Jump to content
blaize9

The authentication or decryption has failed. [V 3.0.5621.4]

Recommended Posts

blaize9

httpClient.Get was sending requests using SSLv3, however that was unsupported by the server(CloudFlare) which caused the request to fail.

SSLv3 Should not be used, due to the POODLE attack and is insecure.

 

Edit: Looks like there is something else causing it to fail when sending requests to CloudFlare.

Error: SendFailure (Error writing headers)
	System.Net.WebException
	  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
	  at System.Threading.Tasks.TaskFactory`1[System.Net.WebResponse].InnerInvoke (System.Threading.Tasks.TaskCompletionSource`1 tcs, System.Func`2 endMethod, IAsyncResult l) [0x00000] in <filename unknown>:0
	InnerException: System.Net.WebException
	Error writing headers
	InnerException: System.IO.IOException
	The authentication or decryption has failed.
	  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0
	  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
	InnerException: Mono.Security.Protocol.Tls.TlsException
	The authentication or decryption has failed.
	  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0
	  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0

This is currently not fixed!

emby-freenas.log

Edited by blaize9

Share this post


Link to post
Share on other sites
josh4trunks

@@Luke where in the stack is openssl being used? do you know if this library is somehow packaged in during compile time?

I can rebuild mono/emby with the latest version of openssl if that would fix things.

 

by default it uses the version installed with the base OS (openssl v0.9.8 in FreeBSD v9.3)

  • Like 1

Share this post


Link to post
Share on other sites
Luke

It's not being used directly by us, so perhaps mono is calling it. Might be a better question for @@woodsb02, just in case there's something particular to the bsd mono port.

  • Like 1

Share this post


Link to post
Share on other sites
woodsb02

Unfortunately the FreeBSD mono port does not have the option to build with the version of OpenSSL (or LibreSSL) from ports. As you said @@josh4trunks, it must just be using the version from FreeBSD base.

  • Like 1

Share this post


Link to post
Share on other sites
blaize9

Ok after going back and thinking about it, I forgot to check if bakabt.info supports SSLv3 which it does not (good due to POODLE attack) but this creates a problem where the request is unable to go through because it is looking for SSLv3 blah blah.

 

To confirm this was the Issue I created another domain that supports TLS1.2, TLS1.1, TLS1.0, SSLv3 and it connected successfully.

So would it be possible to force httpClient.Get or whatever that requests https pages to use TLS and fallback to SSLv3 if unsupported?

 

@@Luke @@woodsb02 @@josh4trunks

Edited by blaize9

Share this post


Link to post
Share on other sites
josh4trunks

Unfortunately the FreeBSD mono port does not have the option to build with the version of OpenSSL (or LibreSSL) from ports. As you said @@josh4trunks, it must just be using the version from FreeBSD base.

wouldn't the standard "WITH_OPENSSL_PORT=yes" work?

that's what I've done with several other plugins that needed newer versions of openssl.

Share this post


Link to post
Share on other sites
blaize9

wouldn't the standard "WITH_OPENSSL_PORT=yes" work?

that's what I've done with several other plugins that needed newer versions of openssl.

I believe that would fix it, but it would cause more issues for everyone in general because they need to set that in make.conf

Then if they don't do that they will get a similar handshake error. then they would make a thread and it would be more work for everyone.

https://bugs.freenas.org/issues/7693

 

Update:

Using OpenSSL 1.0.2c 12 Jun 2015 in emby freenas jail I could only retrieve the page when it was not hidden behind CloudFlare for HTTPS requests.

Found the same issue when tested inside emby.

 

Similar

    Does not support WindowsXP/IE6 (SNI Required)

    ONLY Supports TLS 1.0|1.1|1.2

 

Direct

    StartCom Certification Authority

    KEY - RSA 4096 bits

    Supported more Cipher Suites (http://pastebin.com/raw.php?i=yv1mjr07) VS (http://pastebin.com/raw.php?i=pw3h6RtY)

    OCSP stapling NO

CF

    COMODO ECC Certification

    KEY - EC 256 bits

    Session resumption (caching) NO

    Session resumption (tickets) YES

    NPN also supports spdy/3.1

Edited by blaize9

Share this post


Link to post
Share on other sites
josh4trunks

I believe that would fix it, but it would cause more issues for everyone in general because they need to set that in make.conf

Then if they don't do that they will get a similar handshake error. then they would make a thread and it would be more work for everyone.

https://bugs.freenas.org/issues/7693

 

Update:

Using OpenSSL 1.0.2c 12 Jun 2015 in emby freenas jail I could only retrieve the page when it was not hidden behind CloudFlare for HTTPS requests.

