Roku Developer Program

Join our online forum to talk to Roku developers and fellow channel creators. Ask questions, share tips with the community, and find helpful resources.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jedashford
Channel Surfer

Certs not accepted?

We have some of our HLS clips coming from an https server that Roku just doesnt like. See error below. It works on all platforms (multiple desktop browsers, Android web/native, iPhone/iPad, but I'm unable to get the roku to accept a connection to this server. I've tried all that I know how to do. Any hints from the community?

Video object config:
video.SetCertificatesFile("common:/certs/ca-bundle.crt")
video.AddHeader("X-Roku-Reserved-Dev-Id", "")
video.InitClientCertificates()
video.SetCertificatesDepth(3)

Error:

GetMessage: Download segment info
Unknown event: 31 msg: Download segment info
GetType: 21
typeName: roSystemLogEvent
GetInfo: Status: handshakefailed
LogType: http.error

TargetIp: 54.230.7.106
HttpCode: -1
Datetime: <Component: roDateTime>
OrigUrl: https://loadbalancer.vidangel.com/strea ... 1429116106
Url: https://loadbalancer.vidangel.com/strea ... 1429116106
Method: GET
0 Kudos
15 REPLIES 15
TheEndless
Channel Surfer

Re: Certs not accepted?

Why are you setting the certificates depth? Was that just something you tried?

There's also no need to add the dev ID header (unless you're using it for something on your server) nor init the client certificates, but neither of those would cause the problem you're seeing. In firmware 6.1, they added a heartbleed fix that broke SSL connections to any server that doesn't support TLS 1.1, which could potentially be the issue here. Unfortunately, I'm not experienced enough with that side of things to know how to test if that's the case or not.
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos
jedashford
Channel Surfer

Re: Certs not accepted?

I appreciated the response. I've added those extras on the connection for testing. I believe they were required for some of our other https connections, but this video player with this specific server just dont want to play nice.
0 Kudos
belltown
Roku Guru

Re: Certs not accepted?

You could enable tcpdump on your Roku, run your test again, download the log file from your Roku to your PC, then examine the TLS handshaking sequence using Wireshark.

One possibility is that the Roku is only announcing support for TLS 1.0 when requesting videos with roVideoScreen, and the server is refusing to fulfill the connection if it requires that the client support TLS 1.2. I posted about a similar issue here: http://forums.roku.com/viewtopic.php?p=483874&sid=f9b2c289420f07dcda53ae75bd8c5b0a#p483912. In that case, I noticed that if a resource was requested using roUrlTransfer, then the Roku negotiated the use of TLS 1.2. However, if the same resource was requested using some of the built-in UI components (roPosterScreen, roSlideshow, etc.), then the Roku only negotiated use of TLS 1.0. Some CDNs seemed okay with that; others were not. I postulated that in certain cases the Roku was only supporting TLS 1.0, and asked for a response from a Roku person. No-one responded, however. It may be that your issue is related to the recent changes in the Roku TLS code.

In the meantime, try requesting the same video, except using "http" instead of "https".
0 Kudos
jedashford
Channel Surfer

Re: Certs not accepted?

Thanks for the help. I'll try the tcpdump and examine. By law we need to protect our streams, so http doesn't really work. It does work though with http instead of https.
0 Kudos
wpinkman
Visitor

Re: Certs not accepted?

Thanks @belltown for referencing the earlier post. I patched my channel by doing a string replace of "https" with "http" for the CDN URLs (Instagram/Facebook CDN in my case), but I've been nervous ever since that this will stop working since it relies on the CDN allowing HTTP which could change over time and would totally break my channel.

I hope this issue will get addressed by someone at Roku.
--andy (channel: Rokagram)
0 Kudos
belltown
Roku Guru

Re: Certs not accepted?

I took a quick look at the difference between the TLS handshaking used by roVideoScreen and roUrlTransfer. It appears that, like the other built-in components: roPosterScreen, roSlideshow, roImageCanvas, etc., roVideoScreen also will only negotiate a TLS session using TLS 1.0, whereas an attempt to retrieve the same resource using roUrlTransfer will be negotiated to use TLS 1.2.

Here's a Wireshark capture taken when retrieving a video using roVideoScreen:



And another capture retrieving the same video file using roUrlTransfer:



I set up my own server to use "strong" TLS encryption, refusing connections from clients that only support TLS 1.0 and got the same "handshakefailed" error reported by jedashford in his initial post, even though I could download the video successfully using roUrlTransfer:

------ Running ------
00:56:15.266 Starting ..
00:56:15.577 playVideo. roSystemLogEvent [21]-LogType=http.error. Datetime: 00:56:15.575
00:56:15.578 > Url: https://videos.nsa.mil/Videos/video-5secs.mp4
00:56:15.580 > Status: handshakefailed
00:56:15.597 > HttpCode: -1
00:56:15.598 > Method: GET
00:56:15.600 > TargetIp: 192.168.0.100
00:56:15.603 > OrigUrl: https://videos.nsa.mil/Videos/video-5secs.mp4
00:56:15.744 playVideo. roVideoScreenEvent [11]-isStatusMessage. Message: Unspecified or invalid track path/url.
00:56:15.748 playVideo. roVideoScreenEvent [9]-isRequestFailed. Message: Index: -5. MediaFormat: ???
00:56:15.778 playVideo. roVideoScreenEvent [1]-isScreenClosed
00:56:15.781 Finished


It seems to me that there's something messed up with the Roku's TLS code as it pertains to the built-in components.

It looks like some CDNs are requiring their clients to connect using TLS 1.2 possibly due to the various security vulnerabilities discovered in earlier SSL/TLS versions, but this is not supported by the Roku's built-in components.

It's been almost a month since I first reported this issue, and there's been not a single word from anyone at Roku even acknowledging that they're even aware of the problem. I'm surprised. Most companies take security issues seriously these days once they're notified of a potential problem in their security protocols.
0 Kudos
wpinkman
Visitor

Re: Certs not accepted?

That looks pretty authoritative to me. I hope there's a fix or a workaround forthcoming. I suspect over time there will be more and more problems as various services tighten up their security.
--andy (channel: Rokagram)
0 Kudos
bosborne
Visitor

Re: Certs not accepted?

Can we get someone from Roku to weigh in on this? I am experiencing this exact issue. This was a total PITA to debug because some things work (roUrlTransfers) and others do not (roPosterScreen).
0 Kudos
jedashford
Channel Surfer

Re: Certs not accepted?

This is a security bug for us since we need to use http for our Roku customers. Would love some more info on a work around.
0 Kudos