's a good chance that will resolve it: http://www.mono-project.com/docs/about-mono/releases/4.6.0/
Panderine, posted September 2, 2016

> Hey psdl, I'm having problems getting Emby to work with SSL and basic auth in an nginx reverse proxy on Ubuntu. It looks like you have it working with Apache. Doesn't Emby's use of the Authorization header conflict with your basic auth setting?

Basic auth and SSL (using nginx as a reverse proxy to local HTTP Emby) is working, BUT only using a web browser (not the web app). I believe the Android app doesn't allow you to use basic auth. At least I'm not able to do it yet. Anyone make it?

Edited September 2, 2016 by Panderine
bvanaerde, posted October 3, 2016

> I guess not then. The upcoming 4.6 has a TLS overhaul, so I think there's a good chance that will resolve it: http://www.mono-project.com/docs/about-mono/releases/4.6.0/

I'm getting this error with Mono 4.6. Not sure how it's affecting me though... I was looking into the logs because the "scan media library" task was freezing, and I found this error:

    2016-10-03 16:35:12.9123 Error HttpServer: Error in ProcessAccept
    *** Error Report ***
    Version: 3.0.7300.0
    Command line: /var/packages/EmbyServer/target/server/MediaBrowser.Server.Mono.exe -package="synology" -programdata /var/packages/EmbyServer/target/var -ffmpeg /var/packages/EmbyServer/target/ffmpeg/bin/ffmpeg -ffprobe /var/packages/EmbyServer/target/ffmpeg/bin/ffprobe
    Operating system: Unix 3.10.77.0
    Processor count: 4
    64-Bit OS: True
    64-Bit Process: True
    Program data path: /var/packages/EmbyServer/target/var
    Mono: 4.6.0 (Stable 4.6.0.245/746756c Mon Sep 26 07:17:10 CST 2016)
    Application Path: /volume1/@appstore/EmbyServer/releases/v3.0.7300/MediaBrowser.Server.Mono.exe
    The authentication or decryption has failed.
    System.IO.IOException
      at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (System.IAsyncResult asyncResult) [0x00057] in <78782669c99b48d9aeebe3c363ec7720>:0
      at Mono.Net.Security.Private.LegacySslStream.EndAuthenticateAsServer (System.IAsyncResult asyncResult) [0x00011] in <affe4060066c42de8cdd6027cdb92b56>:0
      at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x0000e] in <affe4060066c42de8cdd6027cdb92b56>:0
      at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) [0x00000] in <affe4060066c42de8cdd6027cdb92b56>:0
      at Mono.Net.Security.Private.MonoSslStreamImpl.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) [0x00006] in <affe4060066c42de8cdd6027cdb92b56>:0
      at System.Net.Security.SslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) [0x00006] in <affe4060066c42de8cdd6027cdb92b56>:0
      at SocketHttpListener.Net.HttpConnection..ctor (Patterns.Logging.ILogger logger, System.Net.Sockets.Socket sock, SocketHttpListener.Net.EndPointListener epl, System.Boolean secure, System.Security.Cryptography.X509Certificates.X509Certificate cert, System.String connectionId) [0x00064] in <c36adf296310417187772f811c8ab7f4>:0
      at SocketHttpListener.Net.EndPointListener.ProcessAccept (System.Net.Sockets.Socket accepted) [0x00030] in <c36adf296310417187772f811c8ab7f4>:0
    InnerException: System.NullReferenceException
    Object reference not set to an instance of an object
      at Mono.Security.Protocol.Tls.Handshake.Server.TlsServerHello.ProcessAsTls1 () [0x0009f] in <78782669c99b48d9aeebe3c363ec7720>:0
      at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00037] in <78782669c99b48d9aeebe3c363ec7720>:0
      at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
      at Mono.Security.Protocol.Tls.RecordProtocol.BeginSendRecord (Mono.Security.Protocol.Tls.Handshake.HandshakeType handshakeType, System.AsyncCallback callback, System.Object state) [0x00008] in <78782669c99b48d9aeebe3c363ec7720>:0
      at Mono.Security.Protocol.Tls.RecordProtocol.SendRecord (Mono.Security.Protocol.Tls.Handshake.HandshakeType type) [0x00000] in <78782669c99b48d9aeebe3c363ec7720>:0
      at Mono.Security.Protocol.Tls.SslServerStream.EndNegotiateHandshake (System.IAsyncResult asyncResult) [0x0002b] in <78782669c99b48d9aeebe3c363ec7720>:0
      at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (System.IAsyncResult asyncResult) [0x0000c] in <78782669c99b48d9aeebe3c363ec7720>:0

Let me know if I can help in any way.

Edited October 3, 2016 by bvanaerde
Luke, posted October 3, 2016

Interesting, thanks. I know there is a 4.6.1.3, so considering how new it is I would stay up to date. Also, as it is only a few days old, it is quite possible we might have some adjustment to make on our side with the HTTP server. Thanks.