jellyfin / jellyfin-mpv-shim

MPV Cast Client for Jellyfin
Other
1.63k stars 93 forks source link

TLS 1.3 not working #288

Open thescratcho opened 2 years ago

thescratcho commented 2 years ago

Hello, i'm using Jellyfin behind Haproxy

I like to enforce strong secruity and only use TLS 1.3

I noticed that MPV shim cant connect to the server when using TLS 1.3 TLS 1.2 works fine

could you please fix that problem so it works with TLS1.3

Here is the TLS 1.3 config that is being used in Haproxy:

`# modern configuration ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets`

TLS 1.2 configuration which works:

`# intermediate configuration ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl-dh-param-file /path/to/dhparam

frontend ft_test mode http bind :443 ssl crt /path/to/<cert+privkey+intermediate> alpn h2,http/1.1 bind :80 redirect scheme https code 301 if !{ ssl_fc }

# HSTS (63072000 seconds)
http-response set-header Strict-Transport-Security max-age=63072000`
thescratcho commented 2 years ago

sorry for the formating, for the tls config look here:

https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.6

iwalton3 commented 1 year ago

See also: https://github.com/jellyfin/jellyfin-media-player/issues/375