SSL error #2

Open
bmacao opened this issue Sep 27, 2022 · 13 comments

Comments


bmacao commented Sep 27, 2022

The plugin is giving SSL errors while searching subtitles on some providers (Podnapisi.NET), causing search to hang forever:

Search error: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
---> Interop+Crypto+OpenSslCryptographicException: error:0A000172:SSL routines::wrong signature type
--- End of inner exception stack trace ---
at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
--- End of inner exception stack trace ---
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at subbuzz.Helpers.Download.Get(String link, String referer, Dictionary`2 post_params, CancellationToken cancellationToken, Int32 maxRetry)
at subbuzz.Helpers.Download.GetStream(String link, String referer, Dictionary`2 post_params, CancellationToken cancellationToken, Int32 maxRetry)
at subbuzz.Providers.PodnapisiNet.SearchUrl(String url, SearchInfo si, CancellationToken cancellationToken)

Author

bmacao commented Sep 28, 2022

Opensubtitles.com has a timeout issue as well:

opensubtitles.com: Search error: System.Threading.Tasks.TaskCanceledException: The request was canceled due to the configured HttpClient.Timeout of 30 seconds elapsing.

Owner

josdion commented Sep 30, 2022

@bmacao Can you give a little more information, like the OS version, version of emby or jellyfin, version of subbuzz?

Author

bmacao commented Sep 30, 2022

Hi, should have given it right at the start, sorry bout that :)

Ubuntu 22.04
jellyfin 10.8.5
subbuzz 1.0.3.0


jonpas commented Dec 4, 2022

Can confirm Podnapisi.NET SSL error on:

  • Arch Linux (kernel 6.0.10), to be containerized soon
  • jellyfin 10.8.7
  • subbuzz 1.0.3.0

Currently running Jellyfin locally without SSL, but that shouldn't prevent accessing SSL services. Other providers function correctly.

Having Podnapisi.NET working would be really neat, as that's the provider with most Slovenian subtitles.

Owner

josdion commented Dec 7, 2022

Seems like openssl can't verify the certificate from podnapisi.net.
Can you run: curl -X GET https://www.podnapisi.net or openssl s_client -connect www.podnapisi.net:443 | grep error


jonpas commented Dec 7, 2022

$ curl -X GET https://www.podnapisi.net
curl: (35) error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type

$ openssl s_client -connect www.podnapisi.net:443 | grep error
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = podnapisi.net
verify return:1
140087763469632:error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../ssl/t1_lib.c:1145:

That happens on my server as well as on my local machine.

Author

bmacao commented Dec 7, 2022

Same error for me as @jonpas posted

Owner

josdion commented Dec 8, 2022

There is a workaround: setting CipherString = DEFAULT@SECLEVEL=0 in /etc/ssl/openssl.cnf. I wouldn't recommend it, but I can't find a better solution for now.

In openssl.cnf, see which section openssl_conf points to, and in that section add ssl_conf = ssl_sect. After that, add the following two sections:

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0

Restart jellyfin.

Author

bmacao commented Dec 8, 2022

Sorry, not working at my end, still SSL error

Owner

josdion commented Dec 8, 2022

@bmacao Can you try again with curl and openssl to see if there is an error?
Also, if there is an error, try openssl s_client -connect www.podnapisi.net:443 -cipher DEFAULT@SECLEVEL=0 | grep error

Can you post the value of the openssl_conf section from openssl.cnf?

I tested this on Arch Linux, so it may be different on Ubuntu.

Author

bmacao commented Dec 8, 2022

[image: 20221208_104501]

My openssl_conf is as you have posted

Owner

josdion commented Dec 8, 2022

@bmacao I didn't post my openssl_conf, but here it is.

 # Use this in order to automatically load providers.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0

Author

bmacao commented Dec 8, 2022

Managed to get it working with additional config at openssl_conf:

( your settings still need to be applied )

...
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = Default:@SECLEVEL=1 -> CipherString = Default:@SECLEVEL=0 ( change to 0 )
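
An added example, not part of the thread and not subbuzz code: a small Python audit that follows the openssl_conf → ssl_conf → system_default chain described in the comments above and reports when the system-wide CipherString lowers SECLEVEL, so hosts that still carry this workaround can be found later. The function names and the `minimum` threshold are assumptions of this example.

```python
import re

# The openssl.cnf sections posted in the thread above.
THREAD_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0
"""

def parse_cnf(text):
    """Collect name = value pairs per [section]; '' holds the unnamed top section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if header := re.fullmatch(r"\[\s*(\S+)\s*\]", line):
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = line.split("=", 1)
            sections[current][name.strip()] = value.strip()
    return sections

def system_default_seclevel(text):
    """Return (CipherString, SECLEVEL); both are None if the chain does not resolve."""
    conf = parse_cnf(text)
    section = conf[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):   # each value names the next section
        section = conf.get(section, {}).get(key)
    cipher = conf.get(section, {}).get("CipherString")
    match = re.search(r"@SECLEVEL=(\d)", cipher or "")
    return cipher, int(match.group(1)) if match else None

def audit(text, minimum=1):
    """Return a finding string, or None. `minimum` is this example's policy threshold."""
    cipher, level = system_default_seclevel(text)
    if level is not None and level < minimum:
        return f"system-wide CipherString '{cipher}' lowers SECLEVEL to {level}"
    return None

if __name__ == "__main__":
    print(audit(THREAD_CNF))
```

A result of `(None, None)` from `system_default_seclevel` means no CipherString is reachable from `openssl_conf`, so a section carrying one is not being applied as the system default.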
