The TLS_RSA_WITH_AES_128_CBC_SHA cipher (or AES128-SHA as OpenSSL calls it) is considered an insecure cipher because its use of CBC encryption makes it vulnerable to the POODLE attack.
Around September, 2014, it was revealed that SSLv3 was vulnerable to such attacks. However, in December, 2014, it was further realized that the POODLE vulnerability also affects certain TLS implementations making them vulnerable as well when CBC ciphers are used. For that reason, many servers have been removing support for CBC ciphers. For example, any server implementing Mozilla's
'Modern' TLS recommended configuration will not accept this cipher.
I'm not surprised that some servers refuse to accept it. I am surprised that it's the ONLY cipher suite negotiated for the Roku UI components (roVideoScreen, etc, but not roUrlTransfer).
This problem has been reported many times before. I have yet to see a single comment by anyone from Roku on these issues, so I have no idea whether it works this way for a reason, whether they plan to change it, or whether they just don't understand what the problem is.
http://forums.roku.com/viewtopic.php?f=34&t=85897http://forums.roku.com/viewtopic.php?f=34&t=84701http://forums.roku.com/viewtopic.php?p=487211http://forums.roku.com/viewtopic.php?p=503280It appears there was a minor change made in the Roku firmware since these problems were supported. Previously, Roku would only negotiate a TLS 1.0 session. However, it now negotiates a TLS 1.2 session. However, it doesn't look like they changed the list of supported ciphers. So if your server or CDN refuses to support AES128-SHA then you're out of luck. Depending on the server configuration, your server may allow you to connect with the "http" rather than the "https" scheme, although that obviously has security implications.
Roku, any comment??
