Forum Discussion
RokuTomC
6 years ago · Community Moderator
Good question, thanks for asking.
The common:/certs/ca-bundle.crt file does currently contain the cert which is expiring. We may deploy a patch Roku OS 9.3 update which removes this cert, but there are no commitments just yet and you should not rely on this from Roku.
The main urgency is around fixing the cert in your servers. In our internal testing, we did not encounter major issues when the cert was included client-side.
So, while there is a non-zero risk of your channels being impacted if they’re using our common cert bundle file, the risk is low.
RokuTomC
6 years ago · Community Moderator
The following links may be useful references:
https://ohdear.app/blog/resolving-the-addtrust-external-ca-root-certificate-expiration
- OddScott · 6 years ago · Roku Guru
Tom,
I'm seeing this issue with a 3rd-party CDN. I'm a bit confused because the script that you provided does not indicate that the CDN is using the AddTrust certificate:

    verify depth is 5
    depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    verify return:1
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = cdn2.instanttvchannel.com
    verify return:1
    DONE
Here's an example URL. The SSL version no longer works on the Roku platform, but it does work correctly in current browsers.

I have two questions:

1) The suggested roUrlTransfer.EnablePeerVerification(False) workaround seems to only affect that particular instance of roUrlTransfer instead of being a system-wide setting. Can you provide a specific example of how roUrlTransfer is used to prevent Video nodes from failing to verify certificates for SSL stream URLs?

2) If I understand the UC Berkeley advisory correctly, OpenSSL 1.0.0 currently used in Roku OS has "broken certificate path validation logic". I believe this is what you are referring to when you mentioned that Roku OS will have a handshake failure under certain circumstances. In addition to updating the certificates list, are there plans to update Roku OS to use the current stable version 1.1.1 of OpenSSL sometime in the very near future?

Thanks,
Scott Musser
Instant TV Channel
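
An added example, not part of the thread and not Roku's script: `depth=N ... verify return:1` lines show the path the checking client built, while the certificates a server actually sends appear under `Certificate chain` in `openssl s_client -showcerts` output. The Python below parses that section and flags any sent certificate naming the AddTrust root; the sample output and the host name `cdn.example.test` are constructed, and the function names are this example's own.

```python
import re
import sys

EXPIRED_ROOT_CN = "AddTrust External CA Root"

# Constructed sample of s_client output (not captured from any real host).
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = cdn.example.test
   i:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, CN = AddTrust External CA Root
---
Server certificate
"""

def sent_chain(s_client_output):
    """Return [(index, subject, issuer)] for each certificate the server sent."""
    chain, in_chain, current = [], False, None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":  # end of section; PEM "-----BEGIN" lines do not match
            break
        m = re.match(r"\s*(\d+)\s+s:\s*(.*)", line)
        if m:  # " 0 s:<subject>" starts a new entry
            current = [int(m.group(1)), m.group(2).strip(), ""]
            chain.append(current)
            continue
        m = re.match(r"\s+i:\s*(.*)", line)
        if m and current:  # "   i:<issuer>" belongs to the entry above it
            current[2] = m.group(1).strip()
    return [tuple(c) for c in chain]

def addtrust_links(s_client_output):
    """Indexes of sent certificates whose subject or issuer names the AddTrust root."""
    return [i for i, subj, iss in sent_chain(s_client_output)
            if EXPIRED_ROOT_CN in subj or EXPIRED_ROOT_CN in iss]

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    flagged = addtrust_links(data)
    for i, subj, iss in sent_chain(data):
        print(f"{i} s:{subj}\n  i:{iss}" + ("   <-- AddTrust" if i in flagged else ""))
```

Run it with no input to see the constructed sample, or pipe real `openssl s_client -connect host:443 -showcerts </dev/null` output into it.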