985 replies to this topic

[mx3L]

Indeed openssl is enabled, I'm looking at ffmpeg sources and I can see that they're forcing TLS 1.0.

Can you try this?

openssl s_client -tls1 -connect tvesyfy-vh.akamaihd.net:443

[ian1095]

root@vusolo2:~# openssl s_client -tls1 -connect tvesyfy-vh.akamaihd.net:443
CONNECTED(00000003)
2008360088:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3
_pkt.c:656:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1475396227
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
root@vusolo2:~#

 

[mx3L]

And this? If the output is the same as above no need to post it.

openssl s_client -tls1 -connect tvesyfy-vh.akamaihd.net:443 -servername tvesyfy-vh.akamaihd.net

[ian1095]

Quite different.

 

vusolo2 login: root
root@vusolo2:~# openssl s_client -tls1 -connect tvesyfy-vh.akamaihd.net:443 -ser
vername tvesyfy-vh.akamaihd.net
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
   i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon A
kamai SureServer CA G14-SHA1
 1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon A
kamai SureServer CA G14-SHA1
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust
 Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFvDCCBKSgAwIBAgIUQTL7SUBLnXtECDKfHlDrTVYNvGkwDQYJKoZIhvcNAQEF
BQAwgY0xCzAJBgNVBAYTAk5MMRIwEAYDVQQHEwlBbXN0ZXJkYW0xJTAjBgNVBAoT
HFZlcml6b24gRW50ZXJwcmlzZSBTb2x1dGlvbnMxEzARBgNVBAsTCkN5YmVydHJ1
c3QxLjAsBgNVBAMTJVZlcml6b24gQWthbWFpIFN1cmVTZXJ2ZXIgQ0EgRzE0LVNI
QTEwHhcNMTUxMjA4MTA1NTQ3WhcNMTYxMTA4MTA1NTQ0WjBtMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCTUExEjAQBgNVBAcTCUNhbWJyaWRnZTEhMB8GA1UEChMYQWth
bWFpIFRlY2hub2xvZ2llcyBJbmMuMRowGAYDVQQDExFhMjQ4LmUuYWthbWFpLm5l
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1ALpghaCfdv98u7MzZ
6wz8TMBh4pS5cl7MnFzqCNcP/OFCW4NDp83l8swiQra7b6hLGTJt0ROonXXIf2VS
RaiNfANMybgr7guyIL3cczv57JwEiSapdrZAcpsZc+VkKErsKv0rWNJRUrkCFVt8
D8KDD5NsfJSnQ8oUYM7namdWA0VJtKsW6pdYFCvxpkHoVF/fsHuH5+0rQ0+dhNSa
LZIuH+ggAO3rMZxUeMLfM2nidaZFjU0f4KHSc1BMXDxbkJZApM1h69qa3FmK1NOo
R4hAHPZAux3dI0FK+Xhj0tn6EtemYfMzzpCBMNFJof9L4MND+8IVfpvNO1bsNQA4
9nMCAwEAAaOCAjEwggItMAwGA1UdEwEB/wQCMAAwTAYDVR0gBEUwQzBBBgkrBgEE
AbE+ATIwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly9zZWN1cmUub21uaXJvb3QuY29t
L3JlcG9zaXRvcnkwga8GCCsGAQUFBwEBBIGiMIGfMC0GCCsGAQUFBzABhiFodHRw
