-
-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to Connect [webOS 3.0, 3.5, more?] #43
Comments
I have multiple webOS devices and for me The Jellyfin app has been working on the devices that are running webOS 3.0 and 3.5. but I haven't updated the app in a while so I may be a bit behind the current release. I'll try to recompile it today and test it out. |
Connecting to the public demo server from the app may not work just yet - there's a change I have to make to the reverse proxy config. This change was already made for the internal demo server, so that won't be part of the issue affecting the client. |
The error message originates from here jellyfin-webos/org.jellyfin.webos/js/index.js Lines 320 to 336 in 25b7744
Looks like the isNaN check is inverted, so this would most likely have been caused by a 4xx or 5xx status code returned by the server.
|
A testing release is available here: #50 |
In #50, a user mentions that they are also unable to connect to the public demo server when using the 3.0 emulator, but it works fine under 5.0 (which is mainly what I tested with). We have a variety of CSP and other headers in place, so I'll have to review these to see what's stopping it. |
As mentioned in #46, I also cannot connect to the public demo server from my WebOS 6.0.5 TV. Not sure if there's a debug log available for a physical TV I can inspect to see if it is a TLS issue as well,... |
So there's been a bunch of work behind the scenes. We've made sure that the internal and public demo servers are using TLS 1.2, as that is supported across all webOS versions. From some more cursory searching on the internet, it seems that the app interface doesn't like Let's Encrypt certificates for some reason, even though the regular browser is okay with it. Since we use LE for all our sites, this is presenting an issue for us. We've currently made alternate arrangements to provide LG with an HTTP URL for testing, but obviously we'll still want to figure out how we can make this work for everyone. |
Have run into this specific issue before when using Emby's app with letsencrypt in the past. You're right to note that the tv browser works fine with letsencrypt, but there is a certificate problem that seems specific to apps on webos (this is on an LG C8 running what would've been late v4 or early v5 firmware at the time). I don't imagine it's fixable without cooperation from LG, but would be great if you could draw it to their attention. Maybe they'll do a firmware update! |
I've dealt a lot with SSL/TLS related problems in the past. Your demo server supports the following cipher suites for TLS 1.2:
https://webostv.developer.lge.com/discover/specifications/web-engine/ states that WebOS 3.x uses a Chromium 38 engine which just might not be capable of using those ciphers. I'd suggest adding something like this to the TLS 1.2 configuration on your demo server:
|
Are we sure that this is related at all to the Jellyfin client? I tried connecting to the demo server through the LG built-in web browser, and it didn't connect. Nothing happens. When I pointed it to http://demo.jellyfin.org/stable it was routed correctly to https://demo.jellyfin.org/stable - so it's not a routing issue of any kind. Seems to line up with @mono-of-pg 's findings. |
There is a separate private server that we provide to companies like LG and Roku in order to test clients. We have selectively enabled HTTP without a redirect to HTTPS on that server. |
Sorry, that was not the point I was trying to make. I was trying to say that LG televisions seem to have trouble connecting to the demo server via https in general, either through the Jellyfin client or through the built-in web browser. Supporting the observation by others that it is probably a Let's Encrypt and/or TLS version specific issue that can't be solved in the Jellyfin weOS client software, or even in the Jellyfin server software at all. |
@WilcoVertegaal Ah yes, I agree. All good then :-) We'll try @mono-of-pg's findings soon to be sure. If anything, it helps inform our documentation. |
Assuming there's a reverse proxy in front of your demo server this could easily be changed in its configuration. It even might work with an off-site proxy, so someone with an LG TV could simply set up a local reverse proxy pointing to the demo server without having to change anything on the server at all. |
@mono-of-pg There is a reverse proxy, but the item is a bit lower on the list since we're forcing the HTTP option for passing certification at least. I'll pass this along to my fellow Core Team member who set that up. |
I fully understand we're looking for a quick fix here and that there are more important things to spend time on. @WilcoVertegaal can you do some tests with your LG TV if I provide a reverse proxy? |
@mono-of-pg I have a personal Jellyfin server behind a reverse proxy myself, Apache, with a Let's Encrypt certificate. Not sure if I know how to reconfigure it properly though :-) If you could either give me some directions, or a correctly configured reverse proxy, I would be happy to test it. |
Very nice @WilcoVertegaal.
