playSound/playSound3D TLSv1.2 on internet streams #3012

Open
1 task done
ricksterhd123 opened this issue May 19, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@ricksterhd123
Contributor

Is your feature request related to a problem? Please describe.

I have a free (and open source) cloud-based YouTube to mp3 downloader service with files hosted by a public AWS S3 bucket.

Only MTA:SA user agents are affected. I believe it's stemming from playSound/playSound3D and therefore the BASS audio library (please correct me if I'm wrong). One of the servers, which I am affiliated with, is owned by @Dutchman101 (I believe he has some knowledge about the BASS audio library too).

I recently received an email from AWS as follows (I've redacted any PII):

Hello,

We are reaching out because there are TLS 1.0 or TLS 1.1 connections to Amazon Simple Storage Service (Amazon S3) objects hosted in your account. As AWS is updating the TLS configuration for all AWS API endpoints to a minimum of version TLS 1.2 [1], you must take action as soon as possible for these connections to maintain their access to your S3 objects.

...

Please see the following for S3 buckets in which object-level calls were made over TLS 1.0 or TLS 1.1 connections between April 24, 2023 and May 05, 2023 (the UserAgent may be truncated due to a limit in the number of characters that can be displayed):

Connections details will be in the following format:

Region | Bucket name(s) | APIAction | TLSVersion | NumCalls | UserAgent
us-east-1 | ######################## | REST.GET.OBJECT | TLSv1 | ### | [MTA:SA Server ###.###.###.###:23114 - See http://mtasa.com/agent/]
us-east-1 | ######################## | REST.GET.OBJECT | TLSv1 | ### | [MTA:SA Server ###.###.###.###:22005 - See http://mtasa.com/agent/]

Describe the solution you'd like

As a best practice, we should enforce TLS 1.2 or higher if possible from playSound/playSound3D on internet streams.

Describe alternatives you've considered

For me personally, AWS have suggested I use (CloudFront as) a proxy. This could also work for others whose services have similar problems.

Additional context

I know this is only a problem for myself but I wanted to bring it to your attention. Later down the line, it could become a problem for users that want to use similar services and it might also be related to fetchRemote et al (although I highly doubt it). I do not expect this to get fixed any time soon; however, if I can find a fix myself I will send a PR.

As far as I am aware this poses no security risks, users are simply streaming mp3 music.

Security Policy

  • I have read and understood the Security Policy and this issue is not about a cheat or security vulnerability.
@ricksterhd123 ricksterhd123 added the enhancement New feature or request label May 19, 2023
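To see which clients still need attention, the rows of a notice in the layout quoted above can be totalled per legacy TLS version and per MTA:SA endpoint. This is an added example, not part of the original issue or the MTA:SA code base; the sample rows, bucket name and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the "Region | Bucket | APIAction | TLSVersion | NumCalls |
# UserAgent" layout from the notice; addresses use the RFC 5737 documentation range.
SAMPLE_REPORT = """\
Region | Bucket name(s) | APIAction | TLSVersion | NumCalls | UserAgent
us-east-1 | example-bucket | REST.GET.OBJECT | TLSv1 | 120 | [MTA:SA Server 192.0.2.10:23114 - See http://mtasa.com/agent/]
us-east-1 | example-bucket | REST.GET.OBJECT | TLSv1 | 30 | [MTA:SA Server 192.0.2.10:23114 - See http://mtasa.com/agent/]
us-east-1 | example-bucket | REST.GET.OBJECT | TLSv1.1 | 7 | [MTA:SA Server 192.0.2.20:22005 - See http://mta
us-east-1 | example-bucket | REST.GET.OBJECT | TLSv1.2 | 900 | [MTA:SA Server 192.0.2.30:22003 - See http://mtasa.com/agent/]
us-east-1 | example-bucket | REST.GET.OBJECT | TLSv1 | 5 | curl/7.29.0
us-east-1 | example-bucket | TLSv1
"""

LEGACY_TLS = {"TLSv1", "TLSv1.0", "TLSv1.1"}
# The endpoint survives even when the notice truncates the rest of the user agent.
AGENT_RE = re.compile(r"MTA:SA Server (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_report(text):
    """Yield one dict per well-formed data row; header and short rows are skipped."""
    for line in text.splitlines():
        # maxsplit=5 keeps any '|' inside the user agent in the last field.
        parts = [p.strip() for p in line.split("|", 5)]
        if len(parts) != 6 or not parts[4].isdigit():
            continue
        region, bucket, action, tls, calls, agent = parts
        yield {"region": region, "bucket": bucket, "action": action,
               "tls": tls, "calls": int(calls), "agent": agent}


def legacy_calls_by_client(text):
    """Total calls made below TLS 1.2, keyed by (bucket, TLS version, client)."""
    totals = defaultdict(int)
    for row in parse_report(text):
        if row["tls"] not in LEGACY_TLS:
            continue
        match = AGENT_RE.search(row["agent"])
        # Fall back to the raw user agent for clients that are not MTA:SA.
        client = f"{match.group(1)}:{match.group(2)}" if match else row["agent"]
        totals[(row["bucket"], row["tls"], client)] += row["calls"]
    return dict(totals)


if __name__ == "__main__":
    for key, calls in sorted(legacy_calls_by_client(SAMPLE_REPORT).items()):
        print(key, calls)
```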
@ricksterhd123
Contributor Author

ricksterhd123 commented May 19, 2023

After some reading into this, here's what I found: https://www.un4seen.com/doc/#bass/BASS_CONFIG_LIBSSL.html

By default, BASS will try to use the system's OpenSSL library to handle HTTPS connections.

Could this mean that only some clients are still using TLSv1?

Edit: I see that this line is responsible for setting the user agent:

BASS_SetConfigPtr(BASS_CONFIG_NET_AGENT, (void*)*m_strUserAgent);

@AlexTMjugador
Member

Windows 7 does not negotiate TLS 1.1 or 1.2 by default when using WinHTTP, so if the affected players are running Windows 7, that could be the reason. Microsoft has published a support article with details on how to enable TLS 1.2 support.

If that is the reason, BASS in theory could work around this issue by forcing the set of protocols to negotiate, but not relying on OS defaults in this kind of thing might cause trouble in certain network configurations (for example, if the player has to use a proxy with outdated server software to access the Internet).

@ricksterhd123
Contributor Author

ricksterhd123 commented May 19, 2023 via email

@Dutchman101
Member

I will send an email to the BASS developer (Ian from Un4seen studios) to ask for his thoughts on this. It can be useful, as they are known to optimize compatibility with as many user systems/scenarios as they are able to in their libraries. Wouldn't surprise me if he'll end up adding a specific TLS negotiation mechanism for old OS users.

@ricksterhd123
Contributor Author

ricksterhd123 commented May 19, 2023 via email
