SSLV3_ALERT


eraser8

Hi guys,

 

I found that in the error log. It currently doesn't affect my https access as it works great when accessing my server from the internet. My setup is:

 

- Server version: 4.4.0.2 beta

- I'm running a certificate created by LetsEncrypt which I have had for many years now without any problem

 

I also downgraded to version 4.3.0.30 and I can see the same error in the log.

 

 

Here is the log file. You can search for 

 

2019-12-13 14:38:53.965 Error HttpServer: Error in ProcessAccept

embyserver.txt


Hi, yea I'm not really sure. It's possible the client device is trying to connect using sslv3. That is an older protocol and the server will reject all communication attempts with it.


eraser8

Hi Luke.... After further investigation, I'm pretty sure it is related to the fact I'm accessing the server by https on my local network (if you remember, you made me discover the fact that to be able to use the Playto function with my Chromecast from the web app, I needed to use HTTPS).

 

Sooooooo it corresponds to the time I started to see those errors in my logs.

 

Quick explanation. My certificate is done through LetsEncrypt using emby.xxxx.xx as my domain from outside. In my local network, I always reach my emby server using the network name "Emby". But the fact is, my certificate is not validated with "Emby", but "emby.xxxx.xx".

 

So, since I use the "HTTPS://emby:8920" address to reach my server instead of using "HTTP://emby:8096", I have those errors...... So, it doesn't stop me using my emby.

 

Thanks


Hi folks,

@hispeed

I have this error in the log but emby works fine so far. I can watch movies and everything on https. I use a wildcard certificate from Let's Encrypt. Then I create a .pfx, maybe there is an error?

openssl pkcs12 -export -out XX-x.Topleveldomain.pfx -inkey XX-x.Topleveldomain.key -in XX-x.Topleveldomain.cer -password pass:PASSWORD
2019-12-13 21:42:10.141 Error HttpServer: Error in ProcessAccept
    *** Error Report ***
    Version: 4.3.0.30
    Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffdetect /opt/emby-server/bin/ffdetect -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-rpm_{version}_x86_64.rpm
    Operating system: Unix 3.10.0.957
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: True
    Runtime: file:///opt/emby-server/system/System.Private.CoreLib.dll
    Processor count: 2
    Program data path: /var/lib/emby
    Application directory: /opt/emby-server/system
    System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
     --- End of inner exception stack trace ---
     at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
     at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
     --- End of inner exception stack trace ---
     at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
     at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
     at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
     at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
     at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
     at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
    --- End of stack trace from previous location where exception was thrown ---
     at System.Net.Security.SslState.ThrowIfExceptional()
     at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
     at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
     at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
     at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__50_2(IAsyncResult iar)
     at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
    --- End of stack trace from previous location where exception was thrown ---
     at SocketHttpListener.Net.HttpConnection.Init()
     at SocketHttpListener.Net.HttpEndPointListener.ProcessAccept(SocketAsyncEventArgs args)
    Source: System.Private.CoreLib
    TargetSite: Void Throw()
    InnerException: Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
    Source: System.Net.Security
    TargetSite: Boolean DoSslHandshake(Microsoft.Win32.SafeHandles.SafeSslHandle, Byte[], Int32, Int32, Byte[] ByRef, Int32 ByRef)
     at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
     at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
    InnerException: Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
    Source:
    TargetSite: 

Q-Droid

I think both of you are missing the intermediate (chain) cert in your PFX file. It looks like @hispeed's command to create the PFX does not include the chain during import.

 

You can check your file to see what certs it contains:

openssl pkcs12 -info -in "full path to PFX file" -nokeys

 

You can test a connection to see what the server returns in the "Certificate chain" output:

openssl s_client -connect "host:port"

 

To include cert and intermediate (fullchain) in the PFX file:

openssl pkcs12 -export -in "full path to fullchain.pem" -inkey "full path to privkey.pem" -out "full path to pfx file"

or

openssl pkcs12 -export -in "full path to cert.pem" -inkey "full path to privkey.pem" -certfile "full path to chain.pem" -out "full path to pfx file"

 


eraser8


Thanks for the info. How do we recognize the "Intermediate" part with your first command?

 

Edit: I use this command to generate the pfx file:

openssl pkcs12 -export -in "full path to fullchain.pem" -inkey "full path to privkey.pem" -out "full path to pfx file"


Q-Droid

The first command should return two certs, your site cert and the intermediate.

 

subject=/CN="your fqdn"                                                                <---- site (server) cert
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
blah blah
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3  <---- intermediate cert
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
blah blah
-----END CERTIFICATE-----
 

eraser8

It connects very fast and waits for a command.

 

 

 

openssl s_client -connect "emby:8920"
CONNECTED(00000004)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=XXX.XXXXXX.XX
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
BLABLA
-----END CERTIFICATE-----
subject=/CN=XXXX.XXXXXX.XX
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3219 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 157A3F7C7C98561F25ECBFED95D7C04013354E37DED2064E3E46D361FF978A67
    Session-ID-ctx:
    Master-Key: (SOME KEY)
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    (SOME DATA HERE)
    Start Time: 1576297019
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Q-Droid

Ah, here you go: "Verify return code: 20 (unable to get local issuer certificate)"

 

Your system can't verify the validity of the certs. The server should have a ca-bundle so it can verify certs signed by "DST Root CA X3". It's either outdated or it can't locate the file.

 

Edit: The reason it works on browsers and other clients is because they have their own trust stores with the needed root CA.


eraser8


Sorry, I'm not a professional in certificates...... I'm not sure what I need to do here to fix that.

 

But what I can tell is, from the same machine, same browser, if I reach my server using the FQDN, it doesn't create those log lines. But when I use only the local hostname, I get the error.....

 

 

BTW, thanks for your help! It is appreciated :)


Hi,

 

Thank you for your replies. It looks like this error is gone. I have added the fullchain.cer into the .pfx certificate.

 

Emby forum is better than many other forums!


Q-Droid


It looks like FreeBSD uses ca_root_nss for the trust store. You can use the pkg command to check, install and upgrade the CA roots on your system. You should consider doing this, otherwise Emby might have trouble making outbound calls to HTTPS services. I don't know if Emby maintains its own root cert store, though if it did then it shouldn't have thrown the SSLV3_ALERT on startup that's in your log.

 

FQDN for your Emby host matches the cert presented, it passes validation and no warning. Local hostname doesn't match the cert hence the warning/error.


eraser8

I forced an update of my cert using the certbot command.

Unfortunately, the same error appears only when I reach my server using the local hostname only. I cannot say if Emby always responded like that since I think I never used it locally with HTTPS before.

 

I don't have any problem doing any outbound call. Moreover, I don't have any problem using it locally, it's just that emby generates an error in the log...

I'm not sure what emby would need to be able to handle this without error?? In fact, I'm not sure if emby would need to be updated to fix this or if I can set up something more in my jail (FREENAS) to avoid this error?

 

Thanks


Q-Droid

You don't need to change your certs, that's not where the problem is. Basically, when using HTTPS you have to access the Emby server with the name that matches the CN in the certificate or it will complain in both the browser and in the Emby logs. I can generate the same error by doing that and there is no workaround for this. It is the correct behavior.

 

I might have misinterpreted your log because it looked like the error was being thrown on startup. 

 

When you ran the OpenSSL test it could not validate the certs from the command line, which led me to think you may not have a root CA file or that OpenSSL couldn't find it. That's why I recommended looking into ca_root_nss.

 

If everything else is working then you don't have a problem. This is expected behavior.

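To make Q-Droid's two diagnoses concrete (a PFX exported without the intermediate, and a local hostname that does not match the certificate), here is an added shell example; it is not from the thread or from Emby. It builds a throwaway root/intermediate/leaf PKI for the hypothetical name emby.example.test in a scratch directory, exports a PFX both ways, counts the certificates in each, and runs the hostname check that fails for a bare name like "emby".

```shell
#!/bin/sh
# Added demo (not Emby code). Builds a constructed root -> intermediate -> leaf PKI
# for the hypothetical name emby.example.test in a scratch directory, then reproduces
# the two things the thread diagnoses: a PFX exported without the intermediate, and a
# client-side hostname that does not match the certificate.
set -e
cd "$(mktemp -d)"

make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  # Self-signed root CA, then an intermediate CA signed by it.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.crt 2>/dev/null
  # Leaf (server) cert; clients match the hostname against the SAN, not the local name.
  printf 'subjectAltName=DNS:emby.example.test\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=emby.example.test" \
    -keyout privkey.pem -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out cert.pem 2>/dev/null
  cat cert.pem int.crt > fullchain.pem
  # The two export styles from the thread: leaf only, and leaf + intermediate.
  openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out nochain.pfx -passout pass:demo
  openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain.pfx -passout pass:demo
}

# Number of certificates inside a PFX (the check behind "openssl pkcs12 -info ... -nokeys").
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:demo 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only if the chain verifies up to the root AND the leaf is valid for "$1".
hostname_matches() {
  openssl verify -CAfile root.crt -untrusted int.crt -verify_hostname "$1" cert.pem >/dev/null 2>&1
}

make_test_pki
echo "certs in nochain.pfx:   $(pfx_cert_count nochain.pfx)"    # 1: intermediate missing
echo "certs in fullchain.pfx: $(pfx_cert_count fullchain.pfx)"  # 2: leaf + intermediate
for name in emby.example.test emby; do
  if hostname_matches "$name"; then echo "$name: OK"; else echo "$name: name mismatch"; fi
done
```

The second loop iteration is the situation in this thread: the chain is fine, but "emby" is not a name the certificate was issued for, so the client rejects it and the server logs the alert.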

eraser8


Great! Thank you for the details :) So far so good! It's just logging many useless error lines in the log... But all is working great

 

Thanks
