PDA

View Full Version : 500 SSL negotiation failed: (Rhapsody Error)



LeatherJack
2014-10-17, 02:48
Hi,
Started to get the above error yesterday when I try to access My Library on Napster/Rhapsody on Squeezebox.
Channels also failing, reporting: "Unable to retrieve track for channel"
Music Guide/Featured/Albums for you - 500 SSL error again
Music Guide/Featured/New Releases - works!
As does Playing Music Guide/Top Artists etc works.

Napster app on phone, My Music works works so does not look like a Napster problem.

Any help much appreciated.

Cheers,
LeatherOsprey

pippin
2014-10-17, 03:37
Yep, I thing that affects everyone.

Ikabob
2014-10-17, 04:57
Yes, I get the same "500 SSL negotiation failed" message. I cannot get to all my saved albums. I did an uninstall /install procedure with my Rhapsody account at mysqueezebox.com to no avail. Also, I cannot save new albums to to my music library at Rhapsody.
Is this a temporary issue with the Rhapsody App? I had many albums saved. Can they be retrieved ?
Thank you.

y360c
2014-10-17, 05:13
Is there anyone in Logitech still tracking' supporting and fixing such problems ?

mherger
2014-10-17, 05:14
I'll look into this asap. Are you guys Rhapsody or Napster users?

--

Michael

Ikabob
2014-10-17, 05:29
Thank you Michael. I am Rhapsody. In USA.

Curt962
2014-10-17, 05:36
Same Rhapsody issue here. The OP stated the problem precisely. Confirmed that the issue isn't isolated to any specific SB unit here at the house, as all units here display the same 500 SSL message.

Your Help is appreciated Michael!

Thanks

radish112
2014-10-17, 05:55
Michael,

I'm a Rhapsody subscriber, and I am experiencing the same "500 SSL Negotiation failed" issue that others have described.

Thanks for looking into this for us.

pippin
2014-10-17, 06:39
I've got a German Napster account, seeing the same thing.

mherger
2014-10-17, 07:13
> I've got a German Napster account, seeing the same thing.

Thanks. It's a change on their end which is causing this problem.
Anything which requires authentication seems to fail.

--

Michael

mherger
2014-10-17, 08:38
Ok, got some more information. And it's a little more complicated than I
though. There's a critical vulnerability in the SSL v3 protocol
("Poodle" -
https://blogs.akamai.com/2014/10/excerpt-how-poodle-happened.html).
Therefore Rhapsody's CDN changed their configuration, which causes the
failure. I'll have to see how we can work around this limitation.

--

Michael

logburner
2014-10-17, 09:13
I tried resetting Napster account and that got me to the password stage - but then the same error comes up - only free napster stuff is available...hope you cna fix this for us Michael

slimfast
2014-10-18, 09:06
Ok, got some more information. And it's a little more complicated than I
though. There's a critical vulnerability in the SSL v3 protocol
("Poodle" -
https://blogs.akamai.com/2014/10/excerpt-how-poodle-happened.html).
Therefore Rhapsody's CDN changed their configuration, which causes the
failure. I'll have to see how we can work around this limitation.

--

Michael

What they've likely done is disabled SSL v3 protocol which is the recommended 'fix' (the error is with the protocol being inherently vulnerable, that can't be patched), which I would assume is what the Squeezeboxes are using to make a secure connection. You'll have to go to using TLS on the Squeezebox end ...

pippin
2014-10-18, 13:32
It's not the Squeezeboxes but probably MzSqueezebox.com connecting through SSL/TLS. The Squeezeboxes don't support SSL :)

MeSue
2014-10-18, 22:09
Following

FredFredrickson
2014-10-19, 16:19
Same problem here, following thread.

heydrew
2014-10-19, 17:53
same issue for me. hoping there is a resolution! Rhapsody is the main reason I use the Squeezebox

LeatherJack
2014-10-20, 11:06
Thanks Michael - appreciate you looking into and trying to find a resolution to this.
And thanks to everyone providing more info into the thread.

I have Napster in the UK btw.

Will check back in soon.

MikeyE
2014-10-20, 13:30
I use Napster in the UK. I've got the same problem. Hope someone can get it resolved.

