Change the cipher suite used for HTTPS connections?

jdye06 · April 7, 2016, 11:19pm

It seems that with the new HTTPS support in Plex, it is using Diffie-Hellman (DHE for Ephemeral Diffie-Hellman) protocol for session key exchange (please, please correct me if I am wrong). Is there any possible way to change the cipher suite to one of the below?

The reason I ask is I am attempting to do SSL Inbound decryption on my firewall (Palo Alto Networks) to take a peek inside the SSL tunnel to identify the traffic that is inside the SSL/TLS tunnel. (Better layer 7 control on FW as well as scanning for possible malware, etc)

RSA-AES256-CBC-SHA Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
RSA-AES128-CBC-SHA Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
RSA-3DES-EDE-CBC-SHA Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
RSA-RC4-128-MD5 Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
RSA-RC4-128-SHA Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

More info on my issue: https://live.paloaltonetworks.com/t5/Management-Articles/Sessions-Matching-Inbound-Inspection-Decryption-Rule-Fail-to-be/ta-p/54662

ChuckPa · April 7, 2016, 11:49pm

Are you asking Plex to change so you CAN do deeper packet inspection by decryption?

jdye06 · April 8, 2016, 1:59pm

Yes. I want to do deeper packet inspection. But I wouldn’t say that I am asking Plex to change it, but rather just asking if
A. It is a current possibility to change what cipher suite it uses
or
B. Is it possible to have the capability to select cipher suite in the future.

ChuckPa · April 8, 2016, 2:06pm

Thank you for clarifying.

It is not possible for a user to change the suite because the other end of the connection is the Plex Cloud and the rules for connecting to it are VERY strict. Without the source code and keys to the Plex kingdom, you can’t do it.

For a long time, users were complaining Plex wasn’t secure enough so it was made more secure. You’re asking how to make it less secure so you can dig into the packets for whatever reason(s) you might have.

If you are on a corporate or other type LAN and the use of Plex is a problem for you, I respectfully suggest you simply block it as that is the only real way of knowing what is and isn’t happening.

jdye06 · April 8, 2016, 9:04pm

The other end of the communication should be directly to the client, and as I am using my own certificate on the server, I own the key for it so I can decrypt that session if need be. (That is, if the local Plex Server was not negotiating a DH cipher suite)

My understanding is that plex cloud is just a connection broker and should be redirecting clients connecting to the link that I have provided on my custom certificate.

ChuckPa · April 8, 2016, 9:42pm

If you install your certs in your proxy, you will have the best which can be had. Anything else on Plex’s part exposes all other Plex users to security issues. What you do inside your proxy is for you to decide.

Topic		Replies	Views
OpenVAS Scan -> SSL/TLS: Report Vulnerable Cipher Suites for HTTPS General Discussions	8	2091	January 8, 2020
SSL/TLS Content Inspection with Remote Access Remote Access server-qnap , networking	36	1351	August 27, 2019
HTTPS option for plex server Feature Suggestions	5	71	June 10, 2021
Request support for enhanced SSL controls Feature Suggestions	9	106	August 25, 2015
Suggestion: Enable Cloudflare ECH for Enhanced Security Feature Suggestions	1	24	January 1, 2025

Change the cipher suite used for HTTPS connections?

Related topics