On Sat, 24 Nov 2018, Cristian Ionescu-Idbohrn wrote:
> On Fri, 23 Nov 2018, Olof Johansson wrote:
> > On 18-11-19 18:37 +0100, Cristian Ionescu-Idbohrn wrote:
> > > This is what I see:
> > ...
> > > requests.exceptions.SSLError:
> > > HTTPSConnectionPool(host='streaming-loadbalancer.ur.se', port=443): Max
> > > retries exceeded with url: /loadbalancer.json (Caused by
> > > SSLError(SSLError("bad handshake: Error([('SSL routines',
> > > 'ssl_choose_client_version', 'unsupported protocol')],)",),))
> > >
> > > when trying to download:
> > >
> > > https://urplay.se/program/204949-roster-fran-australiens-aboriginer
> > >
> > > for example. Works fine when playing it in chromium, though.
> > >
> > > Downloading from svtplay.se works fine, though.
> >
> > Thanks for the report, I have been postponing upgrading to the
> > new 2.0+ version, but should get on that asap. Hopefully that
> > should solve it.
>
> Doesn't seem so :( I tested with master (2.1-14-g72143b7). Similar
> problem. Attaching a trace done with that version.

FWIW, `curl' is showing a similar error when attempting to download:

    $ curl -v https://streaming-loadbalancer.ur.se/loadbalancer.json
    *   Trying 130.242.59.74...
    * TCP_NODELAY set
    * Connected to streaming-loadbalancer.ur.se (130.242.59.74) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (OUT), TLS alert, protocol version (582):
    * error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
    * Closing connection 0
    curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

But `wget' manages to do it:

    $ wget -O - --quiet https://streaming-loadbalancer.ur.se/loadbalancer.json;echo
    {"geoip_country_code":"SE","redirect":"streaming4.ur.se"}

`svtplay-dl` 1.9.1-0.1 on stretch manages to download:

    $ svtplay-dl --verbose -P hls -g https://urplay.se/program/204949-roster-fran-australiens-aboriginer
    DEBUG [1543070399.9] /usr/bin/svtplay-dl/svtplay_dl/utils/__init__.py/request: HTTP getting 'https://urplay.se/program/204949-roster-fran-australiens-aboriginer'
    DEBUG [1543070400.01] /usr/bin/svtplay-dl/svtplay_dl/utils/__init__.py/request: HTTP getting u'https://streaming-loadbalancer.ur.se/loadbalancer.json'
    DEBUG [1543070400.11] /usr/bin/svtplay-dl/svtplay_dl/utils/__init__.py/request: HTTP getting u'http://streaming4.ur.se/urplay/_definst_/mp4:se/204000-204999/204949-11.mp4/playlist.m3u8'
    DEBUG [1543070400.3] /usr/bin/svtplay-dl/svtplay_dl/utils/__init__.py/request: HTTP getting u'http://streaming4.ur.se/urplay/_definst_/mp4:se/204000-204999/204949-5.mp4/playlist.m3u8'
    DEBUG [1543070400.72] /usr/bin/svtplay-dl/svtplay_dl/utils/__init__.py/protocol_prio: Protocol priority scores (higher is better): {'dash': 5, 'hds': 3, 'hls': 4, 'http': 2, 'rtmp': 1}
    https://streaming4.ur.se/urplay/_definst_/mp4:se/204000-204999/204949-5.mp4/chunklist_w64863179.m3u8

So, it seems the problem might very well be openssl both in buster and
sid, but I may be wrong. On sid:

    $ openssl s_client -connect streaming-loadbalancer.ur.se:443;echo $?
    CONNECTED(00000003)
    140235689968640:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1940:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 86 bytes and written 327 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

fails. See Bug#912737 too. But it succeeds if I force TLS down to
TLSv1:

    $ openssl s_client -tls1 -connect streaming-loadbalancer.ur.se:443;echo $?
    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018
    verify return:1
    depth=0 C = SE, L = Stockholm, O = Sveriges Utbildningsradio AB, OU = IT, CN = *.ur.se
    verify return:1
    139650269000704:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2160:
    ---
    Certificate chain
     0 s:C = SE, L = Stockholm, O = Sveriges Utbildningsradio AB, OU = IT, CN = *.ur.se
       i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018
     1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018
       i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    ---
    Server certificate
    [certificate PEM block omitted]
    subject=C = SE, L = Stockholm, O = Sveriges Utbildningsradio AB, OU = IT, CN = *.ur.se
    issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3319 bytes and written 148 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : 0000
        Session-ID: ED0E05936A53EE7364627579C86D06F8C5F47CE45388E01B5A4C06D18088C91C
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1543073630
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---

So, it seems it's all down to if/how upstream wants to handle this.

Cheers,

-- 
Cristian
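
Added example (not part of the original message and not svtplay-dl code): a small decoder for the diagnostic lines quoted above, showing that the two failures are distinct client-side policy rejections and that curl's "(582)" is a fatal protocol_version alert. It assumes the OpenSSL 1.1.x packed error layout (8-bit library, 12-bit function, 12-bit reason) and curl's OpenSSL trace format; the function names are hypothetical.

```python
import re

# Constructed sample: diagnostic lines copied from the message above.
SAMPLE = """\
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
139650269000704:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2160:
"""

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:\n]+)")
ALERT_RE = re.compile(r"\((OUT|IN)\), TLS alert, ([^(]+) \((\d+)\)")
ALERT_LEVELS = {1: "warning", 2: "fatal"}  # TLS AlertLevel values

def decode_error(line):
    """Unpack an OpenSSL 1.1.x error code (assumed layout: lib/func/reason)."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {
        "lib": (code >> 24) & 0xFF,     # 20 is the SSL library
        "func": (code >> 12) & 0xFFF,   # numeric id of the failing function
        "reason": code & 0xFFF,         # numeric reason code
        "func_name": m.group(3),
        "reason_text": m.group(4).strip(),
    }

def decode_alert(line):
    """Split the number curl prints for an alert: (level << 8) | description."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    num = int(m.group(3))
    return {
        "direction": m.group(1),        # OUT: the client sent the alert
        "name": m.group(2).strip(),
        "level": ALERT_LEVELS.get(num >> 8, "unknown"),
        "description": num & 0xFF,      # 70 is protocol_version
    }

def triage(text):
    """Decode every alert or error line, in order of appearance."""
    recs = (decode_alert(l) or decode_error(l) for l in text.splitlines())
    return [r for r in recs if r]

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```

The alert direction is OUT, so it is the client that aborts after seeing the Server hello; the second error has a different function and reason code and only appears once the protocol version is forced down with -tls1.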