Chatts
2014-10-20, 13:56
Me to, Napster UK account

rcampbel3
2014-10-20, 18:27
Ok, got some more information. And it's a little more complicated than I
though. There's a critical vulnerability in the SSL v3 protocol
("Poodle" -
https://blogs.akamai.com/2014/10/excerpt-how-poodle-happened.html).
Therefore Rhapsody's CDN changed their configuration, which causes the
failure. I'll have to see how we can work around this limitation.

--

Michael

The response to POODLE vuln is generally dropping support for SSLv3 on servers and clients. It's 15 years old and has been recommended to be deprecated for a while now. So, anywhere in the squeezebox / LMS / Plugin code that uses SSL... it needs to be configured or set to be able to support TLS 1.0, 1.1, or 1.2, and any use of SSLv2 or SSLv3 should be removed. My guess is that there is a config option that needs to be changed in something like:
IO::Socket::SSL
http://search.cpan.org/~sullr/IO-Socket-SSL-2.000/lib/IO/Socket/SSL.pod#Common_Problems_with_SSL

SSL_version
Sets the version of the SSL protocol used to transmit data. 'SSLv23' uses a handshake compatible with SSL2.0, SSL3.0 and TLS1.x, while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict handshake and protocol to the specified version. All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires recent versions of Net::SSLeay and openssl.

Independent from the handshake format you can limit to set of accepted SSL versions by adding !version separated by ':'.

The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the handshake format is compatible to SSL2.0 and higher, but that the successful handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because both of these versions have serious security issues and should not be used anymore. You can also use !TLSv1_1 and !TLSv1_2 to disable TLS versions 1.1 and 1.2 while still allowing TLS version 1.0.

Setting the version instead to 'TLSv1' might break interaction with older clients, which need and SSL2.0 compatible handshake. On the other side some clients just close the connection when they receive a TLS version 1.1 request. In this case setting the version to 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2' might help.



or Net::SSLeay
http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod
Replace any SSLv2 or SSLv3 functions with TLSv1 equivalents.
Take note of security recommendations here: http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod#SECURITY

-Ross

Mnyb
2014-10-20, 21:16
The response to POODLE vuln is generally dropping support for SSLv3 on servers and clients. It's 15 years old and has been recommended to be deprecated for a while now. So, anywhere in the squeezebox / LMS / Plugin code that uses SSL... it needs to be configured or set to be able to support TLS 1.0, 1.1, or 1.2, and any use of SSLv2 or SSLv3 should be removed. My guess is that there is a config option that needs to be changed in something like:
IO::Socket::SSL
http://search.cpan.org/~sullr/IO-Socket-SSL-2.000/lib/IO/Socket/SSL.pod#Common_Problems_with_SSL

SSL_version
Sets the version of the SSL protocol used to transmit data. 'SSLv23' uses a handshake compatible with SSL2.0, SSL3.0 and TLS1.x, while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict handshake and protocol to the specified version. All values are case-insensitive. Instead of 'TLSv1_1' and 'TLSv1_2' one can also use 'TLSv11' and 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires recent versions of Net::SSLeay and openssl.

Independent from the handshake format you can limit to set of accepted SSL versions by adding !version separated by ':'.

The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the handshake format is compatible to SSL2.0 and higher, but that the successful handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because both of these versions have serious security issues and should not be used anymore. You can also use !TLSv1_1 and !TLSv1_2 to disable TLS versions 1.1 and 1.2 while still allowing TLS version 1.0.

Setting the version instead to 'TLSv1' might break interaction with older clients, which need and SSL2.0 compatible handshake. On the other side some clients just close the connection when they receive a TLS version 1.1 request. In this case setting the version to 'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2' might help.


or Net::SSLeay
http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod
Replace any SSLv2 or SSLv3 functions with TLSv1 equivalents.
Take note of security recommendations here: http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod#SECURITY

-Ross

A wild guess is that the snag will be in the players themself like 3 years ago .
Some services demands that the security is taking place inside the player .
https://github.com/Logitech/slimserver/tree/public/7.9/Firmware

mherger
2014-10-20, 21:40
> The response to POODLE vuln is generally dropping support for SSLv3 on
> servers and clients. It's 15 years old and has been recommended to be
> deprecated for a while now. So, anywhere in the squeezebox / LMS /
> Plugin code that uses SSL... it needs to be configured or set to be able
> to support TLS 1.0, 1.1, or 1.2, and any use of SSLv2 or SSLv3 should be
> removed. My guess is that there is a config option that needs to be
> changed in something like:
> IO::Socket::SSL
> http://search.cpan.org/~sullr/IO-Socket-SSL-2.000/lib/IO/Socket/SSL.pod#Common_Problems_with_SSL

Thanks for a good summary :-). Pretty much what I tried over the past
days. Unfortunately I still haven't figured it out.

