
Using HTTPS streams

Hi all,

I'm currently trying to write a foobar plugin that connects to subsonic media servers (For those who don't know Subsonic: http://www.subsonic.org/).
For testing, I don't use subsonic itself, but another product (Ampache) which provides a subsonic compatible API.

The subsonic API is pretty simple. Just send some HTTP GET requests with certain parameters to the server and you will get XML back as the answer.
Using this API I'm currently able to get all Artists, Albums and Tracks from the server. But I had to reimplement WINHTTP to get that far.

During this development, I tried to use the integrated http_client to retrieve information from my "fake" subsonic server.
For security reasons my server only serves these pages using HTTPS (and self-signed certificates).

All requests have failed. I first thought it had something to do with proxy settings or with the self-signed certificate. But also without a proxy, and just querying www.google.com, I didn't get a proper response.

This leads me to the question: Does the integrated http_client support HTTPS? Am I missing something?
Because of that, I implemented HTTPS by using WINHTTP (I would really like to remove that part again, if possible).

The next question I have, what about https-streamed media?

To include some background: To retrieve media from subsonic, you call "rest/stream.view" with the id of the song you want to have.
Subsonic then sends the file as an HTTP stream. In my case the song is streamed using HTTPS.

Again I didn't find any solution on how to play the song, when it is streamed on https.
When trying to add an https URL to the playlist (programmatically or manually using File->Add Location), nothing happens.
So I guess HTTPS is also not working in this case.

Is there any (simple) solution to allow foobar to read https-streams?
I have already dug through the (poorly documented) SDK and read some code of other plugins. But I still have no idea how to start.

Do I have to implement input_singletrack_factory_t?
I don't want to add a new decoder, I just want to use some code to feed https to foobar ....

Does anyone have some suggestions for me?

Thanks!

Reply #2
Interesting...

So maybe it has something to do with self-signed certificates, and HTTPS itself is working (I'll verify that when I'm back home).
Sadly foobar does not log anything to the console or show a message why the URL could not be added. I can only guess...

Any idea on how to teach foobar to accept certain certificates? Are there any options in preferences I've missed?

Reply #3
OK, I can confirm: it works as long as you have "valid" certificates.
It does not work if you have either self-signed certificates or an https proxy which does "man-in-the-middle" (which means the proxy provides its own certificate, which is also not signed by a global authority).

Is there any way to accept self-signed certificates in foobar?

This would be the last step for me to get my plugin and setup working...

Reply #4
Try importing your self-generated CA certificate into Windows' trusted certificate store?

Reply #5
Already tried that yesterday.

I've imported the CA, so that every certificate signed by myself will be accepted.

Internet Explorer is now fine, and displays the page (and any subdomain signed by this CA) without any warnings.
foobar still doesn't accept my HTTPS urls.

I also tried to point directly to an mp3 file on my server, same result.
When using http foobar plays the file, when using https I see the modal loading dialog for about 1 second and then nothing happens.
Using the https url in IE or FF works.

Some more debug information would be helpful, but foobar does not provide any log statement (at least in console).
Is there any commandline switch or something to increase logging output?

Reply #6
Out of curiosity I tried the same thing and got the same result.
In my case, it was because of a certificate revocation check failure. CertVerifyRevocation() was failing with CRYPT_E_NO_REVOCATION_CHECK, meaning that the revocation check couldn't be performed for some reason.
Of course it can't, because the installed CA certificate was created by myself using OpenSSL, and I don't provide any CRL/OCSP or something.

I think it's too strict that fb2k always requires the certificate revocation check to be successful, considering browsers (IE, Chrome, Firefox) are happy with this setup.
Although CRYPT_E_REVOKED should be considered fatal, can't fb2k just ignore CRYPT_E_NO_REVOCATION_CHECK ?

In MSDN, it is written that IE performs a revocation check by default but ignores the error when it cannot complete the check (because that is so common due to network failures on the CA side or similar):
http://blogs.msdn.com/b/ieinternals/archiv...t-explorer.aspx

Reply #7
BTW if you want to test https, just create and use a proxy DLL of crypt32 where CertVerifyRevocation() always returns TRUE.

Reply #8
Nice find.

Maybe it is the same problem for me. I also don't provide any CRL/OCSP for revocation checking.

I understand what you mean by "proxy dll".

I don't have any idea on how to do/write that.
Also this feels like a dirty hack, so it may be ok for testing - but not in regular use.

So, as far as I see, there seems to be no way to change the SSL behavior of foobar from the outside (besides dirty tricks).

Is there any chance for a feature request to change that? How to do that?

I guess HTTPS with self-signed certificates isn't anything very unusual.
Also the mentioned thing about the CRL and self-signed certificates seems pretty common.

Reply #9
Quote
I understand what you mean by "proxy dll".

It's a DLL that works as a proxy for the original. This DLL has to export all the symbols provided by the original and used by the target application. Sometimes you might want to intercept some interesting functions or implement them on your own. Most of the time, you just forward the function calls to the original.
In this case, you have to implement CertVerifyRevocation() so that it always returns TRUE.

Quote
Also this feels like a dirty hack, so it may be ok for testing - but not in regular use.

Exactly, it's for testing only.

Reply #10
I tried that proxy-dll stuff, but I don't get this to work.
foobar always loads the system crypt32.dll instead of my own (I don't want to put my proxy-dll in system directory).

Never mind. I don't want to waste much time on this approach, as this would be only useful for testing.

Where do I have to ask for changing the behavior of foobar regarding self-signed certificates/missing CRLs?

Reply #11
The forum is the right place for reporting issues. This particular concern has been acknowledged and perhaps the next beta brings desired changes.

Reply #12
Have you tried adding your self-signed certificate to "trusted root authorities" and made sure it's signed for the right domain/subdomain and not expired? That, as far as I can tell, makes fb2k accept it.

Hooking system DLLs is plainly stupid, please don't.

For the next fb2k update I'll add a whitelist of internet addresses to suppress SSL certificate validity checks on so you should be able to get this working without installing certificates. However you lose connection authenticity validation this way, whatever good that does for you.

Reply #13
@Peter: Thanks for the change!

I don't want to do any DLL hooking stuff. I also think it is stupid, so this was no solution for me at all.

As said before, I already installed my CA as "trusted root authorities".
At least, Internet Explorer is now happy with all my self-signed certificates, but foobar is not.

I will double check that I've installed the CA properly when I'm back at home.

Again thanks for your help!

Reply #14
Version 1.3.9 beta 3 with the discussed change is up. Go to Preferences / Advanced / Networking to whitelist hosts.
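As an added illustration of the two mechanisms discussed in this thread (not foobar2000's code, and not posted by anyone above): a "soft-fail" chain policy of the kind Reply #6 asks for, which tolerates CRYPT_E_NO_REVOCATION_CHECK and CRYPT_E_REVOCATION_OFFLINE but rejects CRYPT_E_REVOKED and every other chain error, combined with a host whitelist that suppresses validation entirely, as the feature from Replies #12 and #14 does. The thread does not say how fb2k matches whitelist entries; the exact-host and one-label-wildcard semantics, the URL host extraction and the sample URLs below are assumptions made for this example. The HRESULT values are the real ones from winerror.h, spelled out so the code also builds off Windows.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// HRESULT values from the Windows SDK's winerror.h, written out as plain
// constants so the example compiles outside Windows as well.
constexpr uint32_t CHAIN_OK                    = 0x00000000u; // S_OK
constexpr uint32_t CRYPT_E_REVOKED             = 0x80092010u;
constexpr uint32_t CRYPT_E_NO_REVOCATION_CHECK = 0x80092012u;
constexpr uint32_t CRYPT_E_REVOCATION_OFFLINE  = 0x80092013u;
constexpr uint32_t CERT_E_UNTRUSTEDROOT        = 0x800B0109u;

enum class Verdict { Accept, Reject };

// Soft-fail revocation policy, the behaviour the thread attributes to IE:
// "the check could not be performed" is tolerated; "the certificate IS revoked"
// and every other chain error (untrusted root, wrong name, expired) are fatal.
Verdict chain_policy(uint32_t chain_status) {
    switch (chain_status) {
    case CHAIN_OK:
    case CRYPT_E_NO_REVOCATION_CHECK:  // chain carries no CRL/OCSP URL (e.g. a home-made OpenSSL CA)
    case CRYPT_E_REVOCATION_OFFLINE:   // CRL/OCSP endpoint exists but could not be reached
        return Verdict::Accept;
    default:                           // CRYPT_E_REVOKED, CERT_E_UNTRUSTEDROOT, CERT_E_CN_NO_MATCH, ...
        return Verdict::Reject;
    }
}

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Lower-cased host part of a URL: scheme, userinfo, port, path, query and
// fragment are stripped; an IPv6 literal is returned without its brackets.
std::string url_host(const std::string& url) {
    std::string s = url;
    auto p = s.find("://");
    if (p != std::string::npos) s.erase(0, p + 3);
    p = s.find_first_of("/?#");
    if (p != std::string::npos) s.erase(p);
    p = s.rfind('@');                   // userinfo, if any, precedes the host
    if (p != std::string::npos) s.erase(0, p + 1);
    if (!s.empty() && s[0] == '[') {    // [::1]:8443
        p = s.find(']');
        s = (p == std::string::npos) ? std::string() : s.substr(1, p - 1);
    } else {                            // host:8443
        p = s.find(':');
        if (p != std::string::npos) s.erase(p);
    }
    return lower(s);
}

// A whitelist entry is either an exact host ("music.example.org") or a
// one-label wildcard ("*.example.org" matches "a.example.org" but neither
// "example.org" nor "a.b.example.org"). Comparison is on whole labels: a naive
// substring test would let "music.example.org.attacker.net" pass as whitelisted.
bool entry_matches(const std::string& entry, const std::string& host) {
    const std::string e = lower(entry);
    if (e.rfind("*.", 0) == 0) {
        const std::string suffix = e.substr(1);             // ".example.org"
        if (host.size() <= suffix.size()) return false;
        if (host.compare(host.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
        const std::string label = host.substr(0, host.size() - suffix.size());
        return !label.empty() && label.find('.') == std::string::npos;
    }
    return e == host;
}

// Decision for one connection. A whitelisted host skips certificate validation
// entirely, which is the trade-off named in the thread: no authenticity for that
// host. Everything else goes through chain_policy().
Verdict decide(const std::string& url, uint32_t chain_status,
               const std::vector<std::string>& whitelist) {
    const std::string host = url_host(url);
    for (const auto& e : whitelist)
        if (entry_matches(e, host)) return Verdict::Accept;
    return chain_policy(chain_status);
}

int main() {
    // Constructed scenario: a private CA without CRL/OCSP and a look-alike host.
    const std::vector<std::string> whitelist = {"music.example.org"};
    struct Case { const char* url; uint32_t status; };
    const Case cases[] = {
        {"https://music.example.org:8443/rest/stream.view?id=7", CERT_E_UNTRUSTEDROOT},
        {"https://music.example.org.attacker.net/rest/stream.view", CERT_E_UNTRUSTEDROOT},
        {"https://cdn.example.net/track.mp3", CRYPT_E_NO_REVOCATION_CHECK},
        {"https://cdn.example.net/track.mp3", CRYPT_E_REVOKED},
    };
    for (const Case& c : cases)
        std::printf("%-58s -> %s\n", c.url,
                    decide(c.url, c.status, whitelist) == Verdict::Accept ? "accept" : "reject");
    return 0;
}
```

The point of the whole-label comparison in entry_matches() is the one thing a whitelist like this most often gets wrong: once a host is on the list, every certificate error for it is ignored, so the list must never match a host the user did not literally add.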

Reply #15
Thanks a lot, Peter.

I tested that feature; the certificate seems to be no issue anymore.
But it is still not working for me.

When adding a location from my server using "Add Location", I get an error (thanks for the new feature which shows the error instead of suppressing it):
Quote
The following error(s) occurred during loading of the location(s):
Invalid data, full line expected


I can remember that I had the same error when using the built-in http_client to retrieve answers from my subsonic server - that's why I have implemented WINHTTP myself.
Maybe this has something to do with the proxy I have at work (I hate that piece of crap). I'll try it again at home this evening.

If required, I can give you a URL to a sample file on my server (it's a "public" server, not a LAN server). Maybe this would be helpful for debugging...

Reply #16
Thanks for the report. I'll get subsonic installed within my own local net and get back to you when I've tested it.

Reply #17
No need to install Subsonic locally.

I retested the fix at home. It's working for me.

It seems that the problems I have at work are caused by the IronPort proxy.
This proxy does man-in-the-middle and also delivers its own certificate.
As I don't get any "security error" (which I get, when not adding my server to the white list), I guess it's something strange the proxy does.

How does foobar use the proxy settings provided?
I tried "use IE settings" and also tried to give the proxy manually. Both with the same result ("Invalid data, full line expected").
IE settings for me are somehow special. Proxy-settings are not entered manually in windows, and also WPAD (automatic proxy configuration over DHCP/DNS) is not used.
There is just a URL to a proxy.pac configured.

It may also explain why I can't get foobar's http_client to work. I get the same error as mentioned above.
Does foobar use winhttp internally?
Creating my own http client using 'winhttp' works for the REST-Api of subsonic. The hard part was to get the proxy stuff working.

If foobar also uses it, you may have a look at my implementation: https://github.com/hypfvieh/foo_subsonic/bl...plehttpclient.h
(Please be gentle with me, I'm not used to C++... And I know you can do it a lot better..)
