Server Version#: 1.19.4.2902
Player Version#: various

Plex apps on iOS, AppleTV (4k model, has latest updates) and Android just recently cannot connect to my Plex server.
( all on the same network)

Plex Version 1.19.4.2902
The Plex server is running on LinuxMint 18.3

Everything still worked through the browser, both on wireless and wired.

There were some TLS issues in the log:

Sep 29, 2021 20:19:48.853 [0x7f5fbbfff700] DEBUG - CERT: incomplete TLS handshake: stream truncated
Sep 29, 2021 20:19:48.870 [0x7f5fbb7fe700] DEBUG - CERT: incomplete TLS handshake: stream truncated
Sep 29, 2021 20:19:48.893 [0x7f5fbb7fe700] DEBUG - CERT: incomplete TLS handshake: stream truncated

Disabling secure connections in the Plex settings (just a troubleshooting step) allowed Plex to work on iOS, but not on AppleTV or Android

I then upgraded openssl and TLS on the Plex server to the latest versions possible via apt.

tls 1, 1_1 and 1_2 are working:

openssl s_client -connect cloudindevs.com:443 -tls1_2

CONNECTED(00000003)
140124385072792:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1633028633
Timeout : 7200 (sec)
Verify return code: 0 (ok)

###################################

Settings were set back to not allow insecure connections, and while iOS and Android apps worked for a bit, they have stopped working, AppleTV still cannot connect.

Here is where the AppleTV appears in the log (192.168.1.131)
The plex server is 192.168.1.84
192.168.1.208 is an iPad