Oi8vdmFzc2cxNDEub2NzcC5vbW5pcm9vdC5jb20wNgYIKwYBBQUHMAKGKmh0dHBz
Oi8vY2FjZXJ0LmEub21uaXJvb3QuY29tL3Zhc3NnMTQxLmNydDA2BggrBgEFBQcw
AoYqaHR0cHM6Ly9jYWNlcnQuYS5vbW5pcm9vdC5jb20vdmFzc2cxNDEuZGVyMG4G
A1UdEQRnMGWCEWEyNDguZS5ha2FtYWkubmV0gg4qLmFrYW1haWhkLm5ldIIWKi5h
a2FtYWloZC1zdGFnaW5nLm5ldIIPKi5ha2FtYWl6ZWQubmV0ghcqLmFrYW1haXpl
ZC1zdGFnaW5nLm5ldDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFN1sgHy6tTIXpYRBQPDSBGYTL6mQMD4G
A1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly92YXNzZzE0MS5jcmwub21uaXJvb3QuY29t
L3Zhc3NnMTQxLmNybDAdBgNVHQ4EFgQUDzGq0d/9Yyv03Tcdk5bYNGbS8JYwDQYJ
KoZIhvcNAQEFBQADggEBACNvA8YImMnTESlmpbLZxUNyk1wOXRx0/G7SMALTzrU/
6Nmo1gVIHvbpyMf9xcrEXxiG2wWTTRkVKPLB7IvWaUK+89gH8v0WokyTtvX8kDkY
muBI8u6esOKMpTr3MDRTJOjZ9lqjwOujrH8cUT6UHDwkFDDAcOEQS684u2azVWA5
hYniL9pmmSHt3Ji2lgCaYnZiwKa/g0KdNc5ezPgFB3oXLrQ7GG4zNG2lkuzQsO/l
isI0VmXwTqY6BscnMo3rUtTTJnHbJMOibhWtbfzrn8M0RajGBkULHl7U+Ud96Rig
jktY+1lsz1WoB/26st9KCGXo0gxpW6bw9rmZFyurb3M=
-----END CERTIFICATE-----
subject=/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
issuer=/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon
 Akamai SureServer CA G14-SHA1
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4513 bytes and written 365 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 53BD734F9A84E81A76605A5C3254AFC147C3965CFEBD343F5B442B8E24C6905D
    Session-ID-ctx:
    Master-Key: C687ACF7C097CDA4D154E06B8D36B030569FBE93040D2B6FC10FB0C3D5355284
1709EEBCB97E17E464E0912993F9B657
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 18 c9 31 70 34 61 21 eb-52 0c 6d 71 80 4b 1d 24   ..1p4a!.R.mq.K.$
    0010 - 5f c9 15 7a e7 e5 4a 7e-0f ff e4 4c 97 50 5f 7c   _..z..J~...L.P_|
    0020 - 91 ef e5 b2 6b 4d 5e ce-b1 39 41 52 8d 81 58 ea   ....kM^..9AR..X.
    0030 - 59 f5 04 00 9c a7 f1 24-25 86 08 c4 17 5f 9b 38   Y......$%...._.8
    0040 - 56 d8 31 29 6e bd a9 1a-02 7b e5 04 ad 9b f7 9c   V.1)n....{......
    0050 - 89 61 5a 42 89 ba bf 25-07 24 f1 b0 3d d7 bd e8   .aZB...%.$..=...
    0060 - 82 91 f4 f3 cc 7e 25 49-68 39 f9 48 64 b8 b3 5e   .....~%Ih9.Hd..^
    0070 - ca 7d db 78 6d d4 53 5a-d9 b8 21 ae d7 62 ec 2a   .}.xm.SZ..!..b.*
    0080 - ee 2b 83 56 12 ba b3 f4-8f 9b 09 bc 01 76 6c 7e   .+.V.........vl~
    0090 - 30 b9 f9 73 2a 01 5a fc-00 3e e4 05 f5 e1 36 f7   0..s*.Z..>....6.
    00a0 - 2a 51 1b 43 59 bd 85 d7-3f 02 d6 24 ab e8 80 1c   *Q.CY...?..$....

