I have had some problems with displaying images and streaming videos from my Roku app recently. After skimming through the network traffic, I figured out that the server is using HTTPS and most of the Roku components implementing ifHttpAgent only allow the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite in TLS (I'm not saying "all of them" because I haven't tested every single component).
This means Roku gives the server no choice but to always use that cipher suite. Is there any reason for such a restricted setting? Does Roku plan to support more cipher suites in the future?
The TLS_RSA_WITH_AES_128_CBC_SHA cipher (or AES128-SHA as OpenSSL calls it) is considered an insecure cipher because its use of CBC encryption makes it vulnerable to the POODLE attack.
Around September, 2014, it was revealed that SSLv3 was vulnerable to such attacks. However, in December, 2014, it was further realized that the POODLE vulnerability also affects certain TLS implementations making them vulnerable as well when CBC ciphers are used. For that reason, many servers have been removing support for CBC ciphers. For example, any server implementing Mozilla's 'Modern' TLS recommended configuration will not accept this cipher.
I'm not surprised that some servers refuse to accept it. I am surprised that it's the ONLY cipher suite negotiated for the Roku UI components (roVideoScreen, etc., but not roUrlTransfer).
This problem has been reported many times before. I have yet to see a single comment by anyone from Roku on these issues, so I have no idea whether it works this way for a reason, whether they plan to change it, or whether they just don't understand what the problem is.
It appears there was a minor change made in the Roku firmware since these problems were reported. Previously, Roku would only negotiate a TLS 1.0 session. However, it now negotiates a TLS 1.2 session. However, it doesn't look like they changed the list of supported ciphers. So if your server or CDN refuses to support AES128-SHA then you're out of luck. Depending on the server configuration, your server may allow you to connect with the "http" rather than the "https" scheme, although that obviously has security implications.
I was a bit surprised that no one has reported the issue about the SSL cipher suite here. But looking at the links in the previous post, this SSL issue looks to be a norm and there's no way Roku is not aware of it. From a developer's perspective, this deserves an explanation from Roku but sadly all we got is complete silence.
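
An added example, not part of the original posts and not Roku code: one way to read the offered cipher suite list out of a captured TLS ClientHello record, which is the check the first post describes doing on network traffic. The two sample handshakes are constructed for illustration (they are not captures from a Roku device), and the function names are hypothetical.

```python
import struct

# IANA code points for a few TLS cipher suites (subset chosen for this example).
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",   # OpenSSL name: AES128-SHA
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV: a signalling value, not a cipher

def offered_suites(record):
    """Return the cipher suite IDs listed in one TLS ClientHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                         # skip client_version and random
    if pos >= len(hello):
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]

def cipher_names(record):
    """Names of the real ciphers offered (SCSV excluded); unknown IDs as hex."""
    return [SUITES.get(s, "0x%04X" % s) for s in offered_suites(record) if s != SCSV]

def build_hello(suites):
    """Constructed sample: minimal TLS 1.2 ClientHello without extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SINGLE = build_hello([0x002F])                       # client with one suite
MIXED = build_hello([0xC02F, 0x009C, 0x002F, SCSV])  # client with several

if __name__ == "__main__":
    for label, rec in (("single", SINGLE), ("mixed", MIXED)):
        print(label, cipher_names(rec))
```

A client whose list contains only TLS_RSA_WITH_AES_128_CBC_SHA cannot complete a handshake with a server that has removed that suite, which is the failure the thread describes.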