In case this is of interest to anyone else in the forum, I'm posting about some recent issues that I've come across in getting SSL access working with the ROKU player and my secure webserver.

I'm currently using HostGator to host video content during the channel development phase and for testing. I have a shared business server account there which comes with a free SSL server. Up until February, it was working fine in providing content when the Roku player presented its self-signed certificate (I'd had the Roku CA cert installed in the SSL server to enable client cert verification). By doing this, only genuine Roku players have access to content.

This stopped workin in March; it turns out that OpenSSL has a handshake renegotiation security issue that became known around the end of 2009 and for which a patch was available within the past few months which effectively kills SSL handshake renegotiation. This is an issue because setting up a secure webserver with per-directory client certificate verification requires SSL handshake renegotiation to accomplish this. My ISP (HostGator) had applied a patch in February (without notification) which killed my ability to check client certs since it was being accomplished on a per directory basis. The long term fix for this is to implement the latest version of OpenSSL that includes an advanced TLS implementation that performs secure handshake renegotiation between serverside and client-side.

The latest beta versions of Firefox supports this secure negotiation but I doubt that the CURL-based library that Roku uses does, and I have requested that secure negotiation be integrated within the firmware ASAP.

Greg