    Start Time: 1475397151
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed
root@vusolo2:~#

[mx3L]

Alright, I know how to fix the problem, will update serviceapp source soon.

 

This was the missing part:

 

SSL_set_tlsext_host_name uses the TLS SNI extension to set the hostname. If you are connecting to a Server Name Indication-aware server (such as Apache with name-based virtual hosts or IIS 8.0), then you will receive the proper certificate during the handshake.

[ian1095]

Awesome !

 

And quite amazing too.

 

Great Stuff

 

Ian.

[MastaG]

Thank you ian1095 and mx3L!

[WanWizard]

Just to add:

 

There is a no real SSL support in OpenPLi 4, and trusted CA certificates are not installed by default (they are in a separate package called "ca-certificates"). But even if you install that, it won't work properly since the version of OpenEmbedded used is broken at this point. For this reason SSL certificate validation is disabled in Python, so SSL websites can be accessed.

 

This has been adressed and recified in OpenPLi 5:

root@et10000:~# openssl s_client -tls1 -connect tvesyfy-vh.akamaihd.net:443 -servername tvesyfy-vh.akamaihd.net
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = NL, L = Amsterdam, O = Verizon Enterprise Solutions, OU = Cybertrust, CN = Verizon Akamai SureServer CA G14-SHA1
verify return:1
depth=0 C = US, ST = MA, L = Cambridge, O = Akamai Technologies Inc., CN = a248.e.akamai.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
   i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA1
 1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA1
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
issuer=/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA1
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4513 bytes and written 365 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: E23ED056B1D4A1D146EF9DEF90FEA7908F6E45F2A8B3CC0381914BCA13E0EF6D
    Session-ID-ctx:
    Master-Key: 6E26C6D931C996FED541D1BFCBDA8874156318DA98510DBF7E832FD09969F6CC34A17A44DA919DD87F878882EE9A0F67
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 18 c9 31 70 34 61 21 eb-52 0c 6d 71 80 4b 1d 24   ..1p4a!.R.mq.K.$
    0010 - 27 ef fd 54 80 eb 55 32-c4 be ad a8 29 f1 7a 9c   '..T..U2....).z.
    0020 - 85 48 de 78 1f 7a 33 94-b0 3f 04 94 6e 6e ac 13   .H.x.z3..?..nn..
    0030 - a3 f2 63 16 7b 4d e6 d7-29 9d 8e 29 a6 13 b4 49   ..c.{M..)..)...I
    0040 - fe 9a b3 1b a3 d7 71 67-f3 31 78 0f 7f 7c 1f d6   ......qg.1x..|..
    0050 - 0a 3c b6 12 36 ae d3 6e-8f b5 8a 47 a0 cc ab d8   .<..6..n...G....
    0060 - 79 79 8f db 87 77 06 63-2c 3f 29 50 ad 2b 24 b8   yy...w.c,?)P.+$.
    0070 - 9b bb e3 2b 6a b2 6f 41-26 44 24 73 34 e4 75 29   ...+j.oA&D$s4.u)
    0080 - 99 73 51 3c 35 a9 56 e5-47 72 3b e7 ae e0 e1 7a   .sQ<5.V.Gr;....z
    0090 - 73 b4 77 67 0d 44 63 27-d2 29 b3 5b 04 28 2c 01   s.wg.Dc'.).[.(,.
    00a0 - 61 8e 85 85 fa 5a e6 90-5d 8b 27 b0 a6 0b 53 1c   a....Z..].'...S.

    Start Time: 1475404170
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

[MastaG]

Well I did 'break' openembedded in my PLi4 builds, manually upgrading OpenSSL to 1.0.x and patching Python 2.7.3 for supporting it (disabling sslv2/v3).
Also I have upgraded ca-certificates as well and it's also installed by default now.

[fairbird]

@MastaG

My friend ..Can share your update please ?!

[MastaG]

Yes of course.
But you'll have to wait a bit.
I'm currently working on master-next.

I have to clean-up my old sources first before I can share it, so thats not in top of my list.

[jhonc]

hi

i have an issue  in latest image of mastag  with exteplayer playing somme streams :

1.http://origin-rtl-radio-stream.4mecloud.it/live-video/radiovisione/ngrp:radiovisione/playlist.m3u8 this stream is working good with gstplayer but with exteplayer3  the image has big macroblocks.

2.rtmp://46.249.95.140/live/livestream  ​this stream works in vlc player but not with exteplayer , 

also there are a few  rtmp stream that thosent work with exteplayer3 like this one rtmp://5.154.185.153/live/live  but in gstplayer are working.

​mx3L can you check and see if is somthing to do with this issue?

​thanks for great work.

Edited by jhonc, 2 October 2016 - 19:38.

[mx3L]

@ian1095 fix is in there

 

@jhonc

1. stream works normally with latest serviceapp

2. stream is not working in vlc, exteplayer3 or gstplayer

3. works with latest exteplayer3

[jhonc]

Thanks mx3L,

the second stream rtmp://46.249.95.140/live/livestream  works fine in latest version of vlc (2.2.4) for me, ex https://i.imgsafe.org/16562d73f2.jpg

we are waiting now for  MastaG suport.

thanks

[fairbird]

@MastaG

Oh...Great 

Then I will wait your's files to master-next.