> 'TLSv12'. Support for 'TLSv1_1' and 'TLSv1_2' requires recent versions
> of Net::SSLeay and openssl.

That's most likely what I have to investigate next. Make sure we run the
latest of everything.

--

Michael

DrewSB
2014-10-21, 03:37
Thank you Michael.

t-chok
2014-10-22, 05:52
Michael, thanks for your help with trying to fix this. About 75% of the usage I get from the squeezeboxes is for syncing Rhapsody throughout the house. Really appreciate your help in trying to fix the issue! :D

mherger
2014-10-22, 07:09
All - I've got something in place which seem to allow access to My
Library and Recommendations again. Could you please all give this a test
ride and let me know whether it's working for you, too?

Thanks!

--

Michael

Cryptor
2014-10-22, 08:51
All - I've got something in place which seem to allow access to My
Library and Recommendations again. Could you please all give this a test
ride and let me know whether it's working for you, too?

Thanks!

--

Michael

Michael, thanks for your help. What are the recommended changes?

skyfly
2014-10-22, 09:08
All - I've got something in place which seem to allow access to My
Library and Recommendations again. Could you please all give this a test
ride and let me know whether it's working for you, too?

Thanks!

--

Michael

I have a German account and it works great. Thanks Michael

radish112
2014-10-22, 11:03
Michael,

Access to my Rhapsody My Library is working like a charm for me.

Many thanks for your usual effective and efficient support.

Curt962
2014-10-22, 11:15
Michael!!!

Rhapsody funktioniert 100%!!

Soviel Danke aus den USA!

(My Grand-Daughters are coming over on Saturday, and if Grandpa doesn't have their Childrens Playlists ready to go.....I'm in Trouble!) ;)

Alles Klar!!

mirane
2014-10-22, 13:02
Thanks from Berlin-Germany

Vielen Dank,

Mirane

MikeyE
2014-10-22, 14:11
Thanks very much got sorting this one out. Much appreciated by myself and all my family using Napster on our squeezebox.

Ikabob
2014-10-22, 17:31
All - I've got something in place which seem to allow access to My
Library and Recommendations again. Could you please all give this a test
ride and let me know whether it's working for you, too?

Thanks!

--

Michael

Yes! All my saved albums are now there and Rhapsody seems to be fully functional again.
I don't know how you do it Michael but THANK YOU.
You seem to be there to help us 24/7.
From Ohio, USA.

BlackHog
2014-10-22, 22:22
Sorry to spoil the party ;-) - I was a happy user before tonight and started to see the exact error message this morning. So the change you applied seems to have helped a few affected but have broken things for others. Symptoms are the 500 SSL error message on playback for any title. Using Napster / Germany on my Squeezebox Touch and Squeezebox Radio. Any hints on this?

msdv
2014-10-22, 22:40
Sorry to spoil the party ;-) - I was a happy user before tonight and started to see the exact error message this morning. So the change you applied seems to have helped a few affected but have broken things for others. Symptoms are the 500 SSL error message on playback for any title. Using Napster / Germany on my Squeezebox Touch and Squeezebox Radio. Any hints on this?


Same here. Napster not working anymore - also Germany.

mherger
2014-10-22, 23:27
Thanks for all your feedback. I'm still working the details. There might
be another hiccup or two. Stay tuned!

--

Michael

ghostrider
2014-10-23, 05:36
I'm a Rhapsody user in the US. Before, every time I chose My Library, I got the 500 SSL message. Now I can get into My Library but if I choose an Artist or Playlist, I get the 500 SSL message. Still cannot play anything from Rhapsody.

mherger
2014-10-23, 05:48
> I'm a Rhapsody user in the US. Before, every time I chose My Library, I
> got the 500 SSL message. Now I can get into My Library but if I choose
> an Artist or Playlist, I get the 500 SSL message. Still cannot play
> anything from Rhapsody.

Does this happen when you select any Artist/Playlist, or only from your
library?

