openSSL out of date


visproduction
Posted (edited)

Bandit,
Ssl is a registration on your domain and it is under your control.  Updating is up to you.  Emby can run with a domain when your individual SSL setup is correct.  I don't think there is anything in Emby to update.  It either goes to an IP address if you have no SSL or it goes to your domain name when you setup SSL on your domain.

Edited by visproduction
Happy2Play
Posted
18 minutes ago, bandit8623 said:

doing security checks im getting this.

Your server is using a outdated version of OpenSSL vulnerable to denial of service attack. Urgently update OpenSSL to version 1.1.1k or newer.

https://www.immuniweb.com/ssl/

when will this be updated?

Sorry I don't follow, what does this have to do with Emby?

pwhodges
Posted

Presumably Emby's https (ssl) option uses OpenSSL.

Paul

pwhodges
Posted
17 minutes ago, visproduction said:

Bandit,
Ssl is a registration on your domain and it is under your control.  Updating is up to you.  Emby can run with a domain when your individual SSL setup is correct.  I don't think there is anything in Emby to update.  It either goes to an IP address if you have no SSL or it goes to your domain name when you setup SSL on your domain.

Er, no. You're talking about certificates - he's talking about the code in the server which checks and uses the certificates - handling the ssl which https is based on.

Paul

bandit8623
Posted
1 hour ago, Happy2Play said:

Sorry I don't follow, what does this have to do with Emby?

emby uses openssl.  the version is baked into the server.  we or i have no control.

Luke
Posted

Hi, what version of emby server do you have?

Happy2Play
Posted (edited)

Still confused here as I get this on both 4.7.8.0 and 4.8.0.12 servers testing on that site.

Wouldn't this be a system, not an Emby issue?  As the openssl files in the system folder appear to be .NET signed by Microsoft.

Someone else's SSL test on the test site, as the site is not testing Emby in any way that I know of.

Edited by Happy2Play
bandit8623
Posted (edited)
21 hours ago, Luke said:

Hi, what version of emby server do you have?

latest beta 4.8.0.12

Edited by bandit8623
added ver
TeamB
Posted (edited)

are you accessing Emby directly or through a reverse proxy

Edited by TeamB
bandit8623
Posted (edited)
20 hours ago, TeamB said:

are you accessing Emby directly or through a reverse proxy

talking to me?  im just running the test from that link directly to my server.   

direct no proxy

Edited by bandit8623
Happy2Play
Posted
3 hours ago, bandit8623 said:

talking to me?  im just running the test from that link directly to my server.   

But the test is against SSL not Emby from my understanding.  Just like the score you get is against your System settings.  But it passes on all my Windows systems.

6 hours ago, bandit8623 said:
8 hours ago, Luke said:

Hi, what version of emby server do you have?

latest beta

What platform?

bandit8623
Posted
9 hours ago, Happy2Play said:

But the test is against SSL not Emby from my understanding.  Just like the score you get is against your System settings.  But it passes on all my Windows systems.

What platform?

Windows.  So if you are not having the issue then it has to be how I created my cert then. 

Happy2Play
Posted
2 minutes ago, bandit8623 said:

Windows.  So if you are not having the issue then it has to be how I created my cert then. 

I am no expert on this but could be.  I have WHS2011/Server 2016 GoDaddy custom cert that comes with the servers.  

As for Emby it is on a Windows 10 machine with a copy of the servers SSL.  So https goes to server while https Emby port goes to Windows 10.

I would assume if your cert was on any machine or shutdown or uninstalled Emby you would get this vulnerability.

bandit8623
Posted (edited)
2 hours ago, Happy2Play said:

I am no expert on this but could be.  I have WHS2011/Server 2016 GoDaddy custom cert that comes with the servers.  

As for Emby it is on a Windows 10 machine with a copy of the servers SSL.  So https goes to server while https Emby port goes to Windows 10.

I would assume if your cert was on any machine or shutdown or uninstalled Emby you would get this vulnerability.

i redid my cert with updated openssl 1.1.1.1q, and i still get the vulnerability problem.  when doing your test are you adding the port to your emby server?  example my ip address 1.1.1.1:8920

Edited by bandit8623
added pic
Happy2Play
Posted
Just now, bandit8623 said:

i redid my cert with updated openssl 1.1.1.1q, and i still get the vulnerability problem.  when doing your test are you adding the port to your emby server?  example my ip address 1.1.1.1:8920

I did both and get slightly different results on each, but both do not show the vulnerability.

Summary of xxxxxxxxxxxxxxx.homeserver.com:443 (HTTPS) SSL Security Test (WHS2011 server that controls the certificate)

Summary of xxxxxxxxxxxxxxx.homeserver.com:8920 (N/A) SSL Security Test (Windows 10 with SSL cert in Emby)

justinrh
Posted
17 hours ago, bandit8623 said:
20 hours ago, TeamB said:

are you accessing Emby directly or through a reverse proxy

talking to me?  im just running the test from that link directly to my server. 

@bandit8623 He is talking to you.  He is asking if DNS is pointed directly to the server or to a reverse proxy where the proxy forwards traffic to your Emby server.

bandit8623
Posted
2 minutes ago, justinrh said:

@bandit8623 He is talking to you.  He is asking if DNS is pointed directly to the server or to a reverse proxy where the proxy forwards traffic to your Emby server.

directly to server.

bandit8623
Posted
On 10/15/2022 at 5:29 PM, visproduction said:

Bandit,
Ssl is a registration on your domain and it is under your control.  Updating is up to you.  Emby can run with a domain when your individual SSL setup is correct.  I don't think there is anything in Emby to update.  It either goes to an IP address if you have no SSL or it goes to your domain name when you setup SSL on your domain.

i have my ssl cert fully setup.  i used openssl 1.1.1.1q to combine the pem files.  i am able to connect remotely just fine.  just getting that vulnerability error check

Q-Droid
Posted
2 hours ago, bandit8623 said:

i redid my cert with updated openssl 1.1.1.1q, and i still get the vulnerability problem.  when doing your test are you adding the port to your emby server?  example my ip address 1.1.1.1:8920

If you're getting an F then you have more problems than a single mid-range score vulnerability. I suspect you're focusing on the wrong things from the report.

 

bandit8623
Posted (edited)
14 minutes ago, Q-Droid said:

If you're getting an F then you have more problems than a single mid-range score vulnerability. I suspect you're focusing on the wrong things from the report.

 

No.  i got an F because of this issue.

this is the only other attention item.


Edited by bandit8623
Happy2Play
Posted

I would think everyone's system would get this if it were an Emby issue.  But I don't really have any idea what it could be, as I can't replicate it on 4 different Windows versions on stable or beta servers.

Q-Droid
Posted (edited)

I think the real issue is this - TLS_RSA_WITH_3DES_EDE_CBC_SHA

That is a cipher that should definitely not be allowed. Your error might be a false report on what is really a bad cipher being allowed during negotiation. The stable version of Emby does not seem to include 3DES in the cipher suite.

Edit: I should add that I'm on Linux, not Windows, running stable and tested using Caddy with an EC cert and direct to Emby with an RSA cert. Neither allowed 3DES in the negotiation.

 

Edited by Q-Droid
Happy2Play
Posted

@Q-Droid I can say mine shows multiple weak ciphers but I don't get an F as I don't get this OpenSSL issue.  Where I get a C I will assume is primarily for enabling TLS 1.0 per their list.

But I will assume OP would get the same with Emby shut down or even uninstalled.  As 8920 is just port forwarding to the Host machine.  So the question becomes what on this system is causing it?

@bandit8623 What version of Windows?

Posted
7 minutes ago, Happy2Play said:

@Q-Droid I can say mine shows multiple weak ciphers but I don't get an F as I don't get this OpenSSL issue.  Where I get a C I will assume is primarily for enabling TLS 1.0 per their list.

But I will assume OP would get the same with Emby shut down or even uninstalled.  As 8920 is just port forwarding to the Host machine.  So the question becomes what on this system is causing it?

@bandit8623 What version of Windows?

Yes but 3DES is a broken and deprecated cipher and not quite the same as merely weak ones. I don't know why the Emby server would allow that downgrade unless there's a proxy (already said no) or something is seriously out of date or a regression. But you don't see it so that should rule out regression.
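One way to answer "what on this system is causing it" from the Windows host itself, as an added example that is not Emby's or any poster's own code: list the cipher suites Schannel offers, report the 3DES suite Q-Droid pointed at and the TLS 1.0/1.1 state Happy2Play mentioned, and on request disable the legacy suites. It assumes Emby's HTTPS listener is backed by .NET and therefore by Schannel (which is what the Microsoft-signed .NET files noted earlier suggest), so the OS-wide suite list is what a scan of port 8920 sees.

```powershell
# Added example (not Emby's or the forum's code): audit the TLS cipher suites
# Windows Schannel offers and, with -Apply, disable the legacy ones a scanner
# penalises. Assumes Emby's HTTPS listener is .NET-backed and so uses Schannel,
# meaning the OS-wide suite list is what a scan of port 8920 sees.
# Run in an elevated PowerShell on Windows 10 / Server 2016 or later.
param([switch]$Apply)

# Name fragments that identify suites a modern scanner will flag.
# 3DES matches the TLS_RSA_WITH_3DES_EDE_CBC_SHA suite from the thread.
$weakRegex = '3DES|RC4|NULL|EXPORT|_MD5'

$offered = @(Get-TlsCipherSuite)
Write-Host ("Schannel offers {0} cipher suites." -f $offered.Count)

$weak = $offered | Where-Object { $_.Name -match $weakRegex }
# Plain RSA key exchange is not broken but gives no forward secrecy; report it separately.
$noPfs = $offered | Where-Object { $_.Name -like 'TLS_RSA_WITH_*' -and $_.Name -notmatch $weakRegex }

Write-Host "`nLegacy suites to remove:"
$weak | Select-Object Name, Cipher, Hash, Exchange | Format-Table -AutoSize
Write-Host "Suites without forward secrecy:"
$noPfs | Select-Object Name | Format-Table -AutoSize

# TLS 1.0/1.1 are governed by Schannel registry keys, not by the suite list.
# A missing key or value means the OS default for this Windows version applies.
$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    $key = Join-Path $protoRoot "$proto\Server"
    $state = if (Test-Path $key) {
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
        if ($null -eq $v) { 'key present, no Enabled value (OS default)' }
        elseif ($v -eq 0) { 'disabled' } else { 'enabled' }
    } else { 'no key (OS default)' }
    Write-Host ("{0} server-side: {1}" -f $proto, $state)
}

if ($Apply) {
    foreach ($suite in $weak) {
        # System-wide change: affects every Schannel server on this host, not just Emby.
        Disable-TlsCipherSuite -Name $suite.Name
        Write-Host "Disabled $($suite.Name)"
    }
    Write-Host "Restart Emby Server so its listener picks up the new suite list, then re-run the scan."
} else {
    Write-Host "`nDry run. Re-run with -Apply to disable the legacy suites listed above."
}
```

Running it without -Apply is read-only, so it can be compared against the scanner's cipher list before anything is changed; if the listed suites do not match what the scan reports, something other than Schannel (a proxy or a non-.NET listener) is terminating TLS on that port.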