Found the same issue when tested inside emby.

 

Similar

Does not support WindowsXP/IE6 (SNI Required)

ONLY Supports TLS 1.0|1.1|1.2

 

Direct

StartCom Certification Authority

KEY - RSA 4096 bits

Supported more Cipher Suites (http://pastebin.com/raw.php?i=yv1mjr07) VS (http://pastebin.com/raw.php?i=pw3h6RtY)

OCSP stapling NO

CF

COMODO ECC Certification

KEY - EC 256 bits

Session resumption (caching) NO

Session resumption (tickets) YES

NPN also supports spdy/3.1

for the other plugins that setting only needs to be set during compile time, not on plugin user's systems. next emby update I can post a test build and you guys can verify if it fixed it.
  • Like 1

Share this post


Link to post
Share on other sites
blaize9

for the other plugins that setting only needs to be set during compile time, not on plugin user's systems. next emby update I can post a test build and you guys can verify if it fixed it.

Could you send me a notification/mention when you get that build done.

Thanks!

Share this post


Link to post
Share on other sites
josh4trunks

Could you send me a notification/mention when you get that build done.

Thanks!

Will do. I'll build it as soon as a new emby version is out.

Share this post


Link to post
Share on other sites
blaize9

@@blaize9 can you test out this PBI and tell me if you can reproduce the issue? Thanks

https://www.jruehlig.com/owncloud/index.php/s/E4D6edZoy4jBNMI

Looks like I still have the same issue.

	Error: SendFailure (Error writing headers)
	System.Net.WebException
	  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
	  at System.Threading.Tasks.TaskFactory`1[System.Net.WebResponse].InnerInvoke (System.Threading.Tasks.TaskCompletionSource`1 tcs, System.Func`2 endMethod, IAsyncResult l) [0x00000] in <filename unknown>:0 
	InnerException: System.Net.WebException
	Error writing headers
	InnerException: System.IO.IOException
	The authentication or decryption has failed.
	  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0 
	  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
	InnerException: Mono.Security.Protocol.Tls.TlsException
	The authentication or decryption has failed.
	  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0 
	  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
	

Share this post


Link to post
Share on other sites
josh4trunks

 

Looks like I still have the same issue.

	Error: SendFailure (Error writing headers)
	System.Net.WebException
	  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
	  at System.Threading.Tasks.TaskFactory`1[System.Net.WebResponse].InnerInvoke (System.Threading.Tasks.TaskCompletionSource`1 tcs, System.Func`2 endMethod, IAsyncResult l) [0x00000] in <filename unknown>:0 
	InnerException: System.Net.WebException
	Error writing headers
	InnerException: System.IO.IOException
	The authentication or decryption has failed.
	  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0 
	  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
	InnerException: Mono.Security.Protocol.Tls.TlsException
	The authentication or decryption has failed.
	  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0 
	  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
	
Thanks for checking. I may try a fix that I needed for the Sonarr plugin. Basically mono needs a writable place for its certificate store.

 

If this does fix it, @@woodsb02 we should integrate it into the FreeBSD port.

Share this post


Link to post
Share on other sites
woodsb02

Agreed. What's your thoughts? Give the emby user a home directory so it can get the certificates?

 

To confirm: did you try building mono with OpenSSL from ports? Did it work (do the build scripts appear to link against OpenSSL from ports)?

Share this post


Link to post
Share on other sites
blaize9

Agreed. What's your thoughts? Give the emby user a home directory so it can get the certificates?

 

To confirm: did you try building mono with OpenSSL from ports? Did it work (do the build scripts appear to link against OpenSSL from ports)?

 

Here is the installation process I used http://pastebin.com/0RfMwEJS

I'm not sure if that will answer your question, or if that was even directed at me but that was my installation process of openssl.

Edited by blaize9

Share this post


Link to post
Share on other sites
josh4trunks

Agreed. What's your thoughts? Give the emby user a home directory so it can get the certificates?

 

To confirm: did you try building mono with OpenSSL from ports? Did it work (do the build scripts appear to link against OpenSSL from ports)?

Nope, I think all we need to do is the below in the start_precmd routie

export XDG_CONFIG_HOME=${%%RC_NAME%%_data_dir}

Yes, built it with openssl from ports.

Edited by josh4trunks

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...