--

Michael

mherger
2014-10-23, 06:25
Could you please try again? It seems some of the servers actually hadn't
restarted their services. Thanks for the heads up!

--

Michael

ghostrider
2014-10-23, 06:36
> I'm a Rhapsody user in the US. Before, every time I chose My Library, I
> got the 500 SSL message. Now I can get into My Library but if I choose
> an Artist or Playlist, I get the 500 SSL message. Still cannot play
> anything from Rhapsody.

Does this happen when you select any Artist/Playlist, or only from your
library?

--

Michael

I can't play anything. I tried searching for artists and playing canned Rhapsody playlists that appear on the menus prior to selecting My Library. It loads the playlist or album and the first track of the playlist or album appears on the display but nothing happens. If I press play again, I get a flashing 500 SSL Negotiation Failed message, in small text that scrolls above the track information. I can scroll other tracks on the album or playlist but when I press play the 500 SSL message scrolls above the track information. The same behavior occurs when I try to play from albums or playlists in my library. The difference today is that I can actually get into my library although I can't play anything. Several days ago the 500 SSL message appeared when I chose My Library from the menu... I never could access my library before getting the failure message. Hope this makes sense.

ghostrider
2014-10-23, 06:43
Could you please try again? It seems some of the servers actually hadn't
restarted their services. Thanks for the heads up!

--

Michael

I removed power from my Boom and let it reconnect to my network and tried again. I still get the same failure, both on canned Rhapsody playlists and in my library. FYI, Pandora and Internet radio stations work fine, only Rhapsody fails. I am connected directly to MySB.com, not running my local server.

Thanks.

Curt962
2014-10-23, 06:45
Indeed, Exactly what GhostRider described.

Ach Ne!!! So ein Misst!

Thanks anyway Michael. We certainly appreciate your continued efforts to resolve this matter.

Best Regards,

ALL of Us.

mherger
2014-10-23, 06:56
> I removed power from my Boom and let it reconnect to my network and
> tried again. I still get the same failure, both on canned Rhapsody
> playlists and in my library.

Crap. Yes, I'm seeing the same. Now functionality which did work without
the change is broken. It still worked a few hours ago. Back to square
one, then.

--

Michael

axelander
2014-10-23, 07:54
Hi, same for me. Using Napster in Germany. After disconnecting and reconnection power SSL handshake fails.
Thanks for quick support and keeping on anyway, Michael!
Cheers, Axel

skyfly
2014-10-23, 08:00
Yesterday it works fine, but today Napster doesn't play anything.

bocaboy
2014-10-23, 08:48
> I've got a German Napster account, seeing the same thing.

Thanks. It's a change on their end which is causing this problem.
Anything which requires authentication seems to fail.

--

Michael

Just upgraded to Yosemite and solved the problem with the server not starting by updating the software, but now I can't get to Rhapsody. I'm getting a 500 SSL negotiation failed error. Is this only with Rhapsody and Logitech? Any workarounds?

skyfly
2014-10-23, 10:35
Now it works. German Account. Thanks Michael

mherger
2014-10-23, 11:44
> Now it works. German Account. Thanks Michael

Huh?!? Indeed... now that's very surprising, as I just got confirmation
that they applied more changes on their backend which broke the service
for us. Maybe they got too many complaints and reverted... I'll double
check with them.

--

Michael

mherger
2014-10-23, 11:49
Ok, just got the follow-up mail telling me that they were rolling back
previous changes. The service should be back for now. But that's only to
give us (and other partners) more time to prepare for the final change.

Enjoy as long as it lasts :-)

--

Michael

Curt962
2014-10-23, 13:43
Michael...

AUSGEZEICHNET!!!!!!!!!!

Alles Klar mit Rhapsody!

Thank You SO much!

Curt & Family.

y360c
2014-10-27, 16:05
Rhapsody are a bunch of incompetent fools. I've been a paying subscriber since 2005 and just canceled my subscription with them this week. This incident was the last straw for me. I did not realize how clunky their Windows client software was until I installed Spotify. It's also time to say goodbye to my 4 squeezeboxes, to be replaced by tablets. Logitech made a logical decision retiring from this business as times have changed and I'm not going to stick around for the mysb eventual shutdown.