 

Thank you

[samsamsam]

@jhonc

 

This link is working with exteplayer3 for me without any problems:

root@opticumtt:~# exteplayer3 rtmp://46.249.95.140/live/livestream

{"EPLAYER3_EXTENDED":{"version":29}}

file: [rtmp://46.249.95.140/live/livestream]

{"PLAYBACK_OPEN":{"OutputName":"Output", "file":"rtmp://46.249.95.140/live/livestream", "sts":0}}

{"OUTPUT_OPEN":{"sts":0}}

{"PLAYBACK_PLAY":{"sts":0}}

{"v_c":{"id":0,"e":"V_MPEG4/ISO/AVC","n":"und","w":720,"h":576,"f":25000,"p":-1,"an":0,"ad":1}}

{"a_l": [{"id":1,"e":"A_MP3","n":"und"}]}

{"a_c":{"id":1,"e":"A_MP3","n":"und"}}

{"s_l": []}

{"s_c":{"id":-1,"e":"","n":""}}

{"v_c":{"id":0,"e":"V_MPEG4/ISO/AVC","n":"und","w":720,"h":576,"f":25000,"p":1,"an":0,"ad":1}}

 

 

I am using ffmpeg libs:

 

root@opticumtt:~# ffmpeg -version

ffmpeg version 3.0 Copyright © 2000-2016 the FFmpeg developers

built with gcc 4.9.2 (GCC)

configuration: --sysroot=/mnt/new2/xspeedlx1/build-enviroment/builds/openatv/release/et4x00/tmp/sysroots/et4x00 --cross-prefix=mipsel-oe-linux- --prefix=/mnt/new2/_BRCM_/tmp/tmp/ffmpeg/tmp/ffmpeg-3.0/usr/ --enable-cross-compile --target-os=linux --arch=mipsel --disable-mipsdsp --disable-mipsdspr2 --disable-mipsfpu --enable-pic --enable-shared --disable-static --disable-debug --disable-ffplay --disable-ffprobe --disable-ffserver --disable-outdevs --disable-doc --disable-htmlpages --disable-manpages --disable-podpages --disable-txtpages --disable-lzma --enable-openssl --enable-zlib --enable-cross-compile --enable-small --disable-sdl --disable-xlib --disable-d3d11va --disable-dxva2 --disable-vaapi --disable-vda --disable-vdpau --enable-nonfree --extra-cflags=' ' --extra-ldflags=' '

libavutil      55. 17.103 / 55. 17.103

libavcodec     57. 24.102 / 57. 24.102

libavformat    57. 25.100 / 57. 25.100

libavdevice    57.  0.101 / 57.  0.101

libavfilter     6. 31.100 /  6. 31.100

libswscale      4.  0.100 /  4.  0.100

libswresample   2.  0.101 /  2.  0.101

Edited by samsamsam, 2 October 2016 - 23:00.

[mx3L]

@samsamsam

Hi,

Indeed it looks good currently is ffmpeg's rtmp only missing token parameter:

 

librtmp parameters - https://rtmpdump.mpl.../librtmp.3.html

ffmpeg rtmp parameters - https://ffmpeg.org/f...ocols.html#rtmp

[ian1095]

Thanks mx3L

 

I shall test and report back as soon as I'm able.

 

Ian.

 

@ian1095 fix is in there

 

[samsamsam]

@mx3L

 

As I understand you try this stream with exteplayer3 with ffmpeg compiled with librtmp and it does not work, but with ffmpeg with native implementation of rtmp protocol it works?

 

This stream uri does not need any parameters, so the parameters could not be a problem here.

 

Regards,

SSS

[mx3L]

Correct with librtmp it doesn't work.

 

I know it doesn't need any parameters.

 

I was adding to ffmpeg bitbake recipe librtmp support because ffmpeg's rtmp was missing option like "token".

But It looks like that ffmpeg's rtmp support is better than librtmp since you can play some streams which don't play with librtmp.

 

So I guess we shouldn't use librtmp, we just need to add parsing of librtmp options in exteplayer3, so transition is seamless.