Skip to content
This repository

AUTH_WEB_LOGIN_NOT_ALLOWED error in libpiano #174

Closed
funnelfiasco opened this Issue November 09, 2011 · 61 comments
funnelfiasco

With pianobar 2011.11.09 on Fedora 16:

[1010 bcotton@sheldon ~/devel/pianobar ]$ pianobar
Welcome to pianobar (2011.11.09)! Press ? for a list of commands.
[?] Email: bcotton@gmail.com
[?] Password:
(i) Login... libpiano: Unknown error AUTH_WEB_LOGIN_NOT_ALLOWED in com.savagebeast.radio.api.protocol.xmlrpc.RadioXmlRpcException: 192.168.161.24|1320858149323|AUTH_WEB_LOGIN_NOT_ALLOWED
Error: Unknown.
[1011 bcotton@sheldon ~/devel/pianobar ]$

The previous pianobar release worked yesterday, and my account works through the Pandora website. I'm not sure where the IP address comes from, no such address exists on my system. I do have a virtualbox virtual interface, but it's on 192.168.122.0/24.

East2West

I can confirm this error as well with the upgraded version.

Francisco Garza

This sounds like a scary error, looks like they made another update this morning.

isaaclw

pianobar authenticated normally 20 minutes ago... this is a very recent change.

East2West

I wonder if it has to do with this method that is being sent from the web version

4342 101.353385 192.168.1.106 208.85.40.20 HTTP/XML POST /radio/xmlrpc/v33?rid=8905570P&method=canListen&arg1= HTTP/1.1

The response contains three fields, canListen (boolean), psn(empty value) psnLid (empty value)

ZigZagJoe

my client is still working fine - i suspect this is relating to [other clients] not using SSL for the auth call. i don't use canlisten, either, but i DO ssl it. Will check in a moment.

Confirmed: the issue is not fetching listener.authenticateListener over a SSL'd connection. Turned it off, got this error. Afaik, pianobar doesn't have support for SSL in its fetching library, so that would have to be fixed first.

isaaclw

ZigZagJoe: I'd be interested in a temporary workaround if you can explain how you disable ssl.
Edit: I guess that's actually "how to enable ssl"

ZigZagJoe

A short term fix would be bringing in curl or some such for the authentication call only, while promy adds SSL support to the pianobar fetch library. But there's no simple fix here, per se.

Tim Novinger

I'm having this issue too after updating.

clarkewd

Forgive me for my ignorance, but how do I get from 2011.11.09 to 2011.11.09-dev? (using homebrew?)

isaaclw

I already have that version:
isaac@pogo:~/Downloads/pianobar$ ./pianobar
Welcome to pianobar (2011.11.09-dev)! Press ? for a list of commands.
[?] Email: ******
[?] Password:
(i) Login... libpiano: Unknown error AUTH_WEB_LOGIN_NOT_ALLOWED in com.savagebeast.radio.api.protocol.xmlrpc.RadioXmlRpcException: 192.168.160.233|1320865031646|AUTH_WEB_LOGIN_NOT_ALLOWED
Error: Unknown.

isaaclw

Oh... Sharpie wasn't actually saying that that's the fix... His comment was just an automatic reference since he mentioned this ticket in the other ticket.

That's confusing.

George "elb0w"  Tsafas

pianobar::master ✔ $ pianobar gtsafas@george 14:06:57
Welcome to pianobar (2011.11.09-dev)! Press ? for a list of commands.
[?] Email:
[?] Password:
(i) Login... libpiano: Unknown error AUTH_WEB_LOGIN_NOT_ALLOWED in com.savagebeast.radio.api.protocol.xmlrpc.RadioXmlRpcException: 192.168.160.233|1320865572764|AUTH_WEB_LOGIN_NOT_ALLOWED
Error: Unknown.

Drew Liszewski
r4 commented November 09, 2011

I can confirm the error on Arch Linux as well.

http://paste.pocoo.org/show/505407/

PromyLOPh
Owner

pianobar has experimental SSL support in the tls branch. Please give it a try.

