As of today RC4-MD5 has stopped working for all my news servers

Get help, report and discuss bugs.
hugbug
Developer & Admin
Posts: 7645
Joined: 09 Sep 2008, 11:58
Location: Germany

Re: As of today RC4-MD5 has stopped working for all my news servers

Post by hugbug » 28 Feb 2019, 15:37

Previous versions of linuxserver container were installing nzbget installer (from nzbget home page) inside docker container. So basically you were having official nzbget inside docker. Recently they have changed their container and now they build (compile) nzbget inside container. This has wide-reaching consequenses.

sanderj
Posts: 184
Joined: 10 Feb 2014, 21:46

Re: As of today RC4-MD5 has stopped working for all my news servers

Post by sanderj » 28 Feb 2019, 18:57

From the Dockerfile (https://github.com/linuxserver/docker-n ... Dockerfile):

Code: Select all

git clone https://github.com/nzbget/nzbget.git 
Wow, they use the git version? So not a release nor a beta/test, but anything that was committed/pushed.

Wow ... :roll:

sanderj
Posts: 184
Joined: 10 Feb 2014, 21:46

Re: As of today RC4-MD5 has stopped working for all my news servers

Post by sanderj » 28 Feb 2019, 19:19

FWIW:

RC4, MD5 are on the same list as TLS1 and TLS1.1 ... the DO NOT USE list.

  • Wikipedia: "multiple vulnerabilities have been discovered in RC4".
  • PCI SSC / PCI DSS: "Additionally, use of weak cipher suites or unapproved algorithms – e.g., RC4, MD5, and others – is not allowed."
  • CVE: "The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext."
So maybe stop using it if you want a secure connection.

snolly
Posts: 8
Joined: 07 Jun 2016, 08:04

Re: As of today RC4-MD5 has stopped working for all my news servers

Post by snolly » 28 Feb 2019, 19:22

I know that it is not that secure but come on for hiding usenet traffic from the isp is more than enough. And it's fast as well.

What is the fastest secure cipher that I could use?

hugbug
Developer & Admin
Posts: 7645
Joined: 09 Sep 2008, 11:58
Location: Germany

Re: As of today RC4-MD5 has stopped working for all my news servers

Post by hugbug » 28 Feb 2019, 19:32

snolly wrote:
28 Feb 2019, 19:22
Wow, they use the git version? So not a release nor a beta/test, but anything that was committed/pushed.
There is a checkout command later to switch to certain version, the latest stable by default.

Nonetheless code repository isn't meant for distribution, they should download source tarballs from releases area.
snolly wrote:
28 Feb 2019, 19:22
What is the fastest secure cipher that I could use?
Do you have performance issues with default (empty) cipher?

bradyrtech
Posts: 1
Joined: 01 Mar 2019, 01:42

Re: As of today RC4-MD5 has stopped working for all my news servers

Post by bradyrtech » 01 Mar 2019, 01:47

I also ran into this issue with the RC4-MD5 cipher. Running NZBGet in a docker container.

tl;dr -- i changed the cipher to AES256-SHA in NZBGet and it works like a charm. fwiw, this is with easynews and usenetbucket news servers.

I didn't notice any negatives switching from RC4-MD5 to AES256-SHA...

thanks and hope it helps anyone out there.

-ryan

Post Reply

Who is online

Users browsing this forum: No registered users and 51 guests