SSL errrors with StartSSL cert


Fmstrat

I don't know what you mean. The OP mentioned that SSL didn't work on his Android client with an SSL cert. Using the same cert on Windows, SSL worked. This points to an issue with Mono or the way Android interacts with Mono (the cert works, in other words). The only thing we do to support SSL within the server is the two lines of code I pointed out, so it's unlikely to be in the socket listener library anywhere.

 

Nevermind, I follow now. I just misread your response.


psdl

 

> Under Ubuntu, I decided to try using nginx as an SSL proxy. This works flawlessly with Android, and in fact is significantly faster than the SSL service built into Emby (from the web console). Here is the nginx config I'm using:
>
> server {
>     listen 9999;
>     server_name MYHOSTNAME.com;
>
>     gzip             on;
>     gzip_proxied     any;
>     gzip_types       text/css text/plain text/xml application/xml application/javascript application/x-javascript text/javascript application/json text/$
>     gzip_vary        on;
>
>     ssl on;
>     ssl_certificate /opt/certs/certificate.combined.cer;
>     ssl_certificate_key /opt/certs/ssl.decrypted.key;
>     ssl_session_cache shared:SSL:10m;
>
>     location / {
>         proxy_pass              http://localhost:8096;
>         proxy_set_header        Host $host:$server_port;
>         proxy_set_header        X-Real-IP       $remote_addr;
>         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_redirect          http://$host:$server_port https://$host:$server_port;
>     }
> }

I did this with Plex. The problem is that not everything is sent through the encrypted connection. Most likely the login screen is encrypted, but the stream and the graphics are not.

Could you verify this?


Fmstrat

> I did this with Plex. The problem is that not everything is sent through the encrypted connection. Most likely the login screen is encrypted, but the stream and the graphics are not.
>
> Could you verify this?

 

I don't have any HTTP firewall ports open, and it works for me. This is for Emby, not for Plex. Plex requires a MUCH more involved solution because it was not built to support SSL. You can use the work from jkiel and me here: https://github.com/Fmstrat/plex-ssl for Plex, but it is still not foolproof. You're much safer sticking with Emby and blocking HTTP altogether.


psdl

That's why I switched to Emby! :D :)

Then I will revamp my Plex reverse proxy config for httpd for Emby. :ph34r:


psdl

If anyone is interested, here is my reverse proxy config for Apache (httpd):

<VirtualHost *:80>
  ServerName example.com
  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com

  # Basic auth in front of the whole site.
  # (AllowOverride is only valid in <Directory> sections and makes httpd
  # refuse to start inside <Location>, so it is left out here.)
  <Location />
    AuthType Basic
    AuthName "Restricted Access"
    AuthBasicProvider file
    AuthUserFile /usr/share/httpd/passwd/.htpasswd.example.com
    Require user exampleuser
  </Location>

  # 2.2-style access control; on httpd 2.4 this needs mod_access_compat
  # (the 2.4 equivalent is "Require all granted").
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite EDH+aRSA+AES256:EECDH+aRSA+AES256
  SSLHonorCipherOrder on
  SSLCompression off
  SSLCertificateFile /etc/pki/tls/certs/example.com.crt
  SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

  # Forward everything to Emby's plain HTTP port on localhost.
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://localhost:8096/
  ProxyPassReverse / http://localhost:8096/

  # Send the bare root to the web client path (pattern has no capture
  # group, so no $1 backreference).
  RewriteEngine on
  RewriteCond %{REQUEST_URI} !^/mediabrowser
  RewriteRule ^/$ /mediabrowser/ [R,L]
</VirtualHost>


psdl

Sorry... my fault. There is a really big mistake in my config. To really encrypt the stream you need to enable SSLProxyEngine and proxy HTTPS through it. Also you need to put your SSL certificate in the Emby config and enable SSL encryption there. So here is the correct version:

<VirtualHost *:80>
  ServerName example.com
  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com

  # Basic auth in front of the whole site.
  # (AllowOverride is only valid in <Directory> sections and makes httpd
  # refuse to start inside <Location>, so it is left out here.)
  <Location />
    AuthType Basic
    AuthName "Restricted Access"
    AuthBasicProvider file
    AuthUserFile /usr/share/httpd/passwd/.htpasswd.example.com
    Require user exampleuser
  </Location>

  # 2.2-style access control; on httpd 2.4 this needs mod_access_compat
  # (the 2.4 equivalent is "Require all granted").
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite EDH+aRSA+AES256:EECDH+aRSA+AES256
  SSLHonorCipherOrder on
  SSLCompression off
  SSLCertificateFile /etc/pki/tls/certs/example.com.crt
  SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

  # Let mod_ssl act as a TLS client towards the backend, so the hop to
  # Emby's HTTPS port (8920, with the same certificate configured in Emby)
  # is encrypted as well.
  SSLProxyEngine On

  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://localhost:8920/
  ProxyPassReverse / https://localhost:8920/

  # Send the bare root to the web client path (pattern has no capture
  # group, so no $1 backreference).
  RewriteEngine on
  RewriteCond %{REQUEST_URI} !^/mediabrowser
  RewriteRule ^/$ /mediabrowser/ [R,L]
</VirtualHost>

 

Please correct me if you see any mistakes! ;) (my iPhone still does not play anything)


shudder

Thanks for sharing your apache configuration.

I had one in place as well but always felt that, even though the browser session was encrypted, the video stream itself was plain HTTP. I'm going to give yours a try.

 

BTW, are you using the webclient or the app on your iPhone?

Mine plays just fine using the webclient.


psdl

I am using the web client. But I am still having errors on my MacBook and the iPhone isn't playing anything. But I think it's because I am using the newest Mono version (4.0.1). But I really don't know... Mono is... um... ;-)


gsnerf

> Sorry... my fault. There is a really big mistake in my config. To really encrypt the stream you need to enable SSLProxyEngine and proxy HTTPS through it. Also you need to put your SSL certificate in the Emby config and enable SSL encryption there. So here is the correct version:
>
> Please correct me if you see any mistakes! ;) (my iPhone still does not play anything)

 

For newer versions of Emby the URL path seems to have changed from /mediabrowser to /web.


shudder

> I am using the web client. But I am still having errors on my MacBook and the iPhone isn't playing anything. But I think it's because I am using the newest Mono version (4.0.1). But I really don't know... Mono is... um... ;-)

Indeed, Mono could be a reason.

Might be worth adding that I left out the .htaccess part from your config because it kept asking me on each request. I don't need it either, as I'm using Emby's access control. Any specific reason you configured it?


psdl

Of course... I'm a security pervert! :blink: :D

Just one question... could you delete your log files, restart your server, start streaming a movie through the web interface and then post your server_log? That would be really nice, because I am not sure if all errors are really errors.

 

And another question. What are your directory rights and owners?


psdl

Here is an update on the situation with mono and my ssl certificate.

 

Mono supports neither TLS 1.2 nor Perfect Forward Secrecy (DH)! That is the problem. So I am stuck, because these are the ciphers used by my site. :mellow: So, security is totally broken in Mono. :wacko: WTF.

 

https://forums.xamarin.com/discussion/9098/weak-ciphers-with-ssl-tls

 

More to read on people having problems with weak ciphers:

 

https://github.com/KSP-CKAN/CKAN-support/issues/107

 

Tested Mono with the following Apache SSL config:

 

   SSLCipherSuite aRSA+AES256
#   SSLCipherSuite EDH+aRSA+AES256:EECDH+aRSA+AES256     <- my normal conf

 

mono tlstest.exe https://mysite.com

 

https://mysite.com success

 

Damn ! Really... Microsoft Mono $§§&6... *beep* ... :angry:

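An added example (not code from the thread) that shows why the relaxed cipher string let Mono's TLS test succeed while the normal one did not: it expands both Apache SSLCipherSuite strings locally with Python's ssl module, exactly as `openssl ciphers -v` would, and checks whether a client limited to TLS 1.0/1.1 and static RSA key exchange (the Mono limitation described above) has any suite left to use. The constant names STRICT_PFS and RELAXED are mine; no network access is needed.

```python
import re
import ssl

# The two Apache SSLCipherSuite strings from the post above
# (constant names are mine).
STRICT_PFS = "EDH+aRSA+AES256:EECDH+aRSA+AES256"  # "my normal conf"
RELAXED = "aRSA+AES256"                           # the test config


def expand(cipher_string):
    """Expand an OpenSSL cipher string the way Apache's mod_ssl does.
    Returns (suite name, minimum protocol, key exchange) tuples; this is
    the same local expansion `openssl ciphers -v '<string>'` prints.
    TLS 1.3 suites are skipped because SSLCipherSuite does not select them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # description looks like "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1"
        kx = re.search(r"Kx=(\S+)", c["description"]).group(1)
        suites.append((c["name"], c["protocol"], kx))
    return suites


def analyze(cipher_string):
    """Judge a cipher string from the point of view of the legacy client
    described in the thread: TLS 1.0/1.1 only and static RSA key exchange
    only (no DHE/ECDHE, hence no forward secrecy)."""
    suites = expand(cipher_string)
    static_rsa = [name for name, _, kx in suites if kx == "RSA"]
    # OpenSSL labels each suite with the oldest protocol it works with:
    # "SSLv3" for the classic CBC suites, "TLSv1.2" for GCM/SHA-2 suites.
    legacy = [name for name, proto, kx in suites
              if kx == "RSA" and proto not in ("TLSv1.2", "TLSv1.3")]
    return {
        "suite_count": len(suites),
        "forward_secrecy_only": not static_rsa,
        "static_rsa": static_rsa,
        "legacy_client_can_connect": bool(legacy),
        "legacy_suites": legacy,
    }


if __name__ == "__main__":
    for label, cs in (("normal", STRICT_PFS), ("test", RELAXED)):
        r = analyze(cs)
        print(f"{label:6} {cs}: {r['suite_count']} suites, "
              f"PFS only: {r['forward_secrecy_only']}, "
              f"legacy client OK: {r['legacy_client_can_connect']} {r['legacy_suites']}")
```

With the normal string every suite uses (EC)DHE, so a client without TLS 1.2 and forward-secrecy support has nothing to negotiate; the relaxed string adds static-RSA suites such as AES256-SHA, which is what allowed the test to succeed at the cost of forward secrecy.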

Yeah, but with Microsoft's backing you can expect Mono to improve at a very rapid pace now. All of your assumptions about Mono should be thrown out the window, because in a few months I think it will be very different from what it is now.


psdl

I wrote an email to Sebastien Pouliot, who implemented the TLS libraries in Mono. The last hope.

 

https://github.com/spouliot

 

For now I will use a weaker SSL certificate only for the Emby port... :(

 

Update: Doesn't work either.


Fmstrat

> I wrote an email to Sebastien Pouliot, who implemented the TLS libraries in Mono. The last hope.
>
> https://github.com/spouliot
>
> For now I will use a weaker SSL certificate only for the Emby port... :(
>
> Update: Doesn't work either.

 

You could use the nginx config I posted earlier, which supports TLSv1.2? Until things get sorted in Emby I've found this to be reliable, and the web interface is faster than the built in SSL.


  • 2 weeks later...
bncbnc83

> You could use the nginx config I posted earlier, which supports TLSv1.2? Until things get sorted in Emby I've found this to be reliable, and the web interface is faster than the built in SSL.

Can I do that in Docker, and do you know how to set it up?


  • 5 weeks later...
sixtysix

> Of course... I'm a security pervert! :blink: :D
>
> Just one question... could you delete your log files, restart your server, start streaming a movie through the web interface and then post your server_log? That would be really nice, because I am not sure if all errors are really errors.
>
> And another question. What are your directory rights and owners?

 

Hey psdl, I'm having problems getting Emby to work with SSL and basic auth in an nginx reverse proxy on Ubuntu. It looks like you have it working with Apache. Doesn't Emby's use of the Authorization header conflict with your basic auth setting?


  • 1 year later...
liquidox

> I believe this is resolved with Mono 4.4.2. Can anyone try it out? Thanks.

 

Just ran into this topic. I have a brand new Emby setup, running on CentOS 7, Mono 4.4.2.

 

Am unable to get HTTPS working with the built-in certificate thing:

2016-08-28 15:07:25.1964 Error HttpServer: Error in ProcessAccept
        *** Error Report ***
        Version: 3.1.121.0
        Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
        Operating system: Unix 4.4.6.1
        Processor count: 4
        64-Bit OS: True
        64-Bit Process: True
        Program data path: /var/lib/emby-server
        Mono: 4.4.2 (Stable 4.4.2.11/f72fe45 Mon Aug  8 22:33:00 UTC 2016)
        Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe
        The authentication or decryption has failed.
        System.IO.IOException
          at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (IAsyncResult asyncResult) <0x41e36a50 + 0x00153> in <filename unknown>:0
          at Mono.Net.Security.Private.LegacySslStream.EndAuthenticateAsServer (IAsyncResult asyncResult) <0x42443bd0 + 0x0003e> in <filename unknown>:0
          at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation) <0x42441560 + 0x00055> in <filename unknown>:0
          at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) <0x42441530 + 0x00022> in <filename unknown>:0
          at Mono.Net.Security.Private.MonoSslStreamImpl.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) <0x42441390 + 0x0002b> in <filename unknown>:0
          at System.Net.Security.SslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) <0x42441290 + 0x0002b> in <filename unknown>:0
          at SocketHttpListener.Net.HttpConnection..ctor (ILogger logger, System.Net.Sockets.Socket sock, SocketHttpListener.Net.EndPointListener epl, Boolean secure, System.Security.Cryptography.X509Certificates.X509Certificate cert, System.String connectionId) <0x41d721a0 + 0x00263> in <filename unknown>:0
          at SocketHttpListener.Net.EndPointListener.ProcessAccept (System.Net.Sockets.Socket accepted) <0x41d71b90 + 0x0010f> in <filename unknown>:0
        InnerException: Mono.Security.Protocol.Tls.TlsException
        The authentication or decryption has failed.
          at Mono.Security.Protocol.Tls.RecordProtocol.EndReceiveRecord (IAsyncResult asyncResult) <0x41e40460 + 0x00103> in <filename unknown>:0
          at Mono.Security.Protocol.Tls.SslServerStream.EndNegotiateHandshake (IAsyncResult asyncResult) <0x42443d30 + 0x0002b> in <filename unknown>:0
          at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) <0x41e995e0 + 0x0008d> in <filename unknown>:0


Panderine

> Hey psdl, I'm having problems getting Emby to work with SSL and basic auth in an nginx reverse proxy on Ubuntu. It looks like you have it working with Apache. Doesn't Emby's use of the Authorization header conflict with your basic auth setting?

 

Basic auth and SSL (using nginx as a reverse proxy to local HTTP Emby) is working, BUT only when using a web browser (not the app). I believe the Android app doesn't allow you to use basic auth. At least I'm not able to do it yet. Has anyone managed it?


  • 1 month later...
bvanaerde

> I guess not then. The upcoming 4.6 has a TLS overhaul so I think there's a good chance that will resolve it:
>
> http://www.mono-project.com/docs/about-mono/releases/4.6.0/

 

I'm getting this error with Mono 4.6. Not sure how it's affecting me though...

I was looking into the logs because the "scan media library" task was freezing, and I found this error:

2016-10-03 16:35:12.9123 Error HttpServer: Error in ProcessAccept
	*** Error Report ***
	Version: 3.0.7300.0
	Command line: /var/packages/EmbyServer/target/server/MediaBrowser.Server.Mono.exe -package="synology" -programdata /var/packages/EmbyServer/target/var -ffmpeg /var/packages/EmbyServer/target/ffmpeg/bin/ffmpeg -ffprobe /var/packages/EmbyServer/target/ffmpeg/bin/ffprobe
	Operating system: Unix 3.10.77.0
	Processor count: 4
	64-Bit OS: True
	64-Bit Process: True
	Program data path: /var/packages/EmbyServer/target/var
	Mono: 4.6.0 (Stable 4.6.0.245/746756c Mon Sep 26 07:17:10 CST 2016)
	Application Path: /volume1/@appstore/EmbyServer/releases/v3.0.7300/MediaBrowser.Server.Mono.exe
	The authentication or decryption has failed.
	System.IO.IOException
	  at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (System.IAsyncResult asyncResult) [0x00057] in <78782669c99b48d9aeebe3c363ec7720>:0 
	  at Mono.Net.Security.Private.LegacySslStream.EndAuthenticateAsServer (System.IAsyncResult asyncResult) [0x00011] in <affe4060066c42de8cdd6027cdb92b56>:0 
	  at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x0000e] in <affe4060066c42de8cdd6027cdb92b56>:0 
	  at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) [0x00000] in <affe4060066c42de8cdd6027cdb92b56>:0 
	  at Mono.Net.Security.Private.MonoSslStreamImpl.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) [0x00006] in <affe4060066c42de8cdd6027cdb92b56>:0 
	  at System.Net.Security.SslStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate) [0x00006] in <affe4060066c42de8cdd6027cdb92b56>:0 
	  at SocketHttpListener.Net.HttpConnection..ctor (Patterns.Logging.ILogger logger, System.Net.Sockets.Socket sock, SocketHttpListener.Net.EndPointListener epl, System.Boolean secure, System.Security.Cryptography.X509Certificates.X509Certificate cert, System.String connectionId) [0x00064] in <c36adf296310417187772f811c8ab7f4>:0 
	  at SocketHttpListener.Net.EndPointListener.ProcessAccept (System.Net.Sockets.Socket accepted) [0x00030] in <c36adf296310417187772f811c8ab7f4>:0 
	InnerException: System.NullReferenceException
	Object reference not set to an instance of an object
	  at Mono.Security.Protocol.Tls.Handshake.Server.TlsServerHello.ProcessAsTls1 () [0x0009f] in <78782669c99b48d9aeebe3c363ec7720>:0 
	  at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00037] in <78782669c99b48d9aeebe3c363ec7720>:0 
	  at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
	  at Mono.Security.Protocol.Tls.RecordProtocol.BeginSendRecord (Mono.Security.Protocol.Tls.Handshake.HandshakeType handshakeType, System.AsyncCallback callback, System.Object state) [0x00008] in <78782669c99b48d9aeebe3c363ec7720>:0 
	  at Mono.Security.Protocol.Tls.RecordProtocol.SendRecord (Mono.Security.Protocol.Tls.Handshake.HandshakeType type) [0x00000] in <78782669c99b48d9aeebe3c363ec7720>:0 
	  at Mono.Security.Protocol.Tls.SslServerStream.EndNegotiateHandshake (System.IAsyncResult asyncResult) [0x0002b] in <78782669c99b48d9aeebe3c363ec7720>:0 
	  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (System.IAsyncResult asyncResult) [0x0000c] in <78782669c99b48d9aeebe3c363ec7720>:0 

Let me know if I can help in any way.


Interesting, thanks. I know there is a 4.6.1.3, so considering how new it is I would stay up to date. Also, since it is only a few days old, it is quite possible we might have some adjustments to make on our side with the HTTP server. Thanks.
