blaize9, posted June 11, 2015 (edited)

httpClient.Get was sending requests using SSLv3, however that was unsupported by the server (CloudFlare), which caused the request to fail. SSLv3 should not be used, due to the POODLE attack, and is insecure.

Edit: Looks like there is something else causing it to fail when sending requests to CloudFlare.

Error: SendFailure (Error writing headers)
System.Net.WebException
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  at System.Threading.Tasks.TaskFactory`1[System.Net.WebResponse].InnerInvoke (System.Threading.Tasks.TaskCompletionSource`1 tcs, System.Func`2 endMethod, IAsyncResult l) [0x00000] in <filename unknown>:0
InnerException: System.Net.WebException
Error writing headers
InnerException: System.IO.IOException
The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
InnerException: Mono.Security.Protocol.Tls.TlsException
The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0

This is currently not fixed!

emby-freenas.log

Edited June 20, 2015 by blaize9

josh4trunks, posted June 11, 2015

@Luke where in the stack is openssl being used? do you know if this library is somehow packaged in during compile time? I can rebuild mono/emby with the latest version of openssl if that would fix things. by default it uses the version installed with the base OS (openssl v0.9.8 in FreeBSD v9.3)

Luke, posted June 11, 2015

It's not being used directly by us, so perhaps mono is calling it. Might be a better question for @woodsb02, just in case there's something particular to the bsd mono port.

woodsb02, posted June 11, 2015

Unfortunately the FreeBSD mono port does not have the option to build with the version of OpenSSL (or LibreSSL) from ports. As you said @josh4trunks, it must just be using the version from FreeBSD base.

blaize9 (Author), posted June 12, 2015 (edited)

Ok after going back and thinking about it, I forgot to check if bakabt.info supports SSLv3 which it does not (good due to POODLE attack) but this creates a problem where the request is unable to go through because it is looking for SSLv3 blah blah.

To confirm this was the Issue I created another domain that supports TLS1.2, TLS1.1, TLS1.0, SSLv3 and it connected successfully.

So would it be possible to force httpClient.Get or whatever that requests https pages to use TLS and fallback to SSLv3 if unsupported?

@Luke @woodsb02 @josh4trunks

Edited June 12, 2015 by blaize9

josh4trunks, posted June 12, 2015

> Unfortunately the FreeBSD mono port does not have the option to build with the version of OpenSSL (or LibreSSL) from ports. As you said @josh4trunks, it must just be using the version from FreeBSD base.

wouldn't the standard "WITH_OPENSSL_PORT=yes" work?
that's what I've done with several other plugins that needed newer versions of openssl.

blaize9 (Author), posted June 12, 2015 (edited)

> wouldn't the standard "WITH_OPENSSL_PORT=yes" work? that's what I've done with several other plugins that needed newer versions of openssl.

I believe that would fix it, but it would cause more issues for everyone in general because they need to set that in make.conf. Then if they don't do that they will get a similar handshake error. Then they would make a thread and it would be more work for everyone.

https://bugs.freenas.org/issues/7693

Update: Using OpenSSL 1.0.2c 12 Jun 2015 in emby freenas jail I could only retrieve the page when it was not hidden behind CloudFlare for HTTPS requests. Found the same issue when tested inside emby.

Similar
- Does not support WindowsXP/IE6 (SNI Required)
- ONLY Supports TLS 1.0|1.1|1.2

Direct
- StartCom Certification Authority
- KEY - RSA 4096 bits
- Supported more Cipher Suites (http://pastebin.com/raw.php?i=yv1mjr07) VS (http://pastebin.com/raw.php?i=pw3h6RtY)
- OCSP stapling NO

CF
- COMODO ECC Certification
- KEY - EC 256 bits
- Session resumption (caching) NO
- Session resumption (tickets) YES
- NPN also supports spdy/3.1

Edited June 13, 2015 by blaize9

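Added example (not part of any post in this thread): one way to see what a client really offers in its handshake is to decode the ClientHello from a packet capture and check the properties the comparison above lists: protocol version, SNI, and, for a server presenting an EC key, at least one ECDSA cipher suite. The function names and the two sample hellos are constructed for illustration.

```python
import struct

# ECDSA-authenticated suites (IANA IDs); a server with only an EC certificate needs one of these.
ECDSA_SUITES = {0xC009, 0xC00A, 0xC023, 0xC024, 0xC02B, 0xC02C}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def inspect_client_hello(record: bytes) -> dict:
    """Report the version, SNI and ECDSA support a ClientHello record offers."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len or body[:1] != b"\x01":
        raise ValueError("not a complete ClientHello handshake record")
    (hello_ver,) = struct.unpack_from("!H", body, 4)   # after type(1) + length(3)
    pos = 4 + 2 + 32                                   # skip version + random
    pos += 1 + body[pos]                               # skip session id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    suites = struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2)
    pos += 2 + cs_len
    pos += 1 + body[pos]                               # skip compression methods
    sni = None
    if pos + 2 <= len(body):                           # extensions block is optional
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos, end = pos + 2, pos + 2 + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == 0:                          # server_name extension
                (name_len,) = struct.unpack_from("!H", body, pos + 7)
                sni = body[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + ext_len
    return {"version": VERSIONS.get(hello_ver, hex(hello_ver)), "sni": sni,
            "ecdsa": any(s in ECDSA_SUITES for s in suites)}

def build_hello(version, suites, sni=None) -> bytes:
    """Construct a minimal ClientHello record (sample input, not a real capture)."""
    ext = b""
    if sni:
        name = sni.encode("ascii")
        data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HHH", len(data) + 4, 0, len(data)) + data
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
    body += b"\x01\x00" + ext
    msg = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(msg)) + msg

if __name__ == "__main__":
    # Constructed hellos: an SSLv3-only RSA client vs. a TLS 1.2 client with SNI and ECDSA.
    print(inspect_client_hello(build_hello(0x0300, [0x0035, 0x000A])))
    print(inspect_client_hello(build_hello(0x0303, [0xC02B, 0x002F], "example.com")))
```

A hello that shows SSLv3, no SNI, or no ECDSA suite would be refused by a server with the properties listed above, whichever OpenSSL version is installed beside the client.
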
josh4trunks, posted June 13, 2015

> I believe that would fix it, but it would cause more issues for everyone in general because they need to set that in make.conf. Then if they don't do that they will get a similar handshake error. Then they would make a thread and it would be more work for everyone.
>
> https://bugs.freenas.org/issues/7693
>
> Update: Using OpenSSL 1.0.2c 12 Jun 2015 in emby freenas jail I could only retrieve the page when it was not hidden behind CloudFlare for HTTPS requests. Found the same issue when tested inside emby.
>
> Similar
> - Does not support WindowsXP/IE6 (SNI Required)
> - ONLY Supports TLS 1.0|1.1|1.2
>
> Direct
> - StartCom Certification Authority
> - KEY - RSA 4096 bits
> - Supported more Cipher Suites (http://pastebin.com/raw.php?i=yv1mjr07) VS (http://pastebin.com/raw.php?i=pw3h6RtY)
> - OCSP stapling NO
>
> CF
> - COMODO ECC Certification
> - KEY - EC 256 bits
> - Session resumption (caching) NO
> - Session resumption (tickets) YES
> - NPN also supports spdy/3.1

for the other plugins that setting only needs to be set during compile time, not on plugin user's systems. next emby update I can post a test build and you guys can verify if it fixed it.

blaize9 (Author), posted June 13, 2015

> for the other plugins that setting only needs to be set during compile time, not on plugin user's systems. next emby update I can post a test build and you guys can verify if it fixed it.

Could you send me a notification/mention when you get that build done. Thanks!

josh4trunks, posted June 14, 2015

> Could you send me a notification/mention when you get that build done. Thanks!

Will do. I'll build it as soon as a new emby version is out.

josh4trunks, posted June 16, 2015 (edited)

@blaize9 can you test out this PBI and tell me if you can reproduce the issue? Thanks

https://www.jruehlig.com/owncloud/index.php/s/E4D6edZoy4jBNMI

Edited June 16, 2015 by josh4trunks

blaize9 (Author), posted June 16, 2015

> @blaize9 can you test out this PBI and tell me if you can reproduce the issue? Thanks
>
> https://www.jruehlig.com/owncloud/index.php/s/E4D6edZoy4jBNMI

Looks like I still have the same issue.

Error: SendFailure (Error writing headers)
System.Net.WebException
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  at System.Threading.Tasks.TaskFactory`1[System.Net.WebResponse].InnerInvoke (System.Threading.Tasks.TaskCompletionSource`1 tcs, System.Func`2 endMethod, IAsyncResult l) [0x00000] in <filename unknown>:0
InnerException: System.Net.WebException
Error writing headers
InnerException: System.IO.IOException
The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
InnerException: Mono.Security.Protocol.Tls.TlsException
The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0

josh4trunks, posted June 16, 2015

> Looks like I still have the same issue.
>
> Error: SendFailure (Error writing headers)
> System.Net.WebException
>   at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
>   at System.Threading.Tasks.TaskFactory`1[System.Net.WebResponse].InnerInvoke (System.Threading.Tasks.TaskCompletionSource`1 tcs, System.Func`2 endMethod, IAsyncResult l) [0x00000] in <filename unknown>:0
> InnerException: System.Net.WebException
> Error writing headers
> InnerException: System.IO.IOException
> The authentication or decryption has failed.
>   at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0
>   at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
> InnerException: Mono.Security.Protocol.Tls.TlsException
> The authentication or decryption has failed.
>   at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0
>   at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0

Thanks for checking. I may try a fix that I needed for the Sonarr plugin. Basically mono needs a writable place for its certificate store. If this does fix it, @woodsb02 we should integrate it into the FreeBSD port.

woodsb02, posted June 16, 2015

Agreed. What's your thoughts? Give the emby user a home directory so it can get the certificates?

To confirm: did you try building mono with OpenSSL from ports? Did it work (do the build scripts appear to link against OpenSSL from ports)?

blaize9 (Author), posted June 17, 2015 (edited)

> Agreed. What's your thoughts? Give the emby user a home directory so it can get the certificates?
>
> To confirm: did you try building mono with OpenSSL from ports? Did it work (do the build scripts appear to link against OpenSSL from ports)?

Here is the installation process I used: http://pastebin.com/0RfMwEJS

I'm not sure if that will answer your question, or if that was even directed at me, but that was my installation process of openssl.

Edited June 17, 2015 by blaize9

josh4trunks, posted June 17, 2015 (edited)

> Agreed. What's your thoughts? Give the emby user a home directory so it can get the certificates?
>
> To confirm: did you try building mono with OpenSSL from ports? Did it work (do the build scripts appear to link against OpenSSL from ports)?

Nope, I think all we need to do is the below in the start_precmd routine:

export XDG_CONFIG_HOME=${%%RC_NAME%%_data_dir}

Yes, built it with openssl from ports.

Edited June 17, 2015 by josh4trunks

josh4trunks, posted June 17, 2015

@blaize9 Can you try the linked PBI again. I made a change and I want to see if it made a difference. Thanks

https://www.jruehlig.com/owncloud/index.php/s/E4D6edZoy4jBNMI

Luke, posted July 13, 2018

Please give this a try: https://emby.media/community/index.php?/topic/60728-new-freebsd-package-for-testing

Thanks!