TLS 1.3

[Shidapu 14]

Heya guys. I tried to use TLS 1.3 yesterday, and it worked great on all platforms except on my Nvidia Shield using Android TV. Is it because of the Emby Application on Android TV?

[neik 873]

Same problem over here with the FireTV Stick, TLS 1.3 doesn't seem to be supported by the App yet.

 

Let's see what ebr says.

[Luke 42078]

Emby Server runs on .NET Core 2.2, which does not yet support TLS 1.3. Support for this has been added to the upcoming .NET Core 3.0 release:

 

https://docs.microsoft.com/en-us/dotnet/core/whats-new/dotnet-core-3-0

 

When this release goes stable later this year, then we will be able to support TLS 1.3.

 

In the meantime, if you have SSL handled by a reverse proxy, then it may work there provided that both your proxy and the client device support TLS 1.3.

 

Please let us know if this helps. Thanks.

[neik 873]

Hi Luke,

 

I am using nginx as reverse proxy and iirc the last time I tried it it was the show stopper on my FTVS.

 

It could either be a OS limitation or something with the ATV App.

 

@@ebr, is TLS1.3 implemented in the ATV app?

[Luke 42078]

There's nothing for the app to implement. It's handled by the platform. We'll have to see if fire tv devices support it.

[KMBanana 116]

TLS1.3 is being listed as a feature of Android Q, I'm assuming it is OS dependent, not application specific.  Can't find anything specific about 1.3 for Amazon's fire series of devices but I'd guess it's not supported yet.  

[Luke 42078]

 

 

I'm assuming it is OS dependent, not application specific. 

 

Yes, exactly right.

[neik 873]

TLS1.3 is being listed as a feature of Android Q, I'm assuming it is OS dependent, not application specific. Can't find anything specific about 1.3 for Amazon's fire series of devices but I'd guess it's not supported yet.

Yes, apparently it is an Android issue that will be implemented in Android Q, as you said.

 

Source: https://www.xda-developers.com/android-q-tls-1-3-support/

[pir8radio 1312]

when you do a test at:  https://www.ssllabs.com/ssltest/index.html     what Cipher Suites do you have available?    Are you trying to force 1.3 or do you still have 1.2 available for fallback?

 

Cipher Suites

# TLS 1.3 (server has no preference)

TLS_AES_128_GCM_SHA256 (0x1301)   ECDH x25519 (eq. 3072 bits RSA)   FS 128

TLS_AES_256_GCM_SHA384 (0x1302)   ECDH x25519 (eq. 3072 bits RSA)   FS 256

TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)   FS 256^P

Edited May 11, 2019 by pir8radio

[ebr 16179]

The Fire platform hasn't even made it to Android O yet...

[neik 873]

@@pir8radio, I am not able to use SSLabs as I am not using the standard https port but a "custom" one and they don't seem to support it.

 

@@ebr, I'm afraid we can give up on the Fire devices for TLS1.3 until new devices are released. TLS1.2 is the best we will get there, I guess.

[Tony B. 38]

A lot of users are going to have issues with 1.3 just because Windows 7 is probably not going to get it. That means that Server 2008 R2 won't either. I wouldn't expect it to become "mainstream" for another 5 years. 

 

PLUS! It's a new protocol. There is nothing to say that 1.3 is "safe" yet. It could be like SSL2 and 3; Which were a disaster.

 

Only time will tell with enough hackers on the loose to really give it a shot of hacking it to bits. 

[Shidapu 14]

 

A lot of users are going to have issues with 1.3 just because Windows 7 is probably not going to get it. That means that Server 2008 R2 won't either. I wouldn't expect it to become "mainstream" for another 5 years. 

 

PLUS! It's a new protocol. There is nothing to say that 1.3 is "safe" yet. It could be like SSL2 and 3; Which were a disaster.

 

Only time will tell with enough hackers on the loose to really give it a shot of hacking it to bits. 

 

 

Everything can be hacked.. That doesn't mean we shouldn't adopt to new security standards. TLS 1.2 has been out longer than 1.3, The banking sector still uses 1.2.

 

But to minimize the hacking risk, latest standard should always be used.

[Sanderluc 11]

This is still a issue, because if I enable TLS 1.3 within cloudflare some devices won't connect anymore, like:

 

- Emby for Windows (App)

- Android TV

 

But "Android Mobiles and IOS & Webbrowsers" are working just fine.

[Luke 42078]

On 3/22/2023 at 6:53 PM, Sanderluc said:

This is still a issue, because if I enable TLS 1.3 within cloudflare some devices won't connect anymore, like:

 

- Emby for Windows (App)

- Android TV

 

But "Android Mobiles and IOS & Webbrowsers" are working just fine.

@Sanderlucwhat versions of those two apps do you have?

[Sanderluc 11]

On 29/03/2023 at 22:27, Luke said:

@Sanderlucwhat versions of those two apps do you have?

I have identified the problem: devices older than Android 10 do not support TLS 1.3. For example, I encountered this issue while using a MI Box running on Android 9.

Additionally, there is a concern with Windows 10 as, by default, store-applications do not have TLS 1.3 enabled. However, this can be manually configured.

For more information, please refer to the following resource: https://www.asustor.com/en-gb/knowledge/detail/?id=&group_id=1011

Edited March 30, 2023 by Sanderluc