Roon ARC fails due to SSL error

Rune_Engseth · August 1, 2023, 4:09pm

Roon Core Machine

Mac OSX Monterey
MacBook Pro Mid 2015
2,5 GHz 4 Intel Core i7
16 GB 1600 MHz DDR3

Networking Gear & Setup Details

Modem from ISP - Huawei HG8245H
Apple AirPort Extreme in Bridge mode
Using WIFI through apple router for core
No VPN

Description of Issue

New to Roon, trying to enable ARC.
I have enabled upnp

Upon testing to connection, I get the following error, which seems to indicate openssl error 70, which makes we suspect the client is using a not-supported protocol. (version conflicts?)

{

"ipv4_connectivity": {"status":"NetworkError","status_code":502,"error":"error: Error: write EPROTO 140073307170624:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1536:SSL alert number 70\n, response code: undefined, body: undefined"},

"external_ip": {"actual_external_ip":"178.aaa.bbb.ccc","actual_external_ipv6":"null","router_external_ip":"178.aaa.bbb.ccc"},

"natpmp_autoconfig": {"status":"NotFound"},

"upnp_autoconfig": {"server_ip":"192.168.100.1","found_upnp":true}

}

I also ran
openssl s_client -connect 192.168.100.13:55000 -tls1_2

which yielded

openssl s_client -connect 192.168.100.13:55000 -tls1_2
CONNECTED(00000003)
4733437612:error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 70
4733437612:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1690905814
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

so it seems to connect successfully, but somethings fishy with the certificates.

And when reading the last errormessage, you can see that it is libreSSL that is used, version 2.8, which I suspect is bundled with Mac OS?

Help appreciated to resolve this.

On a sidenote.
This is not exactly straight forward, and giving such problems to non-tech people probably causes a lot a frustrations. Only my two pennies worth…

Kjeld_Kerssemeeckers · August 2, 2023, 12:04pm

I can replicate the exact same error. I’m on Mac OS Ventura. However, there seems to be a workaround.

Press the “reset” next to the port number in Roon, and wait for the UI to come back with a new port number. E.g. 55002 in my case.
Test again on the new port number with openssl. See below.
Adjust your firewall setup to use the new port.
Test again in Roon. ARC should now work (did for me)

