Issue with Java SSL handshake

Posted: Mon Jul 04, 2016 5:55 pm
by Anarchon
Hello, I've got some trouble regarding communication using secure HTTP protocol.
What I'm trying to achieve is to watch twitch stream on my Panasonic Viera TV.

I'm running Serviio on ZyXel NAS326, using Serviio version 1.6.1
I'm using JRE 1.8.0_91
I have installed version 16 of bogenpirat's twitch plugin

The trouble starts on Serviio startup, when it's checking the library for online resources; the log shows:
2016-07-04 16:42:43,626 WARN  [FeedUpdaterWorker] An error occured while parsing the online resource, waiting for expiry time to try again: Unexpected error while invoking plugin ( No subject alternative DNS name matching found. Unexpected error while invoking plugin ( No subject alternative DNS name matching found

So far, I've tried advice no. 5 in this (adding '-Djdk.tls.trustNameService=true' to the JAVA_OPTS line in '') with no luck. Also tried to restart the NAS a few times, didn't help either.

I'm not really a Java kind of guy, so if anyone could help, I'd appreciate it.

Re: Issue with Java SSL handshake

Posted: Sat Jul 09, 2016 2:42 pm
by Anarchon
All right, after reinstalling the whole of ffp and Serviio, I bumped into the same problem again.
After a bit of googling, I tapped into the SSL client to see what's going on by typing this in PuTTY:
openssl s_client -connect

The result at the very end was:
Verify return code: 20 (unable to get local issuer certificate)

So I looked into the certificate folder under '/ffp/etc/ssl/certs' and found just a ReadMe saying that root certificates are no longer supported.
I tried to specify the certs path as suggested in this thread as an answer, but since there are no certs in the folder it obviously doesn't help.

Looks like local certs are not generated for some reason.

Re: Issue with Java SSL handshake

Posted: Sat Jul 09, 2016 5:05 pm
by Anarchon
Now it seems I'm really stuck.

This is the log from openssl:
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Twitch Interactive, Inc./
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/ Global Root CA
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Twitch Interactive, Inc./
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
No client certificate CA names sent
SSL handshake has read 3177 bytes and written 342 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 70AC28C2DAC3E2B836653BB6DECC39AA6EAFCEFD74FE50F78A5DFD4848CF5AFB
    Master-Key: 2A50DD4095F926E3576A96E332383A879D8242151EE2D51C1631B7A1563CCF759ADBAD0A8CDEBE6CD32B972F86138CD2
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:

    Start Time: 1468071039
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

I've tried to download the needed issuer SHA2 Secure Server CA certificate from to my certs dir then executed
openssl s_client -CApath /ffp/etc/ssl/certs/DigiCertSHA2SecureServerCA.crt

The outcome is still the same :cry:
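
Added example, not part of the original posts: a small Python parser for `openssl s_client` output like the log above. It lists the issuers the server did not send, which are the certificates the client has to find in its own trust store. The sample input and every name in it are constructed.

```python
import re

# Constructed sample in the layout `openssl s_client` prints; all names are made up.
SAMPLE = """\
Certificate chain
 0 s:/C=US/O=Example Media, Inc./CN=*.media.example
   i:/C=US/O=Example Trust/CN=Example Issuing CA
 1 s:/C=US/O=Example Trust/CN=Example Issuing CA
   i:/C=US/O=Example Trust/CN=Example Root CA
---
Server certificate
subject=/C=US/O=Example Media, Inc./CN=*.media.example
issuer=/C=US/O=Example Trust/CN=Example Issuing CA
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:<subject DN>"
ISSUER = re.compile(r"^\s+i:(.*)$")          # "   i:<issuer DN>"
VERIFY = re.compile(r"Verify return code:\s*(\d+)\s*\((.*)\)")

def parse_s_client(text):
    """Return (chain, code, reason); chain is a list of (subject, issuer) pairs."""
    chain, subject, code, reason, in_chain = [], None, None, None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif line.strip() in ("---", "Server certificate"):
            in_chain = False
        elif in_chain and SUBJECT.match(line):
            subject = SUBJECT.match(line).group(1).strip()
        elif in_chain and ISSUER.match(line) and subject is not None:
            chain.append((subject, ISSUER.match(line).group(1).strip()))
            subject = None
        else:
            m = VERIFY.search(line)
            if m:
                code, reason = int(m.group(1)), m.group(2)
    return chain, code, reason

def missing_trust_anchors(chain):
    """Issuers named in the chain that the server did not send as a certificate."""
    sent = {subject for subject, _ in chain}
    return sorted({issuer for _, issuer in chain if issuer not in sent})

if __name__ == "__main__":
    chain, code, reason = parse_s_client(SAMPLE)
    print(f"verify return code {code}: {reason}")
    for dn in missing_trust_anchors(chain):
        print("must be in the local trust store:", dn)
```
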

Re: Issue with Java SSL handshake

Posted: Sat Jul 09, 2016 6:05 pm
by Anarchon
So I've managed to get it to work with 'verify return code of 0' under openssl, which means all good.
The only thing it needed was to be pointed to the right keystore file, which I downloaded from here
So much for debugging, anyways.

The next step I did was adding the key to the Java keystore, which I did using this tutorial.
Anyway, it still doesn't work. The whole logfile is in the attachment.