Roon ARC fails due to SSL error

Roon Core Machine

Mac OSX Monterey
MacBook Pro Mid 2015
2,5 GHz 4 Intel Core i7
16 GB 1600 MHz DDR3

Networking Gear & Setup Details

Modem from ISP - Huawei HG8245H
Apple AirPort Extreme in Bridge mode
Using Wi-Fi through Apple router for core
No VPN

Description of Issue

New to Roon, trying to enable ARC.
I have enabled UPnP.

Upon testing the connection, I get the following error, which seems to indicate openssl error 70, which makes me suspect the client is using an unsupported protocol. (version conflicts?)

{
"ipv4_connectivity": {"status":"NetworkError","status_code":502,"error":"error: Error: write EPROTO 140073307170624:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1536:SSL alert number 70\n, response code: undefined, body: undefined"},
"external_ip": {"actual_external_ip":"178.aaa.bbb.ccc","actual_external_ipv6":"null","router_external_ip":"178.aaa.bbb.ccc"},
"natpmp_autoconfig": {"status":"NotFound"},
"upnp_autoconfig": {"server_ip":"192.168.100.1","found_upnp":true}
}

I also ran
openssl s_client -connect 192.168.100.13:55000 -tls1_2

which yielded

openssl s_client -connect 192.168.100.13:55000 -tls1_2
CONNECTED(00000003)
4733437612:error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 70
4733437612:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1690905814
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

So it seems to connect successfully, but something's fishy with the certificates.

And when reading the last error message, you can see that it is LibreSSL that is used, version 2.8, which I suspect is bundled with Mac OS?

Help appreciated to resolve this.

On a side note:
This is not exactly straightforward, and giving such problems to non-tech people probably causes a lot of frustration. Only my two pennies' worth…
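
An added example, not part of the original post: the failing s_client run above reports "read 7 bytes", which is the size of a single plaintext TLS alert record (5-byte header plus 2-byte body). The parser below decodes such a reply; the sample bytes are constructed for illustration (the record version field in particular is assumed), not captured from the poster's machine.

```python
import struct

# Subset of TLS alert descriptions (RFC 5246 / RFC 8446) seen in handshake failures.
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
          70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
LEVELS = {1: "warning", 2: "fatal"}


def parse_records(data: bytes):
    """Split raw bytes from a TLS peer into records; decode plaintext alerts."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError("not a TLS record (plaintext service on this port?)")
        body = data[offset + 5: offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        rec = {"type": CONTENT_TYPES[ctype], "record_version": (major, minor),
               "length": length}
        if ctype == 21 and length == 2:  # unencrypted alert: level + description
            rec["level"] = LEVELS.get(body[0], f"unknown({body[0]})")
            rec["alert"] = ALERTS.get(body[1], f"alert_{body[1]}")
        records.append(rec)
        offset += 5 + length
    return records


def diagnose(data: bytes) -> str:
    """Summarize what the server's first bytes say about the handshake."""
    records = parse_records(data)
    if not records:
        return "no data: connection closed before any TLS record"
    first = records[0]
    if first["type"] == "alert":
        return (f"{first.get('level')} alert {first.get('alert')}: "
                "server aborted before sending a certificate")
    if first["type"] == "handshake":
        return "handshake message received: server is negotiating"
    return f"unexpected first record: {first['type']}"


# Constructed sample: 7 bytes = header (15 03 03 00 02) + body (02 = fatal, 46 = 70).
SAMPLE_ALERT = bytes.fromhex("15030300020246")

if __name__ == "__main__":
    print(diagnose(SAMPLE_ALERT))
```

When the first record is an alert, no Certificate message was ever sent, so "no peer certificate available" follows from the aborted handshake.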

I can replicate the exact same error. I’m on Mac OS Ventura. However, there seems to be a workaround.

  • Press the “reset” next to the port number in Roon, and wait for the UI to come back with a new port number. E.g. 55002 in my case.
  • Test again on the new port number with openssl. See below.
  • Adjust your firewall setup to use the new port.
  • Test again in Roon. ARC should now work (did for me)

% openssl s_client -connect localhost:55002 -tls1_2
CONNECTED(00000005)
depth=0 C = US, ST = NY, L = NYC, O = Roon Labs LLC, CN = RoonBroker, emailAddress = support@roonlabs.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = NY, L = NYC, O = Roon Labs LLC, CN = RoonBroker, emailAddress = support@roonlabs.com
verify error:num=21:unable to verify the first certificate
verify return:1
write W BLOCK
---
Certificate chain
 0 s:/C=US/ST=NY/L=NYC/O=Roon Labs LLC/CN=RoonBroker/emailAddress=support@roonlabs.com
   i:/C=US/ST=NY/L=NYC/O=Roon Labs LLC/CN=RoonCA/emailAddress=support@roonlabs.com
---
Server certificate
subject=/C=US/ST=NY/L=NYC/O=Roon Labs LLC/CN=RoonBroker/emailAddress=support@roonlabs.com
issuer=/C=US/ST=NY/L=NYC/O=Roon Labs LLC/CN=RoonCA/emailAddress=support@roonlabs.com
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2246 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D6AC96E02D05F99227FDE3B93A275DD9BD6F37806C9F36B41C46DCFB56A09015
    Session-ID-ctx: 
    Master-Key: 32A23AED0CC67B1D4DDDAE341798D5A5D775BEA58E415ABD4B0C0DDE9711D7B9B5F52B69889942BFEBD762BEC4ED848B
    Start Time: 1690977227
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

This trick fixed it.
Did not have to go through the other steps.
Thanks

Just curious, what steps did you take to reproduce it?

I filled in a port number, let the ARC connection test fail, and then did the openssl test.
Just tried again, but now I can’t reproduce it anymore. Weird.
