Why are you setting the certificates depth? Was that just something you tried?

There's also no need to add the dev ID header (unless you're using it for something on your server) nor init the client certificates, but neither of those would cause the problem you're seeing. In firmware 6.1, they added a heartbleed fix that broke SSL connections to any server that doesn't support TLS 1.1, which could potentially be the issue here. Unfortunately, I'm not experienced enough with that side of things to know how to test if that's the case or not.

I appreciated the response. I've added those extras on the connection for testing. I believe they were required for some of our other https connections, but this video player with this specific server just dont want to play nice.

You could enable tcpdump on your Roku, run your test again, download the log file from your Roku to your PC, then examine the TLS handshaking sequence using Wireshark.

One possibility is that the Roku is only announcing support for TLS 1.0 when requesting videos with roVideoScreen, and the server is refusing to fulfill the connection if it requires that the client support TLS 1.2. I posted about a similar issue here: http://forums.roku.com/viewtopic.php?p=483874&sid=f9b2c289420f07dcda53ae75bd8c5b0a#p483912. In that case, I noticed that if a resource was requested using roUrlTransfer, then the Roku negotiated the use of TLS 1.2. However, if the same resource was requested using some of the built-in UI components (roPosterScreen, roSlideshow, etc.), then the Roku only negotiated use of TLS 1.0. Some CDNs seemed okay with that; others were not. I postulated that in certain cases the Roku was only supporting TLS 1.0, and asked for a response from a Roku person. No-one responded, however. It may be that your issue is related to the recent changes in the Roku TLS code.

In the meantime, try requesting the same video, except using "http" instead of "https".

Thanks for the help. I'll try the tcpdump and examine. By law we need to protect our streams, so http doesn't really work. It does work though with http instead of https.

Thanks @belltown for referencing the earlier post. I patched my channel by doing a string replace of "https" with "http" for the CDN URLs (Instagram/Facebook CDN in my case), but I've been nervous ever since that this will stop working since it relies on the CDN allowing HTTP which could change over time and would totally break my channel.

I hope this issue will get addressed by someone at Roku.

I took a quick look at the difference between the TLS handshaking used by roVideoScreen and roUrlTransfer. It appears that, like the other built-in components: roPosterScreen, roSlideshow, roImageCanvas, etc., roVideoScreen also will only negotiate a TLS session using TLS 1.0, whereas an attempt to retrieve the same resource using roUrlTransfer will be negotiated to use TLS 1.2.

Here's a Wireshark capture taken when retrieving a video using roVideoScreen:



And another capture retrieving the same video file using roUrlTransfer:



I set up my own server to use "strong" TLS encryption, refusing connections from clients that only support TLS 1.0 and got the same "handshakefailed" error reported by jedashford in his initial post, even though I could download the video successfully using roUrlTransfer:

------ Running ------
00:56:15.266  Starting ..
00:56:15.577  playVideo. roSystemLogEvent [21]-LogType=http.error. Datetime: 00:56:15.575
00:56:15.578  >     Url:              https://videos.nsa.mil/Videos/video-5secs.mp4
00:56:15.580  >     Status:           handshakefailed
00:56:15.597  >     HttpCode:         -1
00:56:15.598  >     Method:           GET
00:56:15.600  >     TargetIp:         192.168.0.100
00:56:15.603  >     OrigUrl:          https://videos.nsa.mil/Videos/video-5secs.mp4
00:56:15.744  playVideo. roVideoScreenEvent [11]-isStatusMessage. Message: Unspecified or invalid track path/url.
00:56:15.748  playVideo. roVideoScreenEvent [9]-isRequestFailed. Message: Index: -5. MediaFormat: ???
00:56:15.778  playVideo. roVideoScreenEvent [1]-isScreenClosed
00:56:15.781  Finished

It seems to me that there's something messed up with the Roku's TLS code as it pertains to the built-in components.

It looks like some CDNs are requiring their clients to connect using TLS 1.2 possibly due to the various security vulnerabilities discovered in earlier SSL/TLS versions, but this is not supported by the Roku's built-in components.

It's been almost a month since I first reported this issue, and there's been not a single word from anyone at Roku even acknowledging that they're even aware of the problem. I'm surprised. Most companies take security issues seriously these days once they're notified of a potential problem in their security protocols.

That looks pretty authoritative to me. I hope there's a fix or a workaround forthcoming. I suspect over time there will be more and more problems as various services tighten up their security.

Can we get someone from Roku to weigh in on this? I am experiencing this exact issue. This was a total PITA to debug because some things work (roUrlTransfers) and others do not (roPosterScreen).

This is a security bug for us since we need to use http for our Roku customers. Would love some more info on a work around.