Help

Roku Developer Program

Join our online forum to talk to Roku developers and fellow channel creators. Ask questions, share tips with the community, and find helpful resources.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
zepvn
Visitor
‎01-05-2016 03:39 AM

Lacking of supported SSL/TLS cipher suites

I got some problem with displaying images and streaming videos from my Roku app recently. After skimming through the network traffic, I figured out that the server is using HTTPS and most of the Roku components implementing ifHttpAgent only allow TLS_RSA_WITH_AES_128_CBC_SHA cipher suite in TLS (I'm not saying "all of them" because I haven't tested every single component).

This means Roku gives the server no choice but to always use that cipher suite. Is there any reason for such restricted setting ? Does Roku plan to support more cipher suite in the future ?
0 Kudos
Reply
3 REPLIES 3
belltown
Roku Guru
‎01-05-2016 10:04 PM

Re: Lacking of supported SSL/TLS cipher suites

The TLS_RSA_WITH_AES_128_CBC_SHA cipher (or AES128-SHA as OpenSSL calls it) is considered an insecure cipher because its use of CBC encryption makes it vulnerable to the POODLE attack.

Around September, 2014, it was revealed that SSLv3 was vulnerable to such attacks. However, in December, 2014, it was further realized that the POODLE vulnerability also affects certain TLS implementations making them vulnerable as well when CBC ciphers are used. For that reason, many servers have been removing support for CBC ciphers. For example, any server implementing Mozilla's 'Modern' TLS recommended configuration will not accept this cipher.

I'm not surprised that some servers refuse to accept it. I am surprised that it's the ONLY cipher suite negotiated for the Roku UI components (roVideoScreen, etc, but not roUrlTransfer).

This problem has been reported many times before. I have yet to see a single comment by anyone from Roku on these issues, so I have no idea whether it works this way for a reason, whether they plan to change it, or whether they just don't understand what the problem is.

http://forums.roku.com/viewtopic.php?f=34&t=85897
http://forums.roku.com/viewtopic.php?f=34&t=84701
http://forums.roku.com/viewtopic.php?p=487211
http://forums.roku.com/viewtopic.php?p=503280

It appears there was a minor change made in the Roku firmware since these problems were supported. Previously, Roku would only negotiate a TLS 1.0 session. However, it now negotiates a TLS 1.2 session. However, it doesn't look like they changed the list of supported ciphers. So if your server or CDN refuses to support AES128-SHA then you're out of luck. Depending on the server configuration, your server may allow you to connect with the "http" rather than the "https" scheme, although that obviously has security implications.

Roku, any comment??
0 Kudos
Reply
zepvn
Visitor
‎01-07-2016 01:44 AM

Re: Lacking of supported SSL/TLS cipher suites

I was a bit suprised that no one has reported the issue about SSL cipher suite here. But looking at the links in previous post, this SSL issue looks to be a norm and there's no way Roku is not aware of it.
From a developer's perspective, this deserves an explanation from Roku but sadly all we got is complete silence.
0 Kudos
Reply
mbenedict261
Channel Surfer
‎05-24-2024 04:14 PM

Re: Lacking of supported SSL/TLS cipher suites

Roku development is a joke. I have this same issue now and there's literally so little information and community, I'm not sure how people are still using this. 

0 Kudos
Reply
Need Assistance?
Welcome to the Roku Community! Feel free to search our Community for answers or post your question to get help.

Become a Roku Streaming Expert!

Share your expertise, help fellow streamers, and unlock exclusive rewards as part of the Roku Community. Learn more.