HTTPS broken

plugin-dev

#1

HTTP.Request() to HTTPS URLs result into an error:

URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)>

Seems like this has been an outstanding issue for sometime which requires an update for the built-in Python to at least 2.7.9 (which was released in 2014).

https://forums.plex.tv/discussion/229031/outdated-ssl-python-handshake-errors
https://forums.plex.tv/discussion/248351/fix-for-sni-ssl
https://forums.plex.tv/discussion/222070/plex-official-channel-vice-ssl-error-on-featured-vice-news

Since more and more websites are migrating to HTTPS by default, I'd say this could be a deal breaker for many channel plugins for Plex. Does anyone know whether Plex has a plan to address this issue?


#2

Someone does, but, Plex company will likely never tell anyone until after they update. That could be today. That could be 10 years. That could be never.
I’ve suffered, and fortunately, got channel developers to do work-arounds, for several of the channels I use.
And, honestly, I’ve not seen your error, but, usually see another error.
Searching for “CERTIFICATE_VERIFY_FAILED” results in 44 posts.
It seems Plex has been ignoring the error for several years.
Scary thing… it even affected the ability of Plex to obtain metadata within some of their agents for several.


#3

See forums.plex.tv/discussion/290557/input-for-plex-player-app-pms-issues-with-plugin-framework


#4

Is anyone going to fix this?

This basically breaks all scanners or agents that need HTTPS. The SNI issue is at least 5 years old.


#5

@ddn - what’s your operating system?
I’ve not seen SSL error in quite sometime on my WIndows box (but that might be due to the workarounds)
Though Plex is still many versions behind, they’ve updated to Python 2.7.12 for Windows version of Plex sometime in the past year or two.
M:\Program Files (x86)\Plex\Plex Media Server>PlexScriptHost.exe --version
Python 2.7.12


#6

The machine is a bit older so it’s running OS X Sierra. I could update it to HS, but I don’t think it would make any difference in this.

From what I can tell, Plex is using the python with internal libraries that ship with it, that are super old including using urrlib2.

I did try installing a completely separate python with brew, but I couldn’t get plex to use the /usr/local/bin/python vs system-installed.


#7

Yeah, to follow up, @JamminR. I updated to High Sierra, and the system python isn’t even linked to OpenSSL, it’s LibreSSL 2.2.7 now. But the Plex scanning is still broken just the same. I’d be happy to be wrong, but I’m pretty sure this needs to be fixed in Plex’s libraries.


#8

I’ve never understood the error completely. I know it has something to do with new versions of Python/urllib trying to verify the security certificates (older versions of Python/urllib did not do this).
I only know of some workarounds.

  1. Do not verify certificates. A bit like how older Python versions worked:

Or:
2. Use external Python libraries


#9

@sander1 super helpful, thank you. Your guide to adding external libraries was perfect, and I was able to fix this scanner.

Ironically though, now all the metadata is correct but the artwork display, most likely because the Plex internals still use the libraries with broken SNI! :s

Same problem as your solution #1. It’s fine to not verify certificates, unless the server on the other end refuses to handshake if you don’t pass servername. So, basically, Plex still needs to fix this.


#10

@ddn Can I see your scanner and/or metadata code somewhere online? Or are we talking about the default Plex scanner(s) and agent(s)?


#11

@sander1 I ported the scanner code to requests, and now it works perfectly. You can see the original code here though https://github.com/mmmmmtasty/SportScanner

That said, it’s still fundamentally broken because Plex then internally tries to download the art that is on an HTTPS URL and fails.

i.e.: com.plexapp.system.log.3:URLError: urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)

This needs to be fixed in Plex, it’s ridiculous that it’s still broken many years after SNI was fixed in python.