Sep 30, 2021 12:14:06.150 [0x7f5f9effd700] DEBUG - NetworkServiceBrowser: PLAYER arrived: 192.168.1.131
Sep 30, 2021 12:14:09.956 [0x7f5fbbfff700] DEBUG - Completed: [192.168.1.84:57950] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (13 live) GZIP 20000ms 5 bytes (pipelined: 1)
Sep 30, 2021 12:14:09.992 [0x7f5fbb7fe700] DEBUG - Auth: authenticated user 1 as jkstill
Sep 30, 2021 12:14:09.992 [0x7f5fb9ffb700] DEBUG - Request: [192.168.1.84:57952 (Subnet)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (13 live) GZIP Signed-in Token (jkstill)
Sep 30, 2021 12:14:09.993 [0x7f5fb9ffb700] DEBUG - Content-Length is -1 (of total: -1).
Sep 30, 2021 12:14:21.283 [0x7f5fbb7fe700] DEBUG - Auth: authenticated user 1 as jkstill
Sep 30, 2021 12:14:21.283 [0x7f5fb9ffb700] DEBUG - Request: [192.168.1.208:55951 (Subnet)] GET /library/sections/1/all?excludeFields=summary&includeAdvanced=1&includeCollections=1&includeExternalMedia=1&includeMeta=1&sort=titleSort&type=1 (10 live) Page 100-129 GZIP Signed-in Token (jkstill)
Sep 30, 2021 12:14:21.284 [0x7f5fb9ffb700] ERROR - Unknown metadata type: folder
Sep 30, 2021 12:14:21.285 [0x7f5fb9ffb700] DEBUG - Setting container serialization range to [100, 129] (total=-1)
Sep 30, 2021 12:14:21.302 [0x7f5fb9ffb700] DEBUG - Setting container serialization range to [100, 129] (total=130)
Sep 30, 2021 12:14:21.305 [0x7f5fbb7fe700] DEBUG - Completed: [192.168.1.208:55951] 200 GET /library/sections/1/all?excludeFields=summary&includeAdvanced=1&includeCollections=1&includeExternalMedia=1&includeMeta=1&sort=titleSort&type=1 (10 live) GZIP Page 100-129 22ms 8597 bytes (pipelined: 1)
Sep 30, 2021 12:14:21.624 [0x7f5fbb7fe700] DEBUG - Auth: authenticated user 1 as jkstill
Sep 30, 2021 12:14:21.625 [0x7f5fb9ffb700] DEBUG - Request: [192.168.1.208:50562 (Subnet)] GET /media/providers (11 live) GZIP Signed-in Token (jkstill)
Sep 30, 2021 12:14:21.631 [0x7f5fbb7fe700] DEBUG - Completed: [192.168.1.208:50562] 200 GET /media/providers (11 live) GZIP 6ms 4874 bytes (pipelined: 1)
Sep 30, 2021 12:14:22.145 [0x7f5fbb7fe700] DEBUG - Auth: authenticated user 1 as jkstill
Sep 30, 2021 12:14:22.145 [0x7f5fb9ffb700] DEBUG - Request: [192.168.1.208:50562 (Subnet)] GET /media/providers (11 live) GZIP Signed-in Token (jkstill)
Sep 30, 2021 12:14:22.152 [0x7f5fbb7fe700] DEBUG - Completed: [192.168.1.208:50562] 200 GET /media/providers (11 live) GZIP 6ms 4874 bytes (pipelined: 2)
Sep 30, 2021 12:14:29.993 [0x7f5fbbfff700] DEBUG - Completed: [192.168.1.84:57952] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (5 live) GZIP 20000ms 5 bytes (pipelined: 1)
Sep 30, 2021 12:14:30.026 [0x7f5fbbfff700] DEBUG - Auth: authenticated user 1 as jkstill
Sep 30, 2021 12:14:30.026 [0x7f5fb9ffb700] DEBUG - Request: [192.168.1.84:57966 (Subnet)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (5 live) GZIP Signed-in Token (jkstill)
Sep 30, 2021 12:14:30.026 [0x7f5fb9ffb700] DEBUG - Content-Length is -1 (of total: -1).
Sep 30, 2021 12:14:31.721 [0x7f5fbb7fe700] DEBUG - handleStreamWrite code 32: Broken pipe
Sep 30, 2021 12:14:31.721 [0x7f5fbb7fe700] DEBUG - NotificationStream: Removing because of error
Sep 30, 2021 12:14:31.721 [0x7f5fbb7fe700] DEBUG - Completed after connection close: [192.168.1.208:55933] 200 GET /:/eventsource/notifications (5 live) GZIP 50001ms 112 bytes (pipelined: 1)
Sep 30, 2021 12:14:42.520 [0x7f5fbaffd700] DEBUG - NetworkInterface: received Netlink message len=64, type=RTM_NEWLINK, flags=0x0
Sep 30, 2021 12:14:42.520 [0x7f5fbaffd700] DEBUG - NetworkInterface: Netlink information message family=0, type=1, index=3, flags=0x11043, change=0x0
Sep 30, 2021 12:14:42.520 [0x7f5fbaffd700] DEBUG - Network change.
Sep 30, 2021 12:14:42.520 [0x7f5fbaffd700] DEBUG - NetworkInterface: Notified of network changed (force=0)
Sep 30, 2021 12:14:42.520 [0x7f5fbaffd700] DEBUG - Network change notification but nothing changed.

And now, I am seeing a lot of:

grep TLS plex-media-server.log | cut -d] -f2| sort | uniq -c

  1  DEBUG - CERT: incomplete TLS handshake: no shared cipher
 15  DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
498  DEBUG - CERT: incomplete TLS handshake: stream truncated

This just started the last day or 2 - any ideas?

I have not been able to find anything useful regarding this.

If you are using your own certificate, the PFX file must contain the Key, Cert, and at least the intermediate CA (for chain verification).

As exmple, I use pfSense which maintains its cert via ACME for Let’s Encrypt.

When I update the cert for Plex,

1. My domain key
2. My domain cert
3. The Let’s Encrypt CA my cert is based on. ( Acmecert_+O=Let's+Encrypt,+CN=R3,+C=US.crt)

Without that, Plex is going to have a fit with any cert you try to attach.
If you apply the cert to the host before attaching to Plex, it will likely give you the problems you’re seeing now.

Beyond this, I can’t be of any help. Certs are not my strong suit.

Thanks for the info, but I have not set up a separate key, it just uses the defaults.

It seems very odd to me that suddenly none of the players can connect to the server, and nothing was changed on the server.

Via the browser it all works as per normal.

Checking OS logs has not revealed anything useful either,

Upgrading the the latest version of the plex server fixed the problem.

Why I think it worked: I suspect the clients had recently updated, possibly due to security issues around ssl/tls.

The updated clients could not communicate with the old 1.19 server.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.