0

Audio streaming over https/TLS fails (TLS certificate verification issue with GnuTLS) [answered]

asked 2020-06-02 11:38:13 +0200

Bellini

updated 2020-06-03 18:40:57 +0200

Maus

I usually use the Sailwave app to listen to radio streams. For the past few days only http streams have been playable, https streams no longer are. This error message appears: "The network is unreachable. Secure connection setup failed"

Examples: https://st01.sslstream.dlf.de/dlf/01/128/mp3/stream.mp3 https://wdr-wdr3-live.icecastssl.wdr.de/wdr/wdr3/live/mp3/128/stream.mp3

The streams are playable in the SFOS Browser and on other hardware. On SFOS Rokua 3.3.0.16 and on the XA2 nothing was changed during that time.

Greeting


The question has been closed for the following reason "the question is answered, an answer was accepted" by olf
close date 2020-06-03 22:14:19.531417

Comments

Sailwave is a 3rd party app, contact the author of the application directly first.

Spam Hunter ( 2020-06-02 12:06:05 +0200 )

I've already done that, although I thought if the app was offered in the Jolla Store, Jolla would be a little responsible.

It doesn't seem to be the problem of the app, other radio/stream apps from the Jolla Store had the same problem.

But let's wait and see

Bellini ( 2020-06-02 13:50:08 +0200 )

@olf I generally support your habit of keeping TJC in order, but closing this question with "an answer was accepted" without any accepted answer is ... possibly premature.

Maus ( 2020-06-04 19:24:18 +0200 )

Well, as @Bellini answered his own question, concluding with "The problem has solved itself...", I indeed think that "this question was answered, and the answer accepted", literally.

If you think it should stay open, because the technical background of this issue is not fully understood yet, feel free to reopen it. But that was not the question of the OP (which he answered himself). Hence it might be more appropriate to pose a new question with a broader scope and a test case, which still works (i.e., is still failing).
IMHO this would need a bit more analysis, if a component of SailfishOS fails or the actual app, and if they correctly fail (because of outdated certificates) or because of fetching and parsing an outdated intermediate certificate even though a newer, valid one is offered (this is the current issue, you pointed to). Without this information, the sailors will likely shrug their shoulders, mumbling "some issue with some third party app, so what?". ;)

olf ( 2020-06-05 02:16:18 +0200 )

3 Answers

3

answered 2020-06-02 19:55:11 +0200

Maus

updated 2020-06-03 18:12:04 +0200

This is most probably caused by the expiry of a certificate in the certificate chain of the stream provider's server, namely the AddTrust certificate. You can check it yourself by using for example this tool. The root cause is of course much aggravated by the antique software stack of Mer and the inability of GnuTLS to use a different validation path in these cases.

The server you mentioned above seems to send a different chain of trust by now but e.g. www.redmine.org still fails and won't work with components linked against GnuTLS like the native Mail app.


Comments

Even more annoying is what our Mail app does when the remote IMAP server has that expired CA certificate in its chain of trust:

  • If the chain of trust contains the expired certificate, it just stops syncing without any notice!
  • If the admin repairs the chain of trust, Mail stops syncing complaining about a certificate problem

This is ... disappointing, to say the least.

Maus ( 2020-06-03 22:50:50 +0200 )
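An added illustration of the failure described in the answer above (not part of the original posts, and not GnuTLS code): a validator that insists on the whole server-sent chain fails once the old cross-signing certificate expires, while one that can stop at a newer trusted root still succeeds. All certificate names and dates are a constructed model, not parsed from real certificates.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def anchor_for(cert, store, now):
    """Return an unexpired trusted root whose subject matches cert's issuer."""
    return next((r for r in store if r.subject == cert.issuer and now <= r.not_after), None)

def verify_sent_chain_only(chain, store, now):
    """Walk the whole server-sent chain; any expired cert in it is fatal."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    if any(now > c.not_after for c in chain):
        return False
    return anchor_for(chain[-1], store, now) is not None

def verify_with_path_building(chain, store, now):
    """Stop at the first cert whose issuer is a trusted root; ignore the rest."""
    for i, cert in enumerate(chain):
        if i > 0 and chain[i - 1].issuer != cert.subject:
            return False
        if now > cert.not_after:
            return False
        if anchor_for(cert, store, now) is not None:
            return True
    return False

# Constructed model: names and dates are illustrative only.
LEAF = Cert("stream.example", "Intermediate CA", utc(2021, 1, 1))
INTER = Cert("Intermediate CA", "Newer Root", utc(2030, 1, 1))
CROSS = Cert("Newer Root", "AddTrust Root", utc(2020, 5, 30))  # expired cross-sign
OLD_ROOT = Cert("AddTrust Root", "AddTrust Root", utc(2020, 5, 30))
NEW_ROOT = Cert("Newer Root", "Newer Root", utc(2038, 1, 1))   # same name/key as CROSS
SENT_CHAIN = [LEAF, INTER, CROSS]   # what the misconfigured server sends
FIXED_CHAIN = [LEAF, INTER]         # what it sends after the admin repairs it
TRUST_STORE = [OLD_ROOT, NEW_ROOT]
```

With the repaired chain both validators accept the connection, which matches the streams working again once the provider changed what its server sends.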
0

answered 2020-06-02 18:44:26 +0200

lpr

updated 2020-06-02 18:52:36 +0200

I had the same problem over the last few days; now the wdr5 https mp3 stream is working again... It has something to do with outdated TLS certificates of the content provider.

Try gst-launch-1.0 [your-stream-url] and check the error message...

0

answered 2020-06-02 21:51:23 +0200

Bellini

Thanks to all

I had found this page Abgelaufenes Root-Zertifikat entfacht Ärger this morning and had also already judged it to be an evildoer.

But now after a new test all WDR and Deutschlandfunk connections are running again.

Problem has solved itself...

