
Issue with Java SSL handshake

<<

Anarchon

Serviio newbie

Posts: 4

Joined: Mon Jul 04, 2016 5:24 pm

Post Mon Jul 04, 2016 5:55 pm

Issue with Java SSL handshake

Hello, I've got some trouble regarding communication using the secure HTTP protocol.
What I'm trying to achieve is to watch a Twitch stream on my Panasonic Viera TV.

I'm running Serviio on ZyXel NAS326, using Serviio version 1.6.1
I'm using JRE 1.8.0_91
I have installed version 16 of bogenpirat's twitch plugin

The trouble starts on Serviio startup, when it's checking the library for online resources. In the log it shows:
  Code:
2016-07-04 16:42:43,626 WARN  [FeedUpdaterWorker] An error occured while parsing the online resource https://www.twitch.tv/circon/v/75071194, waiting for expiry time to try again: Unexpected error while invoking plugin (twitch.tv): java.security.cert.CertificateException: No subject alternative DNS name matching usher.twitch.tv found.
org.serviio.library.online.metadata.OnlineResourceParseException: Unexpected error while invoking plugin (twitch.tv): java.security.cert.CertificateException: No subject alternative DNS name matching usher.twitch.tv found


So far, I've tried advice no. 5 in this (adding '-Djdk.tls.trustNameService=true' to the JAVA_OPTS line in 'serviiod.sh') with no luck. Also tried to restart the NAS a few times, didn't help either.

I'm not really a Java kind of guy, so if anyone could help, I'd appreciate it.
Thanks.
<<

Anarchon

Serviio newbie

Posts: 4

Joined: Mon Jul 04, 2016 5:24 pm

Post Sat Jul 09, 2016 2:42 pm

Re: Issue with Java SSL handshake

All right, after reinstalling the whole ffp and Serviio, I bumped into the same problem again.
After a bit of googling, I tapped into the ssl client to see what's going on by typing this in PuTTY:
  Code:
openssl s_client -connect 23.160.0.254:443

The result at the very end was:
  Code:
Verify return code: 20 (unable to get local issuer certificate)

So I looked into certificate folder under '/ffp/etc/ssl/certs' and found just some ReadMe saying that root certificates are no longer supported.
I tried to specify the certs path as suggested in this thread as an answer, but since there are no certs in the folder it obviously doesn't help.

Looks like local certs are not generated for some reason.
<<

Anarchon

Serviio newbie

Posts: 4

Joined: Mon Jul 04, 2016 5:24 pm

Post Sat Jul 09, 2016 5:05 pm

Re: Issue with Java SSL handshake

Now it seems I'm really stuck.

This is log from openssl:
  Code:
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Twitch Interactive, Inc./CN=usher.ttvnw.net
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
-----BEGIN CERTIFICATE-----
MIIFJjCCBA6gAwIBAgIQByOasi1lI8sQ8kt5AwW0VjANBgkqhkiG9w0BAQsFADBN
...
D9QCwEuinkpQGrlarp5S65xoII4ZIv7LebplF+W3dGNhfGJ4A2BjkXryz8VO4wN+
BnpW4SSkLJ8pdOyIkR+iCJiAHF2VRz85Ah4=
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
...
c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Twitch Interactive, Inc./CN=usher.ttvnw.net
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3177 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 70AC28C2DAC3E2B836653BB6DECC39AA6EAFCEFD74FE50F78A5DFD4848CF5AFB
    Session-ID-ctx:
    Master-Key: 2A50DD4095F926E3576A96E332383A879D8242151EE2D51C1631B7A1563CCF759ADBAD0A8CDEBE6CD32B972F86138CD2
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 5b e1 3f bf 67 19 ff 2b-2c af 9d 46 44 e3 32 a9   [.?.g..+,..FD.2.
    0010 - 8a 48 82 a0 c0 26 8f 61-6a a0 13 c7 8e 50 98 b6   .H...&.aj....P..
    0020 - ce 41 6a 82 a6 21 c9 41-b0 d4 23 63 03 b3 cd 56   .Aj..!.A..#c...V
    0030 - e0 98 f0 f8 34 90 da 20-7e cc a8 d2 98 8b 84 41   ....4.. ~......A
    0040 - 7a c6 3d ae 49 89 18 35-ce d3 bf 9d 9a 48 15 4a   z.=.I..5.....H.J
    0050 - bf 2e 48 5c 93 6b f8 5c-03 c9 44 10 54 fe da 4c   ..H\.k.\..D.T..L
    0060 - 40 c8 58 d2 0d 7c 02 10-f1 a8 0a 0d a4 ca ab 29   @.X..|.........)
    0070 - 02 66 25 e9 50 d9 71 4a-71 6e c9 f7 90 bd 6d ee   .f%.P.qJqn....m.
    0080 - 11 8c e1 da cf e7 5b 2b-2a c5 58 bb 95 6f ff 18   ......[+*.X..o..
    0090 - 9f d2 46 00 9d 10 fe 07-76 90 1e 7a f7 5c 9f fa   ..F.....v..z.\..
    00a0 - ae 7b c1 3e f5 2b f7 6e-af e8 be f3 7a e0 ea 42   .{.>.+.n....z..B

    Start Time: 1468071039
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed


I've tried to download the needed issuer SHA2 Secure Server CA certificate from DigiCert.com to my certs dir, then executed:
  Code:
openssl s_client -CApath /ffp/etc/ssl/certs/DigiCertSHA2SecureServerCA.crt 23.160.0.254:443

The outcome is still the same :cry:
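
Added example (not part of the original posts): a small shell triage of the `openssl s_client` output above that reports chain trust and name match as two separate results. `SAMPLE` is constructed from the chain and verify lines in the post and the function names are hypothetical; the name check uses the subject CN because this output does not list the SAN entries that Java compares against.

```shell
#!/bin/sh
# Added example. SAMPLE is constructed from the chain and verify lines of the
# s_client output in the post; function names are hypothetical.
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Twitch Interactive, Inc./CN=usher.ttvnw.net
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
    Verify return code: 20 (unable to get local issuer certificate)'

# Numeric verify result; 0 means the chain reached a locally trusted root.
verify_code() {
    printf '%s\n' "$1" | sed -n 's|^ *Verify return code: \([0-9][0-9]*\).*|\1|p' | tail -n 1
}

# Subject CN of chain entry 0 (the server certificate).
leaf_cn() {
    printf '%s\n' "$1" | sed -n 's|^ 0 s:.*/CN=\([^/]*\)$|\1|p' | head -n 1
}

# Issuer CN of the last certificate the server sent: the CA that has to be
# present in the local trust store for the chain to verify.
last_issuer_cn() {
    printf '%s\n' "$1" | sed -n 's|^ *i:.*/CN=\([^/]*\)$|\1|p' | tail -n 1
}

# Does certificate name $1 cover host $2? A leading "*." matches one label.
name_covers() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        "*."*) [ -n "${host%%.*}" ] && [ "${host#*.}" = "${pat#??}" ] ;;
        *)     [ "$pat" = "$host" ] ;;
    esac
}

# $1 = s_client output, $2 = host name the client asked for.
triage() {
    code=$(verify_code "$1"); cn=$(leaf_cn "$1")
    trust=ok; name=ok
    [ "$code" = "0" ] || trust="untrusted(code $code; missing CA: $(last_issuer_cn "$1"))"
    name_covers "$cn" "$2" || name="mismatch(certificate is for $cn)"
    printf 'trust=%s name=%s\n' "$trust" "$name"
}

triage "$SAMPLE" usher.twitch.tv
```

A trust-store change affects only the `trust` result; `name` is evaluated separately. Running `openssl x509 -noout -text` on the server certificate lists its SAN entries.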
<<

Anarchon

Serviio newbie

Posts: 4

Joined: Mon Jul 04, 2016 5:24 pm

Post Sat Jul 09, 2016 6:05 pm

Re: Issue with Java SSL handshake

So I've managed to get it to work with 'verify return code of 0' under openssl, which means all good.
Only thing that it needed was to navigate it to the right keystore file, which I downloaded from here.
So much for debugging, anyways.

Next step I did was adding the key to the Java keystore, which I did using this tutorial.
Anyways, it still doesn't work. In attachment is the whole logfile.
Attachments
serviio.log
(30.2 KiB) Downloaded 502 times