Justin Rainbow

Having a different error on the tls branch Network error: TLS handshake failed.

Bobby Powers

same with tls branch:

(i) Login... Network error: TLS handshake failed.

Asmundr

TLS branch works here
running Arch Linux i686

clarkewd

Would it be possible to add some notes on how to build for OS X in the install file? I'm getting this error:

ld: symbol(s) not found for architecture i386
collect2: ld returned 1 exit status
make: *** [pianobar] Error 1

Seems like I had this in the past and fixed it, but I don't remember what I did now.

PromyLOPh
Owner

There’s no proxy support yet. Therefore the handshake fails.

isaaclw

I've installed libcurl3-gnutls-dev, which helps with building the tls branch, but I'm still having troubles compiling...

Steve

Confirmed TLS branch working on Ubuntu 11.10 amd64: With a previously working pianobar

Instructions:
git clone -b tls https://github.com/PromyLOPh/pianobar.git
sudo apt-get install libgnutls-dev
cd pianobar
make
sudo make install

PromyLOPh
Owner

Poor man’s proxy support: https://gist.github.com/1352755

Would it be possible to add some notes on how to build for OS X in the install file?

There is a note about OS X in INSTALL.

babyhuey23

I have libgnutls-dev installed but I am getting the error:
undefined reference to `gnutls_certificate_set_verify_function'
when I try to compile

isaaclw

``c99 -O2 -DNDEBUG src/main.o src/player.o src/settings.o src/terminal.o src/ui_act.o src/ui.o src/ui_readline.o src/ui_dispatch.o src/libpiano/crypt.o src/libpiano/piano.o src/libpiano/xml.o \
src/libwaitress/waitress.o src/libezxml/ezxml.o -lao -lpthread -lm \
-lfaad -lmad -lgnutls -o pianobar
src/libwaitress/waitress.o: In function
WaitressFetchCall':
waitress.c:(.text+0xcae): undefined reference to `gnutls_certificate_set_verify_function'

Hopefully I didn't minimize it too much.
libgnutls-dev, libcurl4-gnutls-dev are both installed (ubuntu 11.04 amd)
clarkewd

@PromyLOPh - thanks. it is in https://raw.github.com/PromyLOPh/pianobar/tls/INSTALL but not in https://raw.github.com/PromyLOPh/pianobar/master/INSTALL

I was looking at the wrong one. Any reason a note for OS X is not in the master too?

PromyLOPh
Owner
>= gnutls-2.10.0 is required. Which version do you have installed?
clarkewd

Successful build on OS X, but TLS handshake fails.

brew install gnutls
git clone -b tls https://github.com/PromyLOPh/pianobar.git
cd pianobar/
make clean && make CFLAGS="-O2 -DNDEBUG -W64"


Welcome to pianobar (2011.11.09-dev)! Press ? for a list of commands.
(i) Login... Network error: TLS handshake failed.
Drew Liszewski
r4 commented November 09, 2011

I'm failing on the handshake as well.

lsuchocki

Fix for my "TLS handshake failed"

Defaults to finding CA root certificates in:
/etc/ssl/certs/ca-certificates.crt

If your is in a different directory, add a ~/.config/pianobar/config option to something like this:

tls_ca_path = /etc/pki/tls/certs/ca-bundle.crt

PromyLOPh
Owner

Please use the branch tls-emergency or apply the patch posted above if you’re behind a proxy.

edit: Ah, yes. That’s another possible point of failure, lsuchocki.

Andrew Moffat

i made https://github.com/amoffat/pypandora so i'm looking at the issue as well. i'm experiencing the same error, but just from a quick glance, it looks like pandora removed the authenticateListener method and added a createListener method, which doesn't return xml, but an xml string embedded in json (i think, i can't remember). it looks like the authentication token to use pandora is embedded in this xml

i think what we need is the xml that createListener sends out (before encryption), and to parse the returning data to extract the token

isaaclw

updating to tls 2.12 fixes my compile issue.
Once I get a chance I'll figure out how to set up sid (http://packages.debian.org/sid/libgnutls-dev) for this package. For now I just added sid, and did an update on this specific package, then removed sid.

