Samsung TV: Playback Fails with ECDSA Certificates

Samsung TV Plex App: Media Playback Fails with ECDSA Certificates due to Incompatible TLS Stack in Media Player Component

Platform: Samsung TV (QE55Q60TAUXZG), Plex App (latest available version)

Summary:
Video playback fails when the Plex server is served behind a reverse proxy using an ECDSA certificate. The Plex UI loads and responds normally, but initiating video playback results in a TLS handshake failure.

Steps to Reproduce:

  1. Configure reverse proxy with an ECDSA certificate (e.g. ECDHE-ECDSA-AES256-GCM-SHA384)
  2. Open Plex app on Samsung TV
  3. Browse library – works as expected
  4. Start video playback – fails immediately

Expected Behavior:
Video playback works regardless of the certificate type used on the server.

Actual Behavior:
TLS handshake fails with a fatal Handshake Failure alert during video stream initiation. TCPDump analysis confirms the media player component sends a Client Hello that contains no ECDSA-compatible cipher suites, making it incompatible with ECDSA certificates. Notably, the UI component of the app negotiates TLS successfully, suggesting the media player uses a separate, more restricted TLS stack.

Workaround:
Switching the server certificate to RSA (2048-bit) resolves the issue. All functionality works correctly with RSA.

Additional Notes:

  • The TLS failure occurs exclusively during media playback, not during UI/API requests
  • The Client Hello from the media player offers only RSA-based cipher suites
  • No ECDSA cipher suites (ECDHE-ECDSA-*) are present in the affected Client Hello
  • Media player identifies itself via User-Agent: SamsungDASH/2.0 (;;;;;) and samsung-agent/1.1, confirming it is a separate Samsung DASH player component with its own restricted TLS stack, independent of the Plex app UI

Appendix: TCPDump – Client Hello (anonymized)

Packet summary:

<client-ip> → <server-ip>  TLSv1.2  Client Hello (SNI=<redacted>)
<server-ip> → <client-ip>  TLSv1.2  Alert (Level: Fatal, Description: Handshake Failure)

Client Hello raw bytes (MAC addresses, IPs and SNI hostname redacted):

0000   xx xx xx xx xx xx xx xx xx xx xx xx 08 00 45 00   ..............E.
0010   01 1d 6d da 40 00 35 06 39 36 xx xx xx xx xx xx   ..m.@.5.96......
0020   xx xx 59 a0 01 bb 5c 1a 55 0f 1d 4f 1f ff 80 18   ..Y...\U..O.....
0030   00 e5 95 08 00 00 01 01 08 0a 00 45 38 e6 99 2b   ...........E8..+
0040   a9 dc 16 03 01 00 e4 01 00 00 e0 03 03 11 f8 a9   ................
0050   af 26 7d 5c 27 c7 6b 9f 53 16 40 29 bf b1 e1 63   .&}\'.k.S.@)...c
0060   02 1b 82 de 6c b1 78 70 53 06 28 e2 9e 00 00 38   ....l.xpS.(....8
0070   c0 30 c0 14 c0 0a 00 39 00 38 c0 0f c0 05 00 35   .0.....9.8.....5
0080   c0 2f c0 2b c0 13 c0 09 00 9e 00 33 00 32 00 9c   ./.+.......3.2..
0090   00 3c 00 2f c0 12 c0 08 00 16 00 13 c0 0d c0 03   .<./............
00a0   00 0a c0 11 c0 07 00 ff 01 00 00 7f 00 00 00 17   ................
00b0   00 15 00 00 12 xx xx xx xx xx xx xx xx xx xx xx   ................
00c0   xx xx xx xx xx xx xx xx 00 0b 00 04 03 00 01 02   ................
00d0   00 0a 00 1c 00 1a 00 17 00 19 00 1c 00 1b 00 18   ................
00e0   00 1a 00 16 00 0e 00 0d 00 0b 00 0c 00 09 00 0a   ................
00f0   00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02   .. .............
0100   05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01   ................
0110   02 02 02 03 00 0f 00 01 01 33 74 00 00 00 10 00   .........3t.....
0120   0b 00 09 08 68 74 74 70 2f 31 2e 31               ....http/1.1

Key observations from the Client Hello:

  • Cipher suites offered: c030 c014 c00a 0039 0038 c00f c005 0035 c02f c02b c013 c009 009e 0033 0032 009c 003c 002f c012 c008 0016 0013 c00d c003 000a c011 c007 00ff
  • No ECDHE-ECDSA-* cipher suites present – only ECDHE-RSA-* and legacy suites
  • ALPN: http/1.1 only (no h2)
  • SNI: present but redacted
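Added example (not part of the original post): a parser that pulls the cipher_suites list out of a ClientHello record and groups the IDs from the list above by key exchange and authentication type per the IANA TLS Cipher Suites registry, then checks what a server restricted to a given suite list could negotiate. The record is rebuilt with a zeroed random and no extensions; `build_client_hello`, `KX_AUTH` and the server allow-lists are constructed for illustration.

```python
import struct

# Key exchange/authentication per the IANA registry, for the IDs in the report plus 0xC02C.
KX_AUTH = {
    "ECDHE_ECDSA": {0xC007, 0xC008, 0xC009, 0xC00A, 0xC02B, 0xC02C},
    "ECDHE_RSA": {0xC011, 0xC012, 0xC013, 0xC014, 0xC02F, 0xC030},
    "ECDH_ECDSA": {0xC003, 0xC005}, "ECDH_RSA": {0xC00D, 0xC00F},
    "DHE_RSA": {0x0016, 0x0033, 0x0039, 0x009E}, "DHE_DSS": {0x0013, 0x0032, 0x0038},
    "RSA": {0x000A, 0x002F, 0x0035, 0x003C, 0x009C},
    "SCSV": {0x00FF},  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, a signalling value
}

# Cipher suite IDs copied from the report's "Cipher suites offered" line.
PAGE_SUITES = [int(x, 16) for x in (
    "c030 c014 c00a 0039 0038 c00f c005 0035 c02f c02b c013 c009 009e 0033 "
    "0032 009c 003c 002f c012 c008 0016 0013 c00d c003 000a c011 c007 00ff").split()]

def build_client_hello(suites):
    """Constructed sample: TLS 1.2 ClientHello record, zeroed random, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_cipher_suites(record):
    """Return the suite IDs, in client preference order, from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                  # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                # session_id length byte and value
    (n,) = struct.unpack_from("!H", record, pos)
    if n % 2 or pos + 2 + n > len(record):
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack_from("!%dH" % (n // 2), record, pos + 2))

def group_by_kx(suites):
    # Group offered IDs (as 4-digit hex) by key exchange/authentication, keeping offer order.
    out = {}
    for s in suites:
        kx = next((k for k, ids in KX_AUTH.items() if s in ids), "UNKNOWN")
        out.setdefault(kx, []).append(f"{s:04x}")
    return out

def negotiate(offered, server_allow):
    """First server-preferred suite the client also offered, or None (handshake_failure)."""
    return next((s for s in server_allow if s in offered), None)

if __name__ == "__main__":
    offered = parse_cipher_suites(build_client_hello(PAGE_SUITES))
    print(group_by_kx(offered), negotiate(offered, [0xC02C]))
```

Run against the list above, the ECDHE_ECDSA group contains c00a, c02b, c009, c008 and c007, while c02c (ECDHE-ECDSA-AES256-GCM-SHA384, the suite named in the reproduction steps) is not offered, so a server limited to that suite has nothing in common with this client.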

Since your TV is 6+ years old, maybe this:
On your PMS, is below checked?

AFAIR, the Plex app on the Tizen platform is not supplying any certificates.
It might not even be allowed to do that, due to platform restrictions.
Which means that any certs need to be supplied by the OS (i.e. Tizen and therefore Samsung).
Which in turn means if you use a new-ish cert which for some reason isn’t already trusted by your TV’s firmware, then you’ll have a hard time getting the TV to decrypt your secure packets.

@dane22 Yes, this does basically the same in Plex itself.

@OttoKerner Thanks for the input, but I think there’s a misunderstanding here.

This is not a certificate trust issue. The server certificate is issued by Let’s Encrypt and is fully trusted. The TV’s Plex UI connects successfully and validates the certificate without any problem.

The issue is specifically with the cipher suite negotiation during the TLS handshake. TCPDump analysis of the Client Hello sent by the Samsung DASH media player (SamsungDASH/2.0, samsung-agent/1.1) shows that it only offers RSA-based cipher suites (ECDHE-RSA-*). It offers zero ECDHE-ECDSA-* suites.

When the server presents an ECDSA certificate, there is no matching cipher suite on the client side, causing the server to respond with a fatal Handshake Failure alert – before any certificate validation even takes place.

Switching the server certificate from ECDSA to RSA resolves the issue immediately, which further confirms this is a cipher suite compatibility problem in the media player’s TLS stack, not a trust store or platform certificate restriction issue.

I acknowledge that it may not be clear whether this is a Plex or a Samsung responsibility. The restricted TLS stack could originate from the Tizen platform itself. However, it is ultimately Plex’s decision to integrate and ship this media player component within their app.

Plex depends on the platform it’s running on, and older platforms might not have support for all the newest and recommended suites, and the HW of the device may not be able to handle it.

As @OttoKerner said, Plex cannot update those, only use what’s available from the OS.

So as a workaround, Plex allows for the PMS to also use older versions, as I showed you, but doing so sadly leaves the PMS less secure.

A 6+ year old Smart-TV is IMHO old when we talk about the smart thing; heck, I would not run on a 6+ year old PC, which is more or less what the Smart-TV part is.

As such, you have the option to switch PMS into less secure mode, switch TV, or get a streaming device, like a Shield.

I personally recommend the last option.

Thanks for the responses. Just to clarify the intent of this post:

I already have a working workaround in place. This report is primarily meant as a heads-up to Plex and Samsung, and hopefully useful to others who run into the same issue.

What makes this particularly confusing from a user perspective: the Plex Web UI connects without any issue, while the media player built into the same app refuses to negotiate the connection. The root cause is that the two components are built on different underlying libraries with different TLS stacks. But from the outside, it looks like the same app behaving inconsistently.

I am also unsure whether this affects newer Samsung Smart TV models or only older firmware versions. If anyone with a newer TV can confirm or rule this out, that would be valuable additional data.

Hopefully this helps someone else who hits the same wall during troubleshooting.