Plexamp & TLS issues behind reverse proxy (Traefik)

Hello there

I’m running a Plex server on Docker, behind a Traefik reverse proxy.
Traefik is doing the HTTPS / SSL termination, and forwards traffic to Plex (…:443 → plex:32400).
Because IT security is a part of my daily job, Traefik is configured to enforce TLS 1.3 & secure ciphers.

Plex has worked flawlessly for years now, even with TLS 1.3 & those ciphers. All the browsers (Safari, Chrome, Chromium, Firefox), on different OSes (Debian, Ubuntu, Kali, macOS, Windows, iOS, Android) can connect and play videos. I used openssl s_client to check the SSL connection. The connection looks good, the ciphers look good, the SSL certificate looks good, and is valid. So, all fine.

However, today I thought I’d give Plexamp a try. Have a guess :slight_smile: Plexamp fails to connect to the server. The server is behind a NAT, yes. However, the Plex server is also remotely available via a custom hostname (behind the named Traefik proxy). I tried to connect Plexamp to Plex via direct network connection, via NAT (loopback / hairpin), and from WAN.

Plexamp won’t connect to my Plex server. As mentioned before, all other clients & OS will work, it’s just Plexamp. I think I pinned it down to the TLS connection, which actually points more to a client (Plexamp) issue, rather than a server issue. The only things I can think of now are:

  • Plexamp doesn’t properly support TLS 1.3 (which would be a bit of a shame & security issue in 2025)
  • Plexamp doesn’t support SNI and the proxy rejects because of strict SNI handling
  • Plexamp no longer uses HTTPS, or requests a different ALPN protocol

Is there anyone at Plex who can answer these questions? :slight_smile:

I can’t find anything useful in the logs, except for this:

May 09, 2025 00:53:51.196 [0x6daf3000] DEBUG - Networking: Completed request 41: (GET https://plex.example.net:443/) with code -35 (have 0 bytes) in 42 ms.
May 09, 2025 00:53:51.196 [Javascript] WARNING - DEVICE: Server connection https://plex.example.net:443 didn't work for example.net: HTTP status -35

Please note, example.net was redacted.

What does HTTP status -35 mean? Since -35 isn’t a valid HTTP status, I think this is coming from the layer underneath (networking). Does Plexamp leverage libcurl, and is this a libcurl error? In case it is libcurl or something similar, -35 can point to an SSL handshake error. Can I enable debugging for the networking module?

Btw. openssl s_client -connect, as well as curl, work flawlessly:

curl -I https://plex.example.net/web/index.html
HTTP/2 200
accept-ranges: bytes
cache-control: no-cache
content-type: text/html
date: Thu, 08 May 2025 23:35:33 GMT
x-plex-protocol: 1.0
content-length: 30234

Anyone there who can help me debug this properly?

I tried Plexamp on macOS and iOS. Both from LAN, NAT hairpin & via WAN. No success on either platform.

The issue is that Plexamp currently uses libcurl with Apple’s Secure Transport enabled, and that does not support TLS v1.3.

We will update it at some point to use OpenSSL instead.
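
For triaging this kind of failure from the client log, the following added example (not part of the original posts and not Plex code) parses the "Networking: Completed request" lines quoted in the question and names negative codes as libcurl CURLcode values. It assumes Plexamp logs the libcurl code negated, which the thread suggests but does not state; `triage`, `SAMPLE` and the constructed log lines are hypothetical.

```python
import re
from collections import defaultdict

# Subset of libcurl CURLcode values (curl.h) useful for connection triage.
CURLCODES = {
    6: "CURLE_COULDNT_RESOLVE_HOST",
    7: "CURLE_COULDNT_CONNECT",
    35: "CURLE_SSL_CONNECT_ERROR",
    60: "CURLE_PEER_FAILED_VERIFICATION",
}
TLS_CODES = {35, 60}

# Matches the "Networking: Completed request" line format quoted in the post.
REQUEST_RE = re.compile(
    r"Completed request \d+: \((?P<method>[A-Z]+) (?P<url>\S+)\) "
    r"with code (?P<code>-?\d+) \(have (?P<bytes>\d+) bytes\)"
)

def triage(lines):
    """Group failed requests by origin and name their negative codes.
    Assumption: a negative code is a negated libcurl CURLcode. Non-negative
    codes are ordinary HTTP statuses and are skipped.
    """
    findings = defaultdict(lambda: {"codes": set(), "count": 0, "tls": False})
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or int(m["code"]) >= 0:
            continue
        code = -int(m["code"])
        origin = re.match(r"https?://[^/]+", m["url"])
        entry = findings[origin.group(0) if origin else m["url"]]
        entry["count"] += 1
        entry["codes"].add(CURLCODES.get(code, f"unknown({code})"))
        # A TLS-class code with zero bytes received: the handshake never
        # completed, so the HTTP layer and Plex itself were never reached.
        if code in TLS_CODES and int(m["bytes"]) == 0:
            entry["tls"] = True
    return dict(findings)

# First line is from the post; the other two are constructed for the example.
SAMPLE = [
    "May 09, 2025 00:53:51.196 [0x6daf3000] DEBUG - Networking: Completed request 41: (GET https://plex.example.net:443/) with code -35 (have 0 bytes) in 42 ms.",
    "May 09, 2025 00:53:52.010 [0x6daf3000] DEBUG - Networking: Completed request 42: (GET https://192.0.2.10:32400/) with code 200 (have 512 bytes) in 12 ms.",
    "May 09, 2025 00:53:53.300 [0x6daf3000] DEBUG - Networking: Completed request 43: (GET https://plex.example.net:443/) with code -35 (have 0 bytes) in 40 ms.",
]

if __name__ == "__main__":
    for origin, info in triage(SAMPLE).items():
        print(origin, sorted(info["codes"]), info["count"], "TLS" if info["tls"] else "")
```

An origin flagged `tls` while `curl` and browsers connect to the same hostname points at the client's TLS stack rather than the proxy or certificate, which is what the reply above confirms.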


Damn Apple, huh? : )

Thanks for the fast, short and pretty accurate reply!
You sir, are a genius :slight_smile:

I renamed the forum thread, so that other people using Traefik, or any other reverse proxy with strong TLS ciphers / versions can find it.

For those using Traefik, I’ll leave this here: Downgrading to TLS 1.2 solved the issue for me. I had to update the dynamic Traefik config with the following mTLS option:

tls:
  options:

    default: &defaultOptions
      minVersion: VersionTLS13
      sniStrict: true
      curvePreferences:
        - X25519
        - CurveP256
        - CurveP384

    minTLS12:
      <<: *defaultOptions
      minVersion: VersionTLS12

Please note the &defaultOptions is a YAML anchor, because I didn’t want to specify the whole config for TLS 1.2 again. You can override the default to minVersion: VersionTLS12, but that will affect all services. Thus, I’ve created a new TLS option called minTLS12, which is then referenced by the service / container via label:

traefik.http.routers.plex.tls.options: "minTLS12@file"

Hope that helps somebody :slight_smile: Thanks @elan for the support.
