spotifyd
Sending fatal alert BadCertificate (Not getting metadata due to TLS inspection)
Description
Not getting the metadata from spotifyd. It seems the OS certificates (with a custom CA certificate for internal TLS inspection) aren't being read. Nor can I find how to disable SSL verification with spotifyd to ignore this error.
To Reproduce
Using spotifyd in a network environment where TLS inspection is being used.
Expected behavior
Getting metadata from spotifyd
Logs
Couldn't fetch metadata from spotify: Http(Transport(Transport { kind: ConnectionFailed, message: Some("tls connection init failed"), url: Some(Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("api.spotify.com")), port: None, path: "/v1/me/player/currently-playing", query: None, fragment: None }), source: Some(Custom { kind: InvalidData, error: InvalidCertificateData("invalid peer certificate: UnknownIssuer") }) }))
Sending fatal alert BadCertificate
Sending fatal alert BadCertificate
Compilation flags
- [x] dbus_mpris
- [ ] dbus_keyring
- [ ] alsa_backend
- [ ] portaudio_backend
- [x] pulseaudio_backend
- [ ] rodio_backend
Versions (please complete the following information):
- OS: Pop!_OS 22.04 LTS
- Spotifyd: 0.3.4
- cargo: 1.63.0
Hi and thank you for the report!
The reason we ignore the OS certificate store here is the following: For our Web API requests we're using `rspotify` with the `client-ureq` feature enabled. Unfortunately, the only TLS backend available there right now is `ureq-rustls-tls`, which makes the HTTP client use bundled certificates from `webpki` and not the OS store.
I think there are two possible solutions to this:
- Migrate the dbus code to `async`, so that we can use `client-reqwest` and `reqwest-native-tls` or something similar. (I once started an effort to do this, but this requires a bit more refactoring.)
- Add an alternative TLS backend to `rspotify` that uses `native-tls` for `ureq`.
I'll have a look at the second option and see how feasible that is.
@midekra I created a PR to `rspotify` that enables the `native-certs` feature, if wanted. (https://github.com/ramsayleung/rspotify/pull/393) Once this is merged and released, we can update our `Cargo.toml` to use that.
Awesome! Thank you!
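The trust-store mismatch behind the `UnknownIssuer` error in this thread, reproduced offline as an added example (not part of the original thread and not spotifyd or rspotify code). `openssl verify` stands in for the client's certificate validator; both CAs, their names and all file paths are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. Every CA, subject and file here is constructed for the demo.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME CN: self-signed root CA written to $work/NAME.{key,pem}
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/ca.cnf" \
    -subj "/CN=$2" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue_leaf CA_NAME HOST: certificate for HOST signed by CA_NAME
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
    -subj "/CN=$2" -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/$1.pem" -CAkey "$work/$1.key" \
    -CAcreateserial -days 1 -out "$work/leaf.pem" 2>/dev/null
}

# verdict STORE: validate the leaf against STORE only, ignoring system paths
verdict() {
  local out
  if out=$(openssl verify -no-CApath -CAfile "$1" "$work/leaf.pem" 2>&1); then
    echo "trusted"
  elif printf '%s' "$out" | grep -q "unable to get local issuer certificate"; then
    echo "unknown issuer"
  else
    echo "other failure"
  fi
}

make_ca public  "Constructed Public Root"     # stands in for a bundled root
make_ca inspect "Constructed Inspection CA"   # corporate TLS-inspection CA
issue_leaf inspect api.spotify.com            # what the inspecting proxy presents
cp "$work/public.pem" "$work/bundled.pem"     # bundled roots: public CA only
cat "$work/public.pem" "$work/inspect.pem" > "$work/os.pem"  # OS store: both

printf 'bundled roots: %s\nOS store: %s\n' \
  "$(verdict "$work/bundled.pem")" "$(verdict "$work/os.pem")"
```

The same certificate is rejected or accepted purely by which root set the client loads, so the inspection CA only needs to be present in the store the client actually reads.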