Drew Liszewski
r4 commented November 09, 2011

TLS handshake error still persists...

My config file.. http://paste.pocoo.org/show/505460/

clarkewd

Working On OS X!!

//download the root certificates from some sketchy site I found in google:
wget -O ~/pianobar-cacert.pem http://curl.haxx.se/ca/cacert.pem

//add the path to the pianobar config file
echo "tls_ca_path = $HOME/pianobar-cacert.pem" >> ~/.config/pianobar/config

//install the dev tools
brew install gnutls

//clone the emergency branch
git clone -b tls-emergency https://github.com/PromyLOPh/pianobar.git
cd pianobar/
make clean && make CFLAGS="-O2 -DNDEBUG -W64"

//run pianobar from the current directory (just "pianobar" instead of "./pianobar" may fail if it is elsewhere in the path )
./pianobar

Welcome to pianobar (2011.11.09-dev)! Press ? for a list of commands.
(i) Login... Ok.
(i) Get stations... Ok.
JP Bader

I don't know if it's just me, but brew can't find a formula for libgnutls-dev

Justin Rainbow

Adding the cert http://curl.haxx.se/ca/cacert.pem works for me on OS X Lion. Thanks @clarkewd

funnelfiasco

On Fedora 16, setting
tls_ca_path = /etc/ssl/certs/ca-bundle.crt

with the tls branch works.

Bobby Powers

like @funnelfiasco, setting the cert path as @lsuchocki suggests fixes things for me!

Randall Randall

Clarkewd's cacert solution worked for me, too, though I am using tls instead of tls-emergency, and just put "depends_on 'gnutls'" in the pianobar formula.

Andrew Moffat

i can confirm that authenticating to https fixes the problem, but it doesn't look like the pandora player on the website is doing only that.

pianobar and pypandora are authenticating at /radio/xmlrpc/vVERSION with a POST, but the pandora.com player is authenticating at /radio/jsonp with a GET. the fact that we're still able to auth at the old endpoint probably means that they're in the process of migrating authentication code, so just a heads up, i won't be surprised if it breaks again in the near future

clarkewd

had one typo earlier - use:

brew install gnutls

not

brew install libgnutls-dev

sorry about that

JP Bader

confirmed it works now, thanks @clarkewd!

daphenix

Yep, Fedora 15 got it working with the cert clarkewd found and tls-emergency as well. Thanks.

mzilikazi

TLS branch working on Debian testing:

apt-cache policy libgnutls26 libgnutls-dev
libgnutls26:
Installed: 2.12.11-1
Candidate: 2.12.11-1
Version table:
*** 2.12.11-1 0
500 http://mirrors.xmission.com/debian/ testing/main i386 Packages
100 /var/lib/dpkg/status
2.8.6-1 0
500 http://mirrors.xmission.com/debian/ stable/main i386 Packages
libgnutls-dev:
Installed: 2.12.11-1
Candidate: 2.12.11-1
Version table:
*** 2.12.11-1 0
500 http://mirrors.xmission.com/debian/ testing/main i386 Packages
100 /var/lib/dpkg/status
2.8.6-1 0
500 http://mirrors.xmission.com/debian/ stable/main i386 Packages

clarkewd

Just so you know the "cert" that I found is a list of "CA root certificates" which are publicly available and usually come installed with web browsers. They are basically public keys for authorized SSL providers (or "certificate authorities (CA)", like Thwarte. The reason that pianobar was failing is because it didn't have the public keys for those certificate authorities and thus could not verify that the SSL connection to Pandora was not being MITM attacked. There is probably a more legitimate place to download the "CA root certificates" list that that site but that's the first place I found it. if you have a more legitimate source please share! :)

disclaimer: I didn't spent too much time checking the exact terminology when writing this post so if I've used a wrong term i apologize but just wanted to let everyone know a little more about what was going on.

