shorty1483 450 Posted February 4, 2017 Share Posted February 4, 2017 (edited) If I'm right security stuff of Emby Server uses crypto-js which hasn't been updated for years.Currently when I navigate to the Server directly in my LAN using https, I get the following negotiated TLS settings in ClientHello:Firefox 51 -> TLS 1.2 RSA for Key Exchange with cipher AES_256_CBC for encryption and SHA1 as hash function.Chrome 57 -> TLS 1.2 RSA for Key Exchange with cipher AES_128_CBC for encryption and SHA1 as hash function.I request (if possible) to uplevel the server proposed cipher suites to a state of the art standard. The server side advertised encryption should use the following cipher suites in prioritized order. ECDHE-ECDSA-AES128-GCM-SHA256ECDHE-RSA-AES128-GCM-SHA256ECDHE-ECDSA-AES256-GCM-SHA384ECDHE-RSA-AES256-GCM-SHA384DHE-RSA-AES128-GCM-SHA256DHE-RSA-AES256-GCM-SHA384ECDHE-ECDSA-AES128-SHA256ECDHE-RSA-AES128-SHA256ECDHE-ECDSA-AES128-SHAECDHE-RSA-AES256-SHA384ECDHE-RSA-AES128-SHAECDHE-ECDSA-AES256-SHA384ECDHE-ECDSA-AES256-SHAECDHE-RSA-AES256-SHADHE-RSA-AES128-SHA256DHE-RSA-AES128-SHADHE-RSA-AES256-SHA256DHE-RSA-AES256-SHA Long story short, including GCM ciphers for encryption, SHA2 and SHA3 series for hashing and preferation of ECDSA over RSA since it gives equal security with lot less overhead than RSA due to the shorter elliptic curve key . These key features are a real common setup nowadays for a modern server software like Emby, and if I see right, e.g. AES_256_GCM with SHA256 is already available in Emby Connect. With the suites above, actual clients are able to use modern security while older clients are still supported. It really shouldn't be mandatory to install a 3rd party software like apache or nginx to get proper security in todays web world.The holy grail for the future would be also the integration of ECDHE-ECDSA-CHACHA20-POLY1305/ECDHE-RSA-CHACHA20-POLY1305 with X25519 and prime256r1 or secp384r1 since it will be one of the center specs of upcoming TLS1.3. I tested it on my nginx test instance and it's really performant, specially on mobile devices. Edited February 6, 2017 by shorty1483 2 Link to comment Share on other sites More sharing options...
Jacob_B 1 Posted January 30, 2019 Share Posted January 30, 2019 Agreed TLS 1.3 for emby clients like android would be great to see. Link to comment Share on other sites More sharing options...
Luke 37046 Posted January 30, 2019 Share Posted January 30, 2019 TLS 1.3 will be available in March when .NET Core 3.0 is released: https://docs.microsoft.com/en-us/dotnet/core/whats-new/dotnet-core-3-0 2 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now