Roku Developer Program

mjnewman
Level 7

roUrlTransfer & SetCertificatesFile

Hello!

I'm working with the sample code urlUtils.brs and attempting to load a JSON file over HTTPS.

obj = CreateObject("roUrlTransfer")
obj.SetPort(CreateObject("roMessagePort"))
obj.SetCertificatesFile("common:/certs/ca-bundle.crt")
obj.AddHeader("X-Roku-Reserved-Dev-Id", "")
obj.InitClientCertificates()
obj.AddHeader("Content-Type", "application/x-www-form-urlencoded")
obj.EnableEncodings(true)
obj.EnableFreshConnection(true)
obj.SetUrl(url)


It appears our server is properly configured with HTTPS and is working in Firefox, curl, and openssl.

When attempting PostFromString(request as String) we're receiving the -35 error with the following message:

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I've tried a variety of certificates including the common:/certs/ca-bundle.crt as well as our own PEM file. All yield the same error and the connection does work over HTTP.

I've also confirmed our PEM file can validate when issuing a direct curl with the command: curl --cacert cert.pem https://##url.com##/roku/login (not the actual URL, just a placeholder for reference). The connection still does not work when the PEM is included within the App: obj.SetCertificatesFile("pkg:/ssl/cert.pem")

As a test, I've downgraded our server to allow SSLv3 connections. This works directly when issuing the command via curl: curl -v -3 https://##url.com## (not the actual URL, just a placeholder for reference) – The Roku is still throwing the same -35 error.

Additionally, does the Roku cache URLs and DNS? We've spun up a number of test URLs and instances and are attempting various server configuration changes and want to be sure the Roku is making connections that are not cached. I've tried turning off the power, reinstalling the App and also resetting to the default factory connection.

Does anyone have a solution or can point out what I am doing wrong? Any insight or help would be greatly appreciated.
0 Kudos
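Added example (not part of the original post, and not Roku or OpenSSL project code): decoding the OpenSSL 1.0.x error line quoted above shows whether a failure is a TLS alert sent by the server during negotiation or a check that failed locally on the client. The second sample line is a certificate-verification error that does not appear in this thread and is included for contrast; the function names and category labels are illustrative.

```python
import re

# OpenSSL 1.0.x packs an error code as (lib << 24) | (func << 12) | reason.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this are alerts sent by the peer

# TLS alert numbers (RFC 5246, section 7.2), grouped by what they point at.
NEGOTIATION_ALERTS = {40: "handshake_failure", 70: "protocol_version",
                      71: "insufficient_security"}
CERT_ALERTS = {42: "bad_certificate", 48: "unknown_ca"}

LINE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

# Sample lines: the first is the error from the post, the second is a
# contrast case not taken from the thread (what a CA bundle problem looks like).
HANDSHAKE = ("error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
             "sslv3 alert handshake failure")
VERIFY = ("error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:"
          "certificate verify failed")

def decode_openssl_error(line):
    """Split an OpenSSL error line into its packed fields and text parts."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not an OpenSSL error line: %r" % line)
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert,
            "func_name": m.group(3), "text": m.group(4).strip()}

def triage(line):
    """Classify the failure: 'negotiation', 'certificate', 'other-alert', 'local'."""
    alert = decode_openssl_error(line)["peer_alert"]
    if alert is None:
        return "local"        # raised by the client itself, e.g. chain verification
    if alert in NEGOTIATION_ALERTS:
        return "negotiation"  # server rejected the offered protocol or ciphers
    if alert in CERT_ALERTS:
        return "certificate"  # server objected to a certificate it was sent
    return "other-alert"

if __name__ == "__main__":
    for sample in (HANDSHAKE, VERIFY):
        print(triage(sample), decode_openssl_error(sample))
```

For the error in the post the result is `negotiation`: alert 40 arrived while the client was waiting for the ServerHello, which is before any certificate is examined, so the file passed to SetCertificatesFile has no bearing on it.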
10 Replies
TheEndless
Level 7

Re: roUrlTransfer & SetCertificatesFile

Not recommended as a long term solution, but have you tried ifUrlTransfer.EnablePeerVerification(False) and/or ifUrlTransfer.EnableHostVerification(False)? I'm not sure where your cert came from, but I've needed to disable verification for self-signed certs.
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos
mjnewman
Level 7

Re: roUrlTransfer & SetCertificatesFile

Thank you – I just added both in and unfortunately I'm still receiving the same error.

I've got it working with the original code and loading data from another server that's running Apache2 with TLS1.2:

TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

We're working to upgrade our primary server, which is TLS1.0 and still not working with the Roku App, to see if that is indeed the issue:

TLS 1.0 connection using TLS_RSA_WITH_RC4_128_SHA


I don't believe I can set the SSL version on the Roku (at least that I've found) as that might be one way around this.
0 Kudos
TheEndless
Level 7

Re: roUrlTransfer & SetCertificatesFile

What firmware version are you running on the Roku you're testing with?
0 Kudos
mjnewman
Level 7

Re: roUrlTransfer & SetCertificatesFile

Model: 4200X - Roku 3
Software Version: 6.1 - Build 5517
Firmware: Roku/DVP-5.6 (045.06E00060A)
0 Kudos
TheEndless
Level 7

Re: roUrlTransfer & SetCertificatesFile

"mjnewman" wrote:
Model: 4200X - Roku 3
Software Version: 6.1 - Build 5517
Firmware: Roku/DVP-5.6 (045.06E00060A)

I believe there was a Heartbleed fix in 6.1 that could be the cause of your problem. I had a similar issue with one of my clients that required them to update their servers to support TLS 1.2.
0 Kudos
mjnewman
Level 7

Re: roUrlTransfer & SetCertificatesFile

Thank you – That definitely makes sense.

I just reset a Dev server to accept SSLv3 and factory reset the Roku. It was able to connect.

Obviously running the server on SSLv3 is a no-go and we'll be upgrading to TLS 1.2.

I was enabling "fresh connections" and have been incrementing the App build versions while making adjustments on the server. None of which appeared to be recognized by the Roku.

It looks like the factory reset cleared things out, but do you know if this is standard on the Roku? Once we upgrade to TLS 1.2, will I need to factory reset all of our test devices? Powering down the Roku and restarting didn't seem to work.

Thank you again for your help on this – It's very much appreciated.
0 Kudos
TheEndless
Level 7

Re: roUrlTransfer & SetCertificatesFile

"mjnewman" wrote:
It looks like the factory reset cleared things out, but do you know if this is standard on the Roku? Once we upgrade to TLS 1.2, will I need to factory reset all of our test devices? Powering down the Roku and restarting didn't seem to work.

No, you definitely shouldn't need to factory reset. I also wouldn't expect the Roku to cache the connection between app sessions, especially not over SSL/TLS. Sounds like maybe a coincidence or an unrelated issue.
0 Kudos
mjnewman
Level 7

Re: roUrlTransfer & SetCertificatesFile

Agreed, although that seems to be the case. Looks like our network isn't the issue as we're able to see the updates in effect.

Thanks again for your help and insight – It looks like the server upgrade to the latest version of Apache2 and TLS1.2 will work.
0 Kudos
Veeta
Level 7

Re: roUrlTransfer & SetCertificatesFile

I think my channel is affected by this same issue since 6.1 firmware updates. Unfortunately, the connection problems are intermittent and I don't control the server.

Are there any more details you might have about SSL changes from old firmware vs. 6.1? I'd like to be able to provide some context to those who manage the service.
0 Kudos