jedashford
Topic Author
Posts: 88
Joined: Thu Feb 26, 2015 3:39 pm

Certs not accepted?

Wed Apr 15, 2015 7:06 pm

We have some of our HLS clips coming from an https server that Roku just doesn't like. See error below. It works on all platforms (multiple desktop browsers, Android web/native, iPhone/iPad), but I'm unable to get the Roku to accept a connection to this server. I've tried all that I know how to do. Any hints from the community?

Video object config:
video.SetCertificatesFile("common:/certs/ca-bundle.crt")
video.AddHeader("X-Roku-Reserved-Dev-Id", "")
video.InitClientCertificates()
video.SetCertificatesDepth(3)

Error:

GetMessage: Download segment info
Unknown event: 31 msg: Download segment info
GetType: 21
typeName: roSystemLogEvent
GetInfo: Status: handshakefailed
LogType: http.error

TargetIp: 54.230.7.106
HttpCode: -1
Datetime: <Component: roDateTime>
OrigUrl: https://loadbalancer.vidangel.com/strea ... 1429116106
Url: https://loadbalancer.vidangel.com/strea ... 1429116106
Method: GET
 
TheEndless
** Valued Community Member **
Posts: 9231
Joined: Mon Oct 04, 2004 10:15 am
Location: US

Re: Certs not accepted?

Wed Apr 15, 2015 7:44 pm

Why are you setting the certificates depth? Was that just something you tried?

There's also no need to add the dev ID header (unless you're using it for something on your server) nor init the client certificates, but neither of those would cause the problem you're seeing. In firmware 6.1, they added a Heartbleed fix that broke SSL connections to any server that doesn't support TLS 1.1, which could potentially be the issue here. Unfortunately, I'm not experienced enough with that side of things to know how to test if that's the case or not.
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
 
jedashford
Topic Author
Posts: 88
Joined: Thu Feb 26, 2015 3:39 pm

Re: Certs not accepted?

Wed Apr 15, 2015 8:49 pm

I appreciated the response. I've added those extras on the connection for testing. I believe they were required for some of our other https connections, but this video player with this specific server just doesn't want to play nice.
 
belltown
Posts: 1465
Joined: Thu Dec 09, 2010 1:43 pm

Re: Certs not accepted?

Thu Apr 16, 2015 12:02 am

You could enable tcpdump on your Roku, run your test again, download the log file from your Roku to your PC, then examine the TLS handshaking sequence using Wireshark.

One possibility is that the Roku is only announcing support for TLS 1.0 when requesting videos with roVideoScreen, and the server is refusing to fulfill the connection if it requires that the client support TLS 1.2. I posted about a similar issue here: http://forums.roku.com/viewtopic.php?p=483874&sid=f9b2c289420f07dcda53ae75bd8c5b0a#p483912. In that case, I noticed that if a resource was requested using roUrlTransfer, then the Roku negotiated the use of TLS 1.2. However, if the same resource was requested using some of the built-in UI components (roPosterScreen, roSlideshow, etc.), then the Roku only negotiated use of TLS 1.0. Some CDNs seemed okay with that; others were not. I postulated that in certain cases the Roku was only supporting TLS 1.0, and asked for a response from a Roku person. No-one responded, however. It may be that your issue is related to the recent changes in the Roku TLS code.

In the meantime, try requesting the same video, except using "http" instead of "https".
https://github.com/belltown/
 
jedashford
Topic Author
Posts: 88
Joined: Thu Feb 26, 2015 3:39 pm

Re: Certs not accepted?

Sun Apr 19, 2015 12:58 pm

Thanks for the help. I'll try the tcpdump and examine. By law we need to protect our streams, so http doesn't really work. It does work though with http instead of https.
 
wpinkman
Posts: 36
Joined: Mon Sep 09, 2013 10:36 am
Location: Silicon Valley

Re: Certs not accepted?

Mon Apr 20, 2015 3:06 pm

Thanks @belltown for referencing the earlier post. I patched my channel by doing a string replace of "https" with "http" for the CDN URLs (Instagram/Facebook CDN in my case), but I've been nervous ever since that this will stop working since it relies on the CDN allowing HTTP which could change over time and would totally break my channel.

I hope this issue will get addressed by someone at Roku.
--andy (channel: Rokagram)
 
belltown
Posts: 1465
Joined: Thu Dec 09, 2010 1:43 pm

Re: Certs not accepted?

Tue Apr 21, 2015 1:41 am

I took a quick look at the difference between the TLS handshaking used by roVideoScreen and roUrlTransfer. It appears that, like the other built-in components: roPosterScreen, roSlideshow, roImageCanvas, etc., roVideoScreen also will only negotiate a TLS session using TLS 1.0, whereas an attempt to retrieve the same resource using roUrlTransfer will be negotiated to use TLS 1.2.

Here's a Wireshark capture taken when retrieving a video using roVideoScreen:

Image

And another capture retrieving the same video file using roUrlTransfer:

Image

I set up my own server to use "strong" TLS encryption, refusing connections from clients that only support TLS 1.0 and got the same "handshakefailed" error reported by jedashford in his initial post, even though I could download the video successfully using roUrlTransfer:

------ Running ------
00:56:15.266  Starting ..
00:56:15.577  playVideo. roSystemLogEvent [21]-LogType=http.error. Datetime: 00:56:15.575
00:56:15.578  >     Url:              https://videos.nsa.mil/Videos/video-5secs.mp4
00:56:15.580  >     Status:           handshakefailed
00:56:15.597  >     HttpCode:         -1
00:56:15.598  >     Method:           GET
00:56:15.600  >     TargetIp:         192.168.0.100
00:56:15.603  >     OrigUrl:          https://videos.nsa.mil/Videos/video-5secs.mp4
00:56:15.744  playVideo. roVideoScreenEvent [11]-isStatusMessage. Message: Unspecified or invalid track path/url.
00:56:15.748  playVideo. roVideoScreenEvent [9]-isRequestFailed. Message: Index: -5. MediaFormat: ???
00:56:15.778  playVideo. roVideoScreenEvent [1]-isScreenClosed
00:56:15.781  Finished


It seems to me that there's something messed up with the Roku's TLS code as it pertains to the built-in components.

It looks like some CDNs are requiring their clients to connect using TLS 1.2 possibly due to the various security vulnerabilities discovered in earlier SSL/TLS versions, but this is not supported by the Roku's built-in components.

It's been almost a month since I first reported this issue, and there's been not a single word from anyone at Roku even acknowledging that they're even aware of the problem. I'm surprised. Most companies take security issues seriously these days once they're notified of a potential problem in their security protocols.
https://github.com/belltown/
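
Added example, not part of the original thread and not belltown's or Roku's code: when reading a tcpdump capture as suggested above, the field that decides the outcome is `ClientHello.client_version`, not the record-layer version in front of it. The sketch below parses that field from a constructed ClientHello and applies a server-side minimum; it assumes a pre-TLS 1.3 handshake, and `build_client_hello`, `client_version` and `diagnose` are hypothetical helper names.

```python
import struct

VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def build_client_hello(version):
    """Constructed sample input: a minimal ClientHello offering `version`."""
    body = bytes(version) + bytes(32)   # client_version + 32-byte random (zeros here)
    body += b"\x00"                     # empty session_id
    body += b"\x00\x02\x00\x2f"         # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                 # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # The record-layer version often stays at 3.1 whatever the hello offers,
    # so it must not be mistaken for the offered version.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_version(record):
    """Return (major, minor) from ClientHello.client_version."""
    if len(record) < 11:
        raise ValueError("truncated record")
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return record[9], record[10]

def diagnose(record, server_minimum=(3, 3)):
    """Say whether a server enforcing `server_minimum` can complete the handshake."""
    offered = client_version(record)
    name = VERSIONS.get(offered, "unknown %d.%d" % offered)
    if offered < server_minimum:
        return "client offers at most %s: below server minimum %s, handshake fails" % (
            name, VERSIONS[server_minimum])
    return "client offers up to %s: version is acceptable" % name

if __name__ == "__main__":
    # Versions as reported in the thread for the two request paths.
    for label, ver in (("roVideoScreen", (3, 1)), ("roUrlTransfer", (3, 3))):
        print(label, "->", diagnose(build_client_hello(ver)))
```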
 
wpinkman
Posts: 36
Joined: Mon Sep 09, 2013 10:36 am
Location: Silicon Valley

Re: Certs not accepted?

Tue Apr 21, 2015 1:21 pm

That looks pretty authoritative to me. I hope there's a fix or a workaround forthcoming. I suspect over time there will be more and more problems as various services tighten up their security.
--andy (channel: Rokagram)
 
bosborne
Posts: 141
Joined: Wed Jun 06, 2012 10:42 am

Re: Certs not accepted?

Tue Feb 23, 2016 4:30 pm

Can we get someone from Roku to weigh in on this? I am experiencing this exact issue. This was a total PITA to debug because some things work (roUrlTransfers) and others do not (roPosterScreen).
 
jedashford
Topic Author
Posts: 88
Joined: Thu Feb 26, 2015 3:39 pm

Re: Certs not accepted?

Thu Apr 14, 2016 10:42 am

This is a security bug for us since we need to use http for our Roku customers. Would love some more info on a workaround.
 
bosborne
Posts: 141
Joined: Wed Jun 06, 2012 10:42 am

Re: Certs not accepted?

Sat May 21, 2016 1:46 pm

Bump, hoping to get someone from Roku to weigh in
 
RokuIsrar
Roku Engineering
Posts: 3
Joined: Tue May 12, 2015 3:17 pm

Re: Certs not accepted?

Fri Jun 10, 2016 3:50 pm

This thread is pretty old. This issue was fixed in OS release 6.2.
 
bosborne
Posts: 141
Joined: Wed Jun 06, 2012 10:42 am

Re: Certs not accepted?

Thu Jun 16, 2016 9:47 am

I just replied to an email Joel sent me asking if I still had an issue. I sent him some sample code that demonstrates the problem still exists for me.
 
hugetv
Posts: 270
Joined: Sun Sep 07, 2014 10:13 pm
Location: US

Re: Certs not accepted?

Tue Jun 21, 2016 2:34 pm

there will be no solution to this because I too like going on
Our system http://www.rokumanager.com
 
RokuJoel
Posts: 1758
Joined: Mon Nov 14, 2011 5:22 pm

Re: Certs not accepted?

Fri Jul 01, 2016 3:30 pm

Response from Engineering:

Engineering wrote:
OK I found the problem. The certificate hostname comparison check on Roku OS components is case sensitive, so SSL handshake was failing in case of Roku OS components. However roUrlTransfer (curl) was ignoring case.

The developer can work around this issue by using same host name in URL as in cert... i.e. Servername instead of servername. I have verified this.



- Hope that helps

- Joel
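
Added example, not part of the original thread and not Roku's code: DNS names compare case-insensitively, so a certificate name check should fold case before matching. The sketch below implements the match both ways and lists the content URLs whose host matches a certificate name only when case is ignored, which are the ones that need the workaround quoted above. The function names, certificate names and URLs are constructed for illustration, and IPv6 literals are not handled.

```python
from urllib.parse import urlsplit

def match_hostname(cert_name, url_host, case_sensitive=False):
    """Match a URL host against one certificate DNS name.

    Supports a wildcard only as the whole left-most label, covering one label.
    """
    if not case_sensitive:
        cert_name, url_host = cert_name.lower(), url_host.lower()
    cert = cert_name.rstrip(".").split(".")
    host = url_host.rstrip(".").split(".")
    if len(cert) != len(host) or not all(host):
        return False
    if cert[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(cert) >= 3 and cert[1:] == host[1:]
    return cert == host

def urls_needing_exact_case(cert_names, urls):
    """Return URLs that pass a case-insensitive check but fail a case-sensitive one."""
    flagged = []
    for url in urls:
        # netloc keeps the case as written; urlsplit(...).hostname would lowercase it.
        host = urlsplit(url).netloc.rpartition("@")[2].partition(":")[0]
        loose = any(match_hostname(c, host) for c in cert_names)
        strict = any(match_hostname(c, host, case_sensitive=True) for c in cert_names)
        if loose and not strict:
            flagged.append(url)
    return flagged

# Constructed sample data: names as they might appear in a certificate's SAN list,
# and stream URLs as a channel might request them.
SAMPLE_CERT_NAMES = ["Media.example.com", "*.cdn.example.com"]
SAMPLE_URLS = [
    "https://media.example.com/hls/a.m3u8",
    "https://Media.example.com/hls/a.m3u8",
    "https://edge1.CDN.example.com:443/seg1.ts",
    "https://other.example.net/seg1.ts",
]

if __name__ == "__main__":
    for url in urls_needing_exact_case(SAMPLE_CERT_NAMES, SAMPLE_URLS):
        print("host case differs from certificate:", url)
```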
