
Unable to Connect [webOS 3.0, 3.5, more?]

Open anthonylavado opened this issue 3 years ago • 53 comments

Issue

During certification testing, devices running LG webOS 3.0 or 3.5 were unable to connect to the demo server.

Notes from Testing

When selecting the Connect UI Button after entering the received URL, the message "Unknown error occurred. Are you connecting to a Jellyfin sever?" is displayed.

Next Steps

It is possible that this was an intermittent issue, but because of the failed result, LG stopped testing on webOS 3/3.5 devices at this point.

For internal (Jellyfin) testing:

  • Install more webOS emulators and test connectivity with app to internal demo server.
  • Check equipment list for team members with webOS 3/3.5 equipment and ask them to test against internal demo server.

For community help:

If you have a webOS 3/3.5 device, please let us know if you are able to test this. You can use the public demo server, https://demo.jellyfin.org/stable. The username is demo, with no password. If you need a compiled IPK to install, please let me know. Note that the public server is reset on the hour, every hour. It is recommended to avoid testing at that moment, as it will likely result in a connection error. This does not apply to our internal testing server.

anthonylavado avatar Apr 16 '21 04:04 anthonylavado

I have multiple webOS devices, and for me the Jellyfin app has been working on the devices that are running webOS 3.0 and 3.5, but I haven't updated the app in a while so I may be a bit behind the current release. I'll try to recompile it today and test it out.

dab2020 avatar Apr 16 '21 04:04 dab2020

Connecting to the public demo server from the app may not work just yet - there's a change I have to make to the reverse proxy config.

This change was already made for the internal demo server, so that won't be part of the issue affecting the client.

anthonylavado avatar Apr 16 '21 19:04 anthonylavado

The error message originates from here https://github.com/jellyfin/jellyfin-webos/blob/25b774482b325c06ef2554c150ae3ea4c60214d3/org.jellyfin.webos/js/index.js#L320-L336 Looks like the isNaN check is inverted, so this would most likely have been caused by a 4xx or 5xx status code returned by the server.

oddstr13 avatar Apr 16 '21 22:04 oddstr13

A testing release is available here: https://github.com/jellyfin/jellyfin-webos/issues/50

anthonylavado avatar Apr 17 '21 00:04 anthonylavado

In #50, a user mentions that they are also unable to connect to the public demo server when using the 3.0 emulator, but it works fine under 5.0 (which is mainly what I tested with). We have a variety of CSP and other headers in place, so I'll have to review these to see what's stopping it.

anthonylavado avatar Apr 17 '21 15:04 anthonylavado

In #50, @agrisci has figured out the issue. It looks like we need to enable older protocols for SSL for the internal testing server.

https://github.com/jellyfin/jellyfin-webos/issues/50#issuecomment-821836996

anthonylavado avatar Apr 17 '21 15:04 anthonylavado

As mentioned in #46, I also cannot connect to the public demo server from my WebOS 6.0.5 TV. Not sure if there's a debug log available for a physical TV I can inspect to see if it is a TLS issue as well,...

dovecode avatar Apr 18 '21 17:04 dovecode

So there's been a bunch of work behind the scenes. We've made sure that the internal and public demo servers are using TLS 1.2, as that is supported across all webOS versions.

From some more cursory searching on the internet, it seems that the app interface doesn't like Let's Encrypt certificates for some reason, even though the regular browser is okay with it. Since we use LE for all our sites, this is presenting an issue for us.

We've currently made alternate arrangements to provide LG with an HTTP URL for testing, but obviously we'll still want to figure out how we can make this work for everyone.

anthonylavado avatar Apr 18 '21 17:04 anthonylavado

> From some more cursory searching on the internet, it seems that the app interface doesn't like Let's Encrypt certificates for some reason, even though the regular browser is okay with it. Since we use LE for all our sites, this is presenting an issue for us.

Have run into this specific issue before when using Emby's app with letsencrypt in the past. You're right to note that the tv browser works fine with letsencrypt, but there is a certificate problem that seems specific to apps on webos (this is on an LG C8 running what would've been late v4 or early v5 firmware at the time). I don't imagine it's fixable without cooperation from LG, but would be great if you could draw it to their attention. Maybe they'll do a firmware update!

caeci11ius avatar Apr 19 '21 01:04 caeci11ius

I've dealt a lot with SSL/TLS related problems in the past. This specific one could simply be a TLS handshake mismatch.

Your demo server supports the following cipher suites for TLS 1.2:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

https://webostv.developer.lge.com/discover/specifications/web-engine/ states that WebOS 3.x uses a Chromium 38 engine which just might not be capable of using those ciphers.

I'd suggest adding something like this to the TLS 1.2 configuration on your demo server:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

mono-of-pg avatar May 04 '21 10:05 mono-of-pg

Are we sure that this is related at all to the Jellyfin client? I tried connecting to the demo server through the LG built-in web browser, and it didn't connect. Nothing happens. When I pointed it to http://demo.jellyfin.org/stable it was routed correctly to https://demo.jellyfin.org/stable - so it's not a routing issue of any kind. Seems to line up with @mono-of-pg 's findings.

WilcoVertegaal avatar May 08 '21 17:05 WilcoVertegaal

There is a separate private server that we provide to companies like LG and Roku in order to test clients. We have selectively enabled HTTP without a redirect to HTTPS on that server.

anthonylavado avatar May 09 '21 04:05 anthonylavado

Sorry, that was not the point I was trying to make. I was trying to say that LG televisions seem to have trouble connecting to the demo server via https in general, either through the Jellyfin client or through the built-in web browser. Supporting the observation by others that it is probably a Let's Encrypt and/or TLS version specific issue that can't be solved in the Jellyfin webOS client software, or even in the Jellyfin server software at all.

WilcoVertegaal avatar May 09 '21 11:05 WilcoVertegaal

@WilcoVertegaal Ah yes, I agree. All good then :-)

We'll try @mono-of-pg's findings soon to be sure. If anything, it helps inform our documentation.

anthonylavado avatar May 09 '21 22:05 anthonylavado

Assuming there's a reverse proxy in front of your demo server this could easily be changed in its configuration.

It even might work with an off-site proxy, so someone with an LG TV could simply set up a local reverse proxy pointing to the demo server without having to change anything on the server at all.

mono-of-pg avatar May 10 '21 07:05 mono-of-pg

@mono-of-pg There is a reverse proxy, but the item is a bit lower on the list since we're forcing the HTTP option for passing certification at least. I'll pass this along to my fellow Core Team member who set that up.

anthonylavado avatar May 10 '21 23:05 anthonylavado

I fully understand we're looking for a quick fix here and that there are more important things to spend time on. That's why I'm suggesting to test this because if it really turns out to be that way then it's no jellyfin issue at all.

@WilcoVertegaal can you do some tests with your LG TV if I provide a reverse proxy?

mono-of-pg avatar May 11 '21 07:05 mono-of-pg

@mono-of-pg I have a personal Jellyfin server behind a reverse proxy myself, Apache, with a Let's Encrypt certificate. Not sure if I know how to reconfigure it properly though :-) If you could either give me some directions, or a correctly configured reverse proxy, I would be happy to test it.

WilcoVertegaal avatar May 11 '21 07:05 WilcoVertegaal

Very nice @WilcoVertegaal. I assume the connection through your proxy fails right now.

  1. Test your ssl configuration with SSLLabs or testssl.sh if you want to run that from your computer.
  2. Look for "Cipher Suites" and save that for reference.
  3. Edit your Apache reverse proxy configuration to resemble this:

        SSLProtocol -all +TLSv1.2 +TLSv1.3
        SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP
        SSLHonorCipherOrder on

     This should give you a rating of "A" on SSLLabs and still provide compatibility for older clients/browsers.

  4. Restart Apache and give it a try...

mono-of-pg avatar May 11 '21 07:05 mono-of-pg

Erm .. As it turns out, connecting to my own server is not failing at all ... SSLLabs cipher suites gives me a whole sh*tload of suites available, then the handshake simulation succeeded for all clients except "Yahoo Slurp Jan 2015".

Then I did the same for https://demo.jellyfin.org - cipher suites are much more limited, handshakes fail for like 40% of the clients.

What I learn from this: it's not Let's Encrypt, but it might very well be a missing SSL cipher suite.

Would you agree @mono-of-pg ?

WilcoVertegaal avatar May 11 '21 17:05 WilcoVertegaal

Yes, that's exactly what I was talking about...

Now try to point your proxy to the jellyfin demo server and let it terminate SSL for your TV. LG-TV -> Proxy -> Jellyfin-Demo-Server

If that actually works it might be a good indication that this is where the problem really sits.

mono-of-pg avatar May 11 '21 20:05 mono-of-pg

I can't seem to get it to work, it even fails when I open the website in my browser:

"Proxy Error The proxy server could not handle the request

Reason: Error during SSL Handshake with remote server"

Log file says this:

[Tue May 11 22:27:42.124526 2021] [proxy:error] [pid 4153024:tid 140396758083328] (20014)Internal error (specific information not available): [client 80.112.104.16:55422] AH01084: pass request body failed to [2604:a880:cad:d0::cf3:f001]:443 (demo.jellyfin.org)
[Tue May 11 22:27:42.124623 2021] [proxy:error] [pid 4153024:tid 140396758083328] [client 80.112.104.16:55422] AH00898: Error during SSL Handshake with remote server returned by /
[Tue May 11 22:27:42.124639 2021] [proxy_http:error] [pid 4153024:tid 140396758083328] [client 80.112.104.16:55422] AH01097: pass request body failed to [2604:a880:cad:d0::cf3:f001]:443 (demo.jellyfin.org) from 80.112.104.16 ()

WilcoVertegaal avatar May 11 '21 20:05 WilcoVertegaal

try this:

SSLProxyVerify none 
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

mono-of-pg avatar May 11 '21 20:05 mono-of-pg

@WilcoVertegaal another option would be to simulate the demo server's behavior regarding the ciphers. I'll try to create a configuration tomorrow.

mono-of-pg avatar May 11 '21 20:05 mono-of-pg

@mono-of-pg I think I'm a little out of my league here. The handshake is correct now, and the initial connection seems fine. But then the opening page forwards itself to ./web/index.html and somehow that ends up as the following URL:

https://jellyfin.wilcovertegaal.nl/stable/web/index.html

So https://jellyfin.wilcovertegaal.nl/ is mapped correctly to https://demo.jellyfin.org/stable/ but forwarding that to https://demo.jellyfin.org/stable/web/index.html ends up as https://jellyfin.wilcovertegaal.nl/stable/web/index.html in the browser address bar.

Tried to solve it with a RewriteRule, but no dice. Sorry.

WilcoVertegaal avatar May 12 '21 05:05 WilcoVertegaal

@WilcoVertegaal post your config here. Might be an issue with ProxyPass and ProxyPassReverse like not ending with a /

mono-of-pg avatar May 12 '21 06:05 mono-of-pg

@mono-of-pg this is my config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    Protocols h2 http/1.1
    ServerName jellyfin.wilcovertegaal.nl
    DocumentRoot /var/www/html/jellyfin/public_html

#    ProxyPreserveHost On
#    ProxyPass "/socket" "ws://127.0.0.1:8096/socket"
#    ProxyPassReverse "/socket" "ws://127.0.0.1:8096/socket"
#    ProxyPass "/" "http://127.0.0.1:8096/"
#    ProxyPassReverse "/" "http://127.0.0.1:8096/"
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass "/socket" "ws://demo.jellyfin.org/stable/socket"
    ProxyPassReverse "/socket" "ws://demo.jellyfin.org/stable/socket"
    ProxyPass "/" "https://demo.jellyfin.org/stable/"
    ProxyPassReverse "/" "https://demo.jellyfin.org/stable/"

    SSLCertificateFile /etc/letsencrypt/live/jellyfin.wilcovertegaal.nl/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jellyfin.wilcovertegaal.nl/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

WilcoVertegaal avatar May 12 '21 06:05 WilcoVertegaal

Try this @WilcoVertegaal:

        ProxyPass        /stable/socket   ws://demo.jellyfin.org/stable/socket
        ProxyPassReverse /stable/socket   ws://demo.jellyfin.org/stable/socket
        ProxyPassReverse /   https://demo.jellyfin.org/
        ProxyPass        /   https://demo.jellyfin.org/
        ProxyPassReverse /   https://demo.jellyfin.org/

You cannot reach 8096 on the demo server and also it's redirecting to /stable so you have to adapt.

mono-of-pg avatar May 12 '21 06:05 mono-of-pg

@mono-of-pg nailed it 🥇

With this configuration, my LG TV connects to the demo server and plays content without any problem. Connecting directly to https://demo.jellyfin.org/stable/ says something like "website not found".

WilcoVertegaal avatar May 12 '21 07:05 WilcoVertegaal

> @mono-of-pg nailed it 🥇
>
> With this configuration, my LG TV connects to the demo server and plays content without any problem. Connecting directly to https://demo.jellyfin.org/stable/ says something like "website not found".

That's awesome 👍

Now @WilcoVertegaal try this in your config:

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP:!AESCCM

It should make your proxy look more like the demo server and offer only the ciphers mentioned above.

If that fails we can be pretty sure we found the root cause of this issue.

mono-of-pg avatar May 12 '21 09:05 mono-of-pg
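
An added example, not part of the thread or of the Jellyfin project's code: it uses Python's `ssl` module to expand the two `SSLCipherSuite` strings posted above into the TLS 1.2 suites OpenSSL would actually enable, then picks a suite the way a server with `SSLHonorCipherOrder on` and an RSA certificate would. `LEGACY_CLIENT` is a constructed stand-in for a client without AES-256-GCM support, not a measured webOS handshake, and the function names are hypothetical.

```python
import ssl

# Cipher strings copied verbatim from the two posts in the thread.
BROAD = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:"
         "+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:"
         "!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP")
RESTRICTED = ("ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!RC4:"
              "!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP:!AESCCM")

# Constructed client offer (assumption): an older client that speaks TLS 1.2
# but only has AES-128-GCM and CBC suites. Replace with a captured ClientHello.
LEGACY_CLIENT = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA",
]


def tls12_suites(cipher_string):
    """Expand an OpenSSL cipher string into ordered suite names (TLS <= 1.2)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately from this string, so skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiate(server_string, client_offer, rsa_cert_only=True):
    """Return the first server-preferred suite the client offers, or None."""
    for name in tls12_suites(server_string):
        # A server holding only an RSA certificate cannot use ECDSA suites.
        if rsa_cert_only and "ECDSA" in name:
            continue
        if name in client_offer:
            return name
    return None  # no overlap: the handshake would fail


if __name__ == "__main__":
    for label, cipher_string in (("broad", BROAD), ("restricted", RESTRICTED)):
        suites = tls12_suites(cipher_string)
        print(label, len(suites), "suites ->", negotiate(cipher_string, LEGACY_CLIENT))
```

The suite lists reflect the local OpenSSL build, so run it on the proxy host itself to see what that Apache instance can offer.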