josdion/subbuzz

SSL error

bmacao opened this issue · 13 comments

The plugin is giving SSL errors while searching subtitles on some providers (Podnapisi.NET), causing the search to hang forever:

Search error: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
---> Interop+Crypto+OpenSslCryptographicException: error:0A000172:SSL routines::wrong signature type
--- End of inner exception stack trace ---
at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
--- End of inner exception stack trace ---
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at subbuzz.Helpers.Download.Get(String link, String referer, Dictionary`2 post_params, CancellationToken cancellationToken, Int32 maxRetry)
at subbuzz.Helpers.Download.GetStream(String link, String referer, Dictionary`2 post_params, CancellationToken cancellationToken, Int32 maxRetry)
at subbuzz.Providers.PodnapisiNet.SearchUrl(String url, SearchInfo si, CancellationToken cancellationToken)

Opensubtitles.com has a timeout issue as well:

opensubtitles.com: Search error: System.Threading.Tasks.TaskCanceledException: The request was canceled due to the configured HttpClient.Timeout of 30 seconds elapsing.

@bmacao Can you give a little more information, like the OS version, version of emby or jellyfin, version of subbuzz?

Hi, should have given it right at the start, sorry bout that :)

Ubuntu 22.04
jellyfin 10.8.5
subbuzz 1.0.3.0

Can confirm Podnapisi.NET SSL error on:

  • Arch Linux (kernel 6.0.10), to be containerized soon
  • jellyfin 10.8.7
  • subbuzz 1.0.3.0

Currently running Jellyfin locally without SSL, but that shouldn't prevent accessing SSL services. Other providers function correctly.

Having Podnapisi.NET working would be really neat, as that's the provider with most Slovenian subtitles.

Seems like openssl can't verify the certificate from podnapisi.net
Can you run: curl -X GET https://www.podnapisi.net or openssl s_client -connect www.podnapisi.net:443 | grep error

$ curl -X GET https://www.podnapisi.net
curl: (35) error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type

$ openssl s_client -connect www.podnapisi.net:443 | grep error
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = podnapisi.net
verify return:1
140087763469632:error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../ssl/t1_lib.c:1145:

That happens on my server as well as on my local machine.

Same error for me as @jonpas posted

There is a workaround: setting CipherString = DEFAULT@SECLEVEL=0 in /etc/ssl/openssl.cnf. I wouldn't recommend it, but can't find a better solution for now.

In openssl.cnf, see which section openssl_conf points to, and in that section add ssl_conf = ssl_sect. After that, add the following two sections:

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0

Restart jellyfin.

Sorry, not working at my end, still SSL error

@bmacao Can you try again with curl and openssl to see if there is an error?
Also, if there is an error, try openssl s_client -connect www.podnapisi.net:443 -cipher DEFAULT@SECLEVEL=0 | grep error

Can you post the value of the openssl_conf section from openssl.cnf?

I tested this on Arch Linux, so it may be different on Ubuntu.


My openssl_conf is as you have posted

@bmacao I didn't post my openssl_conf, but here it is.

 # Use this in order to automatically load providers.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0
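
Added example (not part of the original thread and not subbuzz code): a small Python audit of the section chain described in the workaround above. It reports whether the system_default section is actually reachable from openssl_conf and which SECLEVEL it sets. Both config strings are constructed samples based on the config posted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the config posted in this thread.
POSTED = """\
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0
"""
# Constructed sample: same file, but the ssl_conf line was never added,
# so nothing points at [ssl_sect] and the CipherString is never read.
ORPHANED = POSTED.replace("ssl_conf = ssl_sect\n", "")

def parse_cnf(text):
    """Parse the subset of openssl.cnf used here: comments, [sections], key = value."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        header = re.fullmatch(r"\[\s*(\S+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default_ssl(text):
    """Follow openssl_conf -> ssl_conf -> system_default; None if a link is missing."""
    cnf = parse_cnf(text)
    name = cnf["default"].get("openssl_conf")
    for link in ("ssl_conf", "system_default"):
        name = cnf.get(name, {}).get(link)
    return cnf.get(name)

def audit(text):
    """Return (defaults_loaded, seclevel); seclevel is None when not set."""
    sect = system_default_ssl(text)
    if sect is None:
        return (False, None)
    m = re.search(r"@SECLEVEL=(\d)", sect.get("CipherString", ""))
    return (True, int(m.group(1)) if m else None)

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("orphaned", ORPHANED)):
        print(label, audit(text))   # SECLEVEL 0 applies to every program loading this file
```

A result of (True, 0) means the lowered security level is in effect for every application that loads this openssl.cnf, not only Jellyfin.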

Managed to get it working with additional config in openssl_conf:

(your settings still need to be applied)

...
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = Default:@SECLEVEL=1 -> CipherString = Default:@SECLEVEL=0 ( change to 0 )