MeSue
2014-10-28, 21:45
Just tried to play an album from Rhapsody. It played one song from the middle of the album and skipped the rest. Cued it up again and it played one different song, and skipped the rest. Is this part of this bugginess?

mherger
2014-10-28, 22:17
Hi MeSue,

unfortunately we're not fully done yet. We're rolling out changes right
now. They might be on some of the backend servers, but not all of them.
Load-balancers might be sending you to different backend servers.

--

Michael

t-chok
2014-10-31, 07:08
Hi there,

I'm now seeing a similar, but slightly different, error message when I try to access My Library in Rhapsody. The message is this: "500 Can't connect to direct.rhapsody.com: 443"

Is this part of the same issue being investigated previously in this thread?

Thanks a lot!

Tim

Tony T
2014-10-31, 07:09
The "500 SSL negotiation failed" was fixed for me 2 days ago, but today I'm getting "500 Can't connect to direct.rhapsody.com:443"

edit: Tim beat me to it :)

ghostrider
2014-10-31, 07:15
The "500 SSL negotiation failed" was fixed for me 2 days ago, but today I'm getting "500 Can't connect to direct.rhapsody.com:443"

edit: Tim beat me to it :)

Me too. Worked for several days but died this morning. :(

mherger
2014-10-31, 07:48
Thanks for the heads-up, guys! Are you in the US or EU?


Am 31.10.14 15:15, schrieb ghostrider:
>
> Tony T wrote:
>> The "500 SSL negotiation failed" was fixed for me 2 days ago, but today
>> I'm getting "500 Can't connect to direct.rhapsody.com:443"
>>
>> edit: Tim beat me to it :)
>
> Me too. Worked for several days but died this morning. :(
>
>
> ------------------------------------------------------------------------
> ghostrider's Profile: http://forums.slimdevices.com/member.php?userid=18959
> View this thread: http://forums.slimdevices.com/showthread.php?t=102304
>
>

ghostrider
2014-10-31, 08:05
thanks for the heads-up, guys! Are you in the us or eu?


Am 31.10.14 15:15, schrieb ghostrider:
>
> tony t wrote:
>> the "500 ssl negotiation failed" was fixed for me 2 days ago, but today
>> i'm getting "500 can't connect to direct.rhapsody.com:443"
>>
>> edit: Tim beat me to it :)
>
> me too. Worked for several days but died this morning. :(
>
>
> ------------------------------------------------------------------------
> ghostrider's profile: http://forums.slimdevices.com/member.php?userid=18959
> view this thread: http://forums.slimdevices.com/showthread.php?t=102304
>
>


us.

mherger
2014-10-31, 08:15
> us.

Do you still see this problem?

--

Michael

t-chok
2014-10-31, 08:22
Hi Michael,

I'm in the U.S. I just tried it again after your reply, and it is working again... I'm able to access My Library. Thanks a ton for your quick fix -- Much appreciated!!

Tim

mherger
2014-10-31, 08:32
> I'm in the U.S. I just tried it again after your reply, and it is
> working again... I'm able to access My Library.

Great! Thanks for the testing.

--

Michael

ghostrider
2014-10-31, 08:54
> us.

Do you still see this problem?

--

Michael

It's working now. :D

hejda
2014-10-31, 09:32
I am currently getting a very similar error message when trying to connect to Spotify from my Squeezebox radio in Europe:


500 Can't connect to 194.132.196.212:443 (certificate verify failed)

The problem started today - it was working fine yesterday. I've tried all the usual restarts/playing with plugins etc.

Seeing the problems above I wondered if it might be something similar. Even if it's not, any help would be appreciated :p

csccsc
2014-10-31, 10:11
I got this error on all of my 3 Squeezboxes (2 x Touch, 1 x Radio) with Spotify: "500 Can't connect to 194.132.198.244:443 (certificate verify failed)".
Just as I am typing this it started to work again.
Whoever did whatever to fix it - thx!

mherger
2014-10-31, 10:22
> Just as I am typing this it started to work again.

Thanks for the testing :-).

--

Michael

Tony T
2014-10-31, 10:45
Working (in the U.S.)
Thanks for the quick response :) :)

hejda
2014-10-31, 10:53
> Just as I am typing this it started to work again.

Thanks for the testing :-).

--

Michael

And it's working for me too.

Time taken: from finding the forum, registering, posting the problem to a solution - just over one hour.

Now that's what I call support. Thank you very much indeed!