Special thanks to PromyLOPh for creating the emergency branch and continuing to develop and quickly respond to issues.

daphenix

Ah thanks for the info clarkewd. I swear I learn something new everyday. And I would also like to give thanks to PromyLOPh. Awesome Job!

rdj

Tweaked the head :tag in the pianobar formula to install through homebrew:

https://gist.github.com/1353258

patrickhenry14

Still getting the libpiano: Unknown error AUTH_WEB_LOGIN_NOT_ALLOWED in com.savagebeast.radio.api.protocol.xmlrpc.RadioXmlRpcException: 192.168.161.24|1320858149323|AUTH_WEB_LOGIN_NOT_ALLOWED
using the tls-emergency branch.

art kon

Awesome thanks @clarkewd @PromyLOPh, I have recently become addicted to pianobar and wasn't ready to give it up. :)

Bobby Powers

Just to be clear @daphenix and any other Fedora users, you shouldn't need to pull down a list of root CAs, in the pianobar config (~/.config/pianobar/config) simply set:

tls_ca_path = /etc/pki/tls/certs/ca-bundle.crt

as @lsuchocki mentioned.

clarkewd

@patrickhenry14 try launching using ./pianobar while in the directory where you compiled instead of pianobar. i think your running an old version because path is overriding the newly compiled one.

@bpowers - yes, unfortunately I don't think the bundle is included on OS X :)

Aaron Ott

anyone else get the error
waitress.c:(.text+0xfeb): undefined reference to `gnutls_certificate_set_verify_function'
collect2: ld returned 1 exit status
make: *** [pianobar] Error 1

when doing the make? I'm on Ubuntu 10.10.

I solved this for me by commenting out that line in the waitress.c file, and doing a make clean && make

https://gist.github.com/1353970

George "elb0w"  Tsafas

@rdj I manually compiled and was able to get this to work with the tls branch.

What would the command to install via brew be? I tried upgrade but it did not seem to work.

Max Thrun

TLS branch is confirmed working for me on Gentoo

PromyLOPh
Owner

Thanks everyone for testing. If you encounter any bugs in the tls-emergency branch open a new issue, please. I’ll merge the branch into master and package a new release this weekend.

PromyLOPh PromyLOPh closed this November 10, 2011
Chris Wolfe

Confirm on Fedora 15 - use yum install gnutls-devel, add the cert path to ~/.config/pianobar/config, remake.

TJ Hunter

On Ubuntu 10.04 using libgnutls-dev 2.8.6-1 I also had to comment out the gnutls_certificate_set_verify_function line in waitress.c to get it to compile, but it works now. Thanks!

Drew Liszewski
r4 commented November 10, 2011

tls-emergency branch works on arch linux

Sean

tls-emergency branch works for me on Ubuntu 11.11 without doing anything else besides installing libgnutls-dev. I had to put 'dev=hw:1' into my /etc/libao.conf to get output working on my 2nd sound card. I'm using ALSA. The root CA path for Ubuntu 11.11 is /etc/ssl/certs/ca-certificates.crt, but I didn't need to specify this anywhere.

Juan C. Müller

Actually, OSX users: the root certificates are bundled with the system, you just need to pull them out. Open Keychain Access, select "System Roots". I selected all the entries (cmd-a), then "File" > "Export Items...". Selected the .cer option, and saved the file. Pointed my pianobar config to that file, and, provided that I'm using the tls-emergency branch, and that I upgraded gnutls (using homebrew) to 2.12.12, pianobar works again!

Hope this helps, and avoids having to download the certificate file from that site...

Hunter Haugen hunner referenced this issue in nega0/pianobarfly November 12, 2011
Closed

AUTH_WEB_LOGIN_NOT_ALLOWED #10

Greg Lund-Chaix

Adding "tls_ca_path = /etc/ssl/certs/ca.crt" to my config on Ubuntu 12.04 resolved the "TLS handshake failed" issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.