Help

Roku Developer Program

Join our online forum to talk to Roku developers and fellow channel creators. Ask questions, share tips with the community, and find helpful resources.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mjnewman
Visitor
‎01-13-2015 10:10 AM

roUrlTransfer & SetCertificatesFile

Hello!

I'm working with the sample code urlUtils.brs and attempting to load a JSON file over HTTPS.

obj = CreateObject("roUrlTransfer")
obj.SetPort(CreateObject("roMessagePort"))
obj.SetCertificatesFile("common:/certs/ca-bundle.crt")
obj.AddHeader("X-Roku-Reserved-Dev-Id", "")
obj.InitClientCertificates()	
obj.AddHeader("Content-Type", "application/x-www-form-urlencoded")
obj.EnableEncodings(true)
obj.EnableFreshConnection(true)
obj.SetUrl(url)


It appears our server is properly configured with HTTPS and is working in FireFox, CURL, and openssl.

When attempting PostFromString(request as String) we're receiving the -35 error with the following message:

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I've tried a variety of certificates including the common:/certs/ca-bundle.crt as well as our own PEM file. All yield the same error and the connection does work over HTTP.

I've also confirmed our PEM file can validate when issuing a direct curl with the command: curl --cacert cert.pem https://##url.com##/roku/login (not the actual URL, just a placeholder for reference). The connection still does not work when the PEM is included within the App: obj.SetCertificatesFile("pkg:/ssl/cert.pem")

As a test, I've downgraded our server to allow SSLV3 connections. This works directly when issuing the command via curl: curl -v -3 https://##url.com## (not the actual URL, just a placeholder for reference) – The Roku is still throwing the same -35 error.

Additionally, does the Roku cache URLs and DNS? We've spun up a number of test URLs and instances and are attempting various server configuration changes and want to be sure the Roku is making connections that are not cached. I've tried turning off the power, reinstalling the App and also resetting to the default factory connection.

Does anyone have a solution or can point out what I am doing wrong? Any insight or help would be greatly appreciated.
0 Kudos
Reply
10 REPLIES 10
TheEndless
Channel Surfer
‎01-13-2015 11:06 AM

Re: roUrlTransfer & SetCertificatesFile

Not recommended as a long term solution, but have you tried ifUrlTransfer.EnablePeerVerification(False) and/or ifUrlTransfer.EnableHostVerification(False)? I'm not sure where your cert came from, but I've needed to disable verification for self-signed certs.
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos
Reply
mjnewman
Visitor
‎01-13-2015 11:27 AM

Re: roUrlTransfer & SetCertificatesFile

Thank you – I just added both in and unfortunately still receiving the same error.

I've got it working with the original code and loading data from another server that's running Apache2 with TLS1.2:

TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

We're working to upgrade our primary server, which is TLS1.0 and still not working with the Roku App, to see if that is indeed the issue:

TLS 1.0 connection using TLS_RSA_WITH_RC4_128_SHA


I don't believe I can set the SSL version on the Roku (at least that I've found) as that might be one way around this.
0 Kudos
Reply
TheEndless
Channel Surfer
‎01-13-2015 11:59 AM

Re: roUrlTransfer & SetCertificatesFile

What firmware version are you running on the Roku you're testing with?
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos
Reply
mjnewman
Visitor
‎01-13-2015 12:14 PM

Re: roUrlTransfer & SetCertificatesFile

Model: 4200X - Roku 3
Software Version: 6.1 - Build 5517
Firmware: Roku/DVP-5.6 (045.06E00060A)
0 Kudos
Reply
TheEndless
Channel Surfer
‎01-13-2015 12:19 PM

Re: roUrlTransfer & SetCertificatesFile

"mjnewman" wrote:
Model: 4200X - Roku 3
Software Version: 6.1 - Build 5517
Firmware: Roku/DVP-5.6 (045.06E00060A)

I believe there was a Heartbleed fix in 6.1 that could be the cause of your problem. I had a similar issue with one of my clients that required them to update their servers to support TLS 1.2.
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos
Reply
mjnewman
Visitor
‎01-13-2015 12:25 PM

Re: roUrlTransfer & SetCertificatesFile

Thank you – That definitely makes sense.

I just reset a Dev server to accept SSLv3 and factory reset the Roku. It was able to connect.

Obviously running the server on SSLv3 is a no-go and we'll be upgrading to TLS 1.2.

I was enabling "fresh connections" and have been incrementing the App build versions while making adjustments on the server. None of which appeared to be recognized by the Roku.

It looks like the factory reset cleared things out, but do you know if this is standard on the Roku? Once we upgrade to TLS 1.2, will I need to factory reset all of our test devices? Powering down the Roku and restarting didn't seem to work.

Thank you again for you help on this – It's very much appreciated.
0 Kudos
Reply
TheEndless
Channel Surfer
‎01-13-2015 12:32 PM

Re: roUrlTransfer & SetCertificatesFile

"mjnewman" wrote:
It looks like the factory reset cleared things out, but do you know if this is standard on the Roku? Once we upgrade to TLS 1.2, will I need to factory reset all of our test devices? Powering down the Roku and restarting didn't seem to work.

No, you definitely shouldn't need to factory reset. I also wouldn't expect the Roku to cache the connection between app sessions, especially not over SSL/TLS. Sounds like maybe a coincidence or an unrelated issue.
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos
Reply
mjnewman
Visitor
‎01-13-2015 12:43 PM

Re: roUrlTransfer & SetCertificatesFile

Agreed, although that seems to be the case. Looks like our network isn't the issue as we're able to see the updates in effect.

Thanks again for you help and insight – It looks like the server upgrade to the latest version of Apache2 and TLS1.2 will work.
0 Kudos
Reply
Veeta
Visitor
‎01-15-2015 10:27 AM

Re: roUrlTransfer & SetCertificatesFile

I think my channel is affected by this same issue since 6.1 firmware updates. Unfortunately, the connection problems are intermittent and I don't control the server.

Are there any more details you might have about SSL changes from old firmware vs. 6.1? I'd like to be able to provide some context to those who manage the service.
0 Kudos
Reply
Need Assistance?
Welcome to the Roku Community! Feel free to search our Community for answers or post your question to get help.

Become a Roku Streaming Expert!

Share your expertise, help fellow streamers, and unlock exclusive rewards as part of the Roku Community. Learn more.