% openssl s_client -connect localhost:55002 -tls1_2
CONNECTED(00000005)
depth=0 C = US, ST = NY, L = NYC, O = Roon Labs LLC, CN = RoonBroker, emailAddress = support@roonlabs.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = NY, L = NYC, O = Roon Labs LLC, CN = RoonBroker, emailAddress = support@roonlabs.com
verify error:num=21:unable to verify the first certificate
verify return:1
write W BLOCK
---
Certificate chain
 0 s:/C=US/ST=NY/L=NYC/O=Roon Labs LLC/CN=RoonBroker/emailAddress=support@roonlabs.com
   i:/C=US/ST=NY/L=NYC/O=Roon Labs LLC/CN=RoonCA/emailAddress=support@roonlabs.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFzzCCA7egAwIBAgIUETWAxOBE89NJ3ch0YOFgwC1YKLAwDQYJKoZIhvcNAQEL
BQAwdjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQwwCgYDVQQHDANOWUMxFjAU
BgNVBAoMDVJvb24gTGFicyBMTEMxDzANBgNVBAMMBlJvb25DQTEjMCEGCSqGSIb3
DQEJARYUc3VwcG9ydEByb29ubGFicy5jb20wHhcNMjEwNDAxMTkyODI5WhcNMjMw
NzA1MTkyODI5WjB6MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTlkxDDAKBgNVBAcM
A05ZQzEWMBQGA1UECgwNUm9vbiBMYWJzIExMQzETMBEGA1UEAwwKUm9vbkJyb2tl
cjEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEByb29ubGFicy5jb20wggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQChzpfiSXX0yZz7DsEZj+soeQxNlskWmsBT
xDuC9bpcGdy7DoNfrCCC4T0rJAM4SIekvRcRyFNOfTLvwwge7KJHZ8pfdYmO2+ZN
QBqRCjoejKzLL4dw2jmX29wUtS0VGpxYXYFE7OVL3A5kokGLbgcCoo3SrW87CmZL
PexirblZ28t7frWNLVvlXOK+bQgo8QYKrRmrfy4AS2OXrIcB1wCdrZ62h6lpvSLJ
0VMoivSEXwjZ1YzJyGi2K1qVVU34Rwzb6SW+pr7IeI/bTPEzZ6Veg7T8guPVlf40
tGr2IWtp/+7N2+c47K9JIOgiqQ1Ia6Ov07pFiEwc39qv8E+QOXtL3toYBu6hrJRq
Kj7PEmeQNaKxMhtKUqDBDATw0yKt7DGxvxbk8AbktzOlGKxOzCXDYi/vinyh8FOv
rKGC0ubN8hNmm7vaxh0v7ryVJy4XG5k2z+wwQ/OtnTojUq1ZnBV4Bg+o3EI3UYTL
TvH3osu/t2lymn2cAm0dvOsordrn1B4mETN0yWvU81prPPbTdxFJ2tqWxWgllbk+
bbQYB2mmYGnjJ33jB5wwm/Isz7Fr28QxVL+d7wWHdGc9UreNGuAJvUalqQbsHbbX
utUhQdjRx8lYzEYsaOQ3mWnxb/QLCDRPkrcsmmHOWP2lLD8AuouzrtplgWkmmcMb
G313ReEGhQIDAQABo1EwTzAfBgNVHSMEGDAWgBRseS7Ry/2+yZ3QMNfYLesZADoC
pzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAUBgNVHREEDTALgglsb2NhbGhvc3Qw
DQYJKoZIhvcNAQELBQADggIBAHyOQNo0LCM9tth+38cZSQ2AyWwBSrnNxKTmzVXi
s+fv/aKqGk787ccxJMjOkxe/4Ih+jAdtkCvQ0a6VFG5W1WD3MbScuIAXBinSC000
WNJjl+cDYsYTG493XsF93Je22lEqrwdl665Vk46qepzNb0DQg1Fx2o7nQewNciui
y2vwPlCo8BGfQNpn1l/Q+AfrVwJFUtsEy7NBo24xCMQn/OS4/V68L2ZlbV6o9GoF
pO7IOtSxg2ef8h27v1jCryLaf9mNYuRdzN74gF5qrUylXpaQQwIO6JrsWmqiy/Pj
gg5dr6B5mQFjSLi4rSh2msRq9p8g4x1QXWVFRpKMRPZ+SSxO1fH/Hjke0gckBj2U
VRYikIaQX1mBSM7qQRAHwogGSW5RaHx6R65wQLwn8CBQYlpSlUTOaa1rByj6If/6
va1tm4d5Ti/zMyuTEauMBTrxVKsh398z3YdR8sQV3xzma4QsuuF2qa0/WcWhJvA5
SUuHgLgsWEAH+LNpsYAKGTRjFR7+Jcb226ZcuiVLXm2+CUvrvJU5SpqHQjfmdcS9
MB1FIWgvI9HZj2IN+uzxa3BYkdtRKQroKeSRVdienb+1K1H4L9G0wWot5g8uZR2O
kpgiomyq58SybMx7mElNV3pytvgJfO6cZm+plpyYnKhg0sx0By9zsPhbambaQqzu
9ty/
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=NYC/O=Roon Labs LLC/CN=RoonBroker/emailAddress=support@roonlabs.com
issuer=/C=US/ST=NY/L=NYC/O=Roon Labs LLC/CN=RoonCA/emailAddress=support@roonlabs.com
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2246 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D6AC96E02D05F99227FDE3B93A275DD9BD6F37806C9F36B41C46DCFB56A09015
    Session-ID-ctx: 
    Master-Key: 32A23AED0CC67B1D4DDDAE341798D5A5D775BEA58E415ABD4B0C0DDE9711D7B9B5F52B69889942BFEBD762BEC4ED848B
    Start Time: 1690977227
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Rune_Engseth · August 2, 2023, 2:25pm

This trick fixed it.
Did not have to go through the other steps
Thanks

Rune_Engseth · August 3, 2023, 7:57am

Just curious, what steps did you take to reproduce it?

Kjeld_Kerssemeeckers · August 4, 2023, 7:07am

I filled in a port number, let the ARC connection test fail, and then did the openssl test.
Just tried again, but now I can’t reproduce it anymore. Weird.

system · August 5, 2023, 7:08pm

This topic was automatically closed 36 hours after the last reply. New replies are no longer allowed.