This should give you a rating of "A" on SSLLabs and still provide compatibility for older clients/browsers.
|
Erm .. As it turns out, connecting to my own server is not failing at all ... SSLLabs cipher suites gives me a whole sh*tload of suites available, then the handshake simulation succeeded for all clients except "Yahoo Slurp Jan 2015". Then I did the same for https://demo.jellyfin.org - cipher suites are much more limited, handshakes fail for like 40% of the clients. What I learn from this: it's not Let's Encrypt, but it might very well be a missing SSL cipher suite. Would you agree @mono-of-pg ? |
Yes, that's exactly what I was talking about... Now try to point your proxy to the jellyfin demo server and let it terminate SSL for your TV. If that actually works it might be a good indication that this is where the problem really sits. |
@mono-of-pg nailed it 🥇 With this configuration, my LG TV connects to the demo server and plays content without any problem. Connecting directly to https://demo.jellyfin.org/stable/ says something like "website not found". |
That's awesome 👍 Now @WilcoVertegaal try this in your config:
It should make your proxy look more like the demo server and offer only the ciphers mentioned above. If that fails we can be pretty sure we found the root cause of this issue. |
That's great - I now have A+ score on SSLLabs :-S Cipher suites as reported by SSLLabs:
All handshake simulations passed. Also the demo server still connects via LG TV. |
While an A+ rating looks nice it's not what we're looking for in this case :-D Your mod_ssl version seems to be a little different from mine so we need to fiddle a bit with the settings to just allow the same ciphers as the demo server does. |
I'm on Ubuntu 20.04 with Apache 2.4.41, mod_ssl the same version info and OpenSSL 1.1.1f. |
Apache 2.4.37 and OpenSSL 1.1.1g here.
edit: OpenSSL 1.1.1f on Ubuntu 20.04.2 LTS gives me the same result - just checked |
Correct, mine is the same. |
So why does your mod_ssl do something different here? Try with:
Is this a VirtualHost or your serverwide ssl config? |
Anyway, @anthonylavado as you can read above this issue very likely seems to be connected with the ciphers (not) offered by your reverse proxy. |
Yes.
Still no dice. Sorry @mono-of-pg - I have zero expertise in this area whatsoever.
No problem, very happy to be able to contribute! (Next on the list: a VIDAA/Hisense client ... ) |
The root certificate "DST Root CA X3", which was used for cross-signing the Let's Encrypt R3 CA, expires on September 30 this year: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ Is this going to be a potential issue with older versions of webOS? I don't know LG's testing requirements, but maybe they dictate that the app must work on a device which has received zero updates (including the CA bundle) in X years? It would be a shame to see a certification attempt go to waste because they happen to test on some ancient device after that date and see a trust issue... There's also Buypass, a Norwegian CA whose root certificate has been trusted by major browsers since 2010. They fully support the ACME protocol and can be used with clients such as Certbot: https://www.buypass.com/ssl/products/acme |
While this might be an issue after september I think it's pretty obvious that the findings of me and @WilcoVertegaal are the root cause of the problem. |
As I mentioned before, while I appreciate all of the testing, this in particular isn't the highest for the release issues because we're just using a workaround for the time being. Basically, for all of our vendor accounts (including Google Play, Apple App Store, etc) we have a private demo server that we provide for them to test with. It's got mostly similar content to the public demo server (just a few items removed for rating reasons). On this private server, we've given the LG Testing IP range access to connect without HTTPS, solely for testing purposes. We will eventually want to apply these cipher option fixes here and on the publicly accessible server. We'll also use this info to make sure our Reverse Proxy guides have a notice and are up to date once the app releases, so that public users know what to expect. I'll keep this issue open for tracking purposes, but I would deem it no longer "release critical". |
The exact error reported is ares-device-info
Console output
|
Thanks for your update @anthonylavado. |
Guys, the 30th of september is here ! |
Use http over LAN? |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
Some investigation about #43 (comment) jellyfin-webos/frontend/js/ajax.js Line 77 in 0e3c02b
So, that isNaN bug protects us from getting true as a string.We probably need to fix/update/replace AJAX first. |
Issue
During certification testing, devices running LG webOS 3.0 or 3.5 were unable to connect to the demo server.
Notes from Testing
Next Steps
It is possible that this was an intermittent issue, but because of the failed result, LG stopped testing on webOS 3/3.5 devices at this point.
For internal (Jellyfin) testing:
For community help:
If you have a webOS 3/3.5 device, please let us know if you are able to test this. You can use the public demo server, https://demo.jellyfin.org/stable.
The username is
demo
, with no password. If you need a compiled IPK to install, please let me know.Note that the public server is reset on the hour, every hour. It is recommended to avoid testing at that moment, as it will likely result in a connection error. This does not apply to our internal testing server.
The text was updated successfully, but these errors were encountered: