Plex Media Player (and maybe other apps) do not validate the SSL certificate

Server Version#: 1.14.1.5488 (not applicable)
Player Version#: 2.27.0.949 (Mac)

When a valid certificate was issued for the Plex Server and it is expired, Plex clients do still connect to the server, although browsers reject the connection and display that the certificate has expired and that the connection is insecure.

Are you talking about your own cert expiring? Because the plex.tv cert is still valid and all my browsers and clients are connecting securely. Browser reports an active certificate.

I believe Plex uses a CA issued wildcard certificate for communication between clients and your server that’s running on port 32400. Whatever cert you have on port 443 for your server that’s hosting PMS doesn’t come into the equation. Don’t worry about it, it’s one of the advantages of using Plex (as opposed to jumping through hoops to install your own cert in Emby) :sunglasses:

That’s correct. The Plex.tv cert is still valid. However I don’t think Plex sends the media via their servers, so there is a direct connection between my Plex Server and the client. The question is, whether the Plex client retrieves the certificate serial number via Plex.tv services. Can anybody confirm that?

And even if that’s the case, I think that a client that is configured as never fallback to insecure connections should not connect to expired certificates, even if it has been verified in terms of the serial number.

But why would a client fallback to an insecure connection if the cert is valid? The certificate is not expired!

I can tell you that the Plex cert is not a wildcard cert.
It is “pinned” to the FQDN of your server on the .plex.direct subdomain.

See https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/ (and the links therein) for an in-depth explanation.

Hi,
that’s correct but via the Plex subdomain only metadata is exchanged. The actual movie files are sent directly from the Plex server to the client, NOT via .plex.direct.

The question is, whether the Plex App checks the real server certificate’s serial number etc., that is used when streaming.

Untrue. If the plex app says the connection to the server is ‘secure’, it means that the FQDN of your server is used – for all data traffic.
Otherwise no encrypted communication would be possible.

Yes. What I think is that the Client connects like this:

  1. Client contacts Plex.tv and requests the FQDN/IP of Plex Server and the certificate serial number/hash
  2. Client establishes a direct HTTPS connection to the FQDN/IP, validating the certificate against the serial number. That’s the reason why expired certificates work, because the certificate is only checked against the serial number (which is sufficient in this case).

For this to work, the Plex Server sends its certificate serial number to Plex.tv so the client can validate it correctly.

Can anybody confirm this?

There’s a good write up here:

https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/


Thanks. Although that doesn’t 100% explain it, I know how it works now.

When you use your own certificate for Plex and it is valid, Plex will automatically connect to your server via your FQDN.
When you don’t use a certificate for Plex, Plex will create a *.plex.direct certificate for you and clients connect to *.plex.direct.
When you use your own certificate for Plex and it is INVALID (expired), Plex will automatically fall back to the *.plex.direct FQDN.

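To make concrete what a client that never falls back to insecure connections has to do on the direct client-to-server connection discussed in this thread, here is an added Go example. It is not Plex code and is not taken from the linked support article; it issues constructed self-signed certificates in the *.plex.direct wildcard shape and runs a strict TLS client against an in-process server. The hostname 1-2-3-4.abc.plex.direct, the function names and the certificate parameters are assumptions for illustration. The point it shows: with standard validation there is no serial-number shortcut; the validity period and the hostname are checked, so the expired certificate and the name mismatch are both refused and only the valid, matching certificate is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a self-signed certificate for host (wildcards such as
// "*.abc.plex.direct" are allowed) valid from notBefore to notAfter.
// Key and certificate are constructed here for the example only.
func makeCert(host string, notBefore, notAfter time.Time) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// strictHandshake runs a TLS handshake over an in-memory pipe. The server
// presents serverCert; the client trusts only root, requires the certificate
// to be valid for serverName, and has no insecure fallback. The client's
// handshake error is returned (nil means the connection was accepted).
func strictHandshake(serverCert tls.Certificate, root *x509.Certificate, serverName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)

	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()

	// net.Pipe is synchronous: tickets are disabled so the server writes
	// nothing after its handshake flight, which would otherwise block.
	srv := tls.Server(serverConn, &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		SessionTicketsDisabled: true,
	})
	go func() { _ = srv.Handshake() }() // a failure here is also reported on the client side

	cli := tls.Client(clientConn, &tls.Config{
		RootCAs:    pool,
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	})
	return cli.Handshake()
}

// classify reduces the handshake result to the outcome a client UI would act on.
func classify(err error) string {
	var invalid x509.CertificateInvalidError
	var hostname x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hostname):
		return "hostname-mismatch"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	now := time.Now()
	host := "1-2-3-4.abc.plex.direct" // constructed name in the *.plex.direct shape
	valid, validRoot, _ := makeCert("*.abc.plex.direct", now.Add(-time.Hour), now.Add(time.Hour))
	expired, expiredRoot, _ := makeCert("*.abc.plex.direct", now.Add(-48*time.Hour), now.Add(-24*time.Hour))

	fmt.Println("valid cert, matching name:  ", classify(strictHandshake(valid, validRoot, host)))
	fmt.Println("expired cert, matching name:", classify(strictHandshake(expired, expiredRoot, host)))
	fmt.Println("valid cert, wrong name:     ", classify(strictHandshake(valid, validRoot, "media.example.com")))
}
```

The trust anchor is pinned to the one constructed root rather than the system store, which is the property the thread attributes to the .plex.direct scheme: a client that trusts a specific issuer for a specific name still has to enforce the validity period, and an expired certificate is refused before the hostname is even compared.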

Cheers @OttoKerner, that’s interesting. Sorry, I didn’t fully understand how pinning worked before reading up on it just now. I saw the asterisk at the beginning of the .plex.direct cn in the certificate and assumed it was a regular wildcard cert.

I got word from a developer:

  • Many Plex clients are built on web browser engines
  • It is these browser engines which handle the certificate validation. In the case of PMP it is Chromium which does it.
