
FIPS Validated Cryptography Fix


Guardian Hope

After a very long period where I could not use Emby Server on Windows 10 Pro because the server was not registering with the http server as authorized with the OS (see http://emby.media/community/index.php?/topic/29931-emby-refusing-connections/ for all about that) I decided to give Emby Server on Windows another try primarily because the server needed direct access to my GPU which VMWare Workstation doesn't provide (although vSphere does) so I can stream out H.265 content to an rPi3 running OSMC. Works wonderfully by the way but I did encounter an issue with Emby Server which can easily be rectified.

 

Emby Server, once I reinstalled the latest development build, threw an unhandled exception error so I browsed over to Emby Server's logs and saw that this is the fourth program I encountered which doesn't comply with FIPS validated cryptography and that's a problem in Windows 10 - especially if you have Trusted Platform computing enabled because you need it for one reason or another.

 

However, the fix is easy:

 

In MediaBrowser.ServerApplication.exe.config the following line needs to be added before the closing of the <runtime> tags:

<enforceFIPSPolicy enabled="false"/>

This disables the FIPS validation check for this program and allows it to run under Windows 10 on a system using a Trusted Platform Module enforcing FIPS cryptography. You may of course find the article on MSDN. On a system not using a TPM, this change makes no difference to how the application is run.

 

For reference, here was the exception log file:

One or more errors occurred.
System.AggregateException
   at System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at MediaBrowser.ServerApplication.MainStartup.RunApplication(ServerApplicationPaths appPaths, ILogManager logManager, Boolean runService, StartupOptions options)
   at MediaBrowser.ServerApplication.MainStartup.Main()
InnerException: System.Reflection.TargetInvocationException
Exception has been thrown by the target of an invocation.
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
   at System.Security.Cryptography.MD5.Create()
   at MediaBrowser.Common.Extensions.BaseExtensions.GetMD5(String str)
   at MediaBrowser.Server.Startup.Common.ApplicationHost.GetCertificatePath(Boolean generateCertificate)
   at MediaBrowser.Server.Startup.Common.ApplicationHost.StartServer()
   at MediaBrowser.Server.Startup.Common.ApplicationHost.FindParts()
   at MediaBrowser.Common.Implementations.BaseApplicationHost`1.<Init>d__4.MoveNext()
InnerException: System.InvalidOperationException
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()

Emby Server is now working but I would hate to have to re-add that line with every single update to Emby Server on Windows 10.

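Added example, not part of the original post and not Emby's own code: a Python script that reports whether a .NET `.exe.config` carries the `<enforceFIPSPolicy enabled="false"/>` line described in the post above and re-adds it before `</runtime>` when an update has removed it. The sample config and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FIPS_ELEMENT = '<enforceFIPSPolicy enabled="false"/>'  # the line from the post

# Constructed sample config, not Emby's real file.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <gcServer enabled="true"/>
  </runtime>
</configuration>
"""

def fips_policy_state(config_text):
    """Classify the config: 'opted-out', 'enforced', 'absent' or 'no-runtime'."""
    runtime = ET.fromstring(config_text).find("runtime")
    if runtime is None:
        return "no-runtime"
    node = runtime.find("enforceFIPSPolicy")
    if node is None:
        return "absent"
    enabled = node.get("enabled", "").strip().lower()
    return "opted-out" if enabled == "false" else "enforced"

def ensure_fips_opt_out(config_text):
    """Return (text, changed); insert the element before </runtime> if missing."""
    state = fips_policy_state(config_text)
    if state == "opted-out":
        return config_text, False          # idempotent: nothing to do
    if state != "absent":
        raise ValueError("refusing to edit config in state: " + state)
    # Text-level insert keeps comments, namespaces and layout untouched.
    match = re.search(r"([ \t]*)</runtime\s*>", config_text)
    if match is None:
        raise ValueError("no closing </runtime> tag found")
    line = match.group(1) + "  " + FIPS_ELEMENT + "\n"
    patched = config_text[:match.start()] + line + config_text[match.start():]
    # Re-parse so a bad splice fails here instead of at application start.
    if fips_policy_state(patched) != "opted-out":
        raise ValueError("patched config did not validate")
    return patched, True

if __name__ == "__main__":
    patched, changed = ensure_fips_opt_out(SAMPLE_CONFIG)
    print("changed:", changed)
    print(patched)
```

The same `fips_policy_state` function can be pointed at any `*.exe.config` on a host to list which applications have opted out of FIPS enforcement.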

Thanks for the info, although just fyi Emby Server does not require access to your GPU.


Guardian Hope

Thanks for the info, although just fyi Emby Server does not require access to your GPU.

 

You are quite correct, but it is easier when it comes to having to transcode HEVC content to something like a Raspberry Pi 3 which can't natively handle HEVC/H.265 1080p/60.

 

I have created the proposed change on GitHub with all the required information in the proposed commit's comment: https://github.com/MediaBrowser/Emby/pull/1843
