WebHooks via HTTPS not working (SNI issue?)

Sonarr version 2.0.0.4323:
Mono version 4.0.4:
Mac OS X 10.11.6:
((Debug logs)):

16-9-12 22:07:40.6|Fatal|NzbDroneErrorPipeline|Request Failed

[v2.0.0.4323] System.Net.WebException: Error: SendFailure (Error writing headers) ---> System.Net.WebException: Error writing headers ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00013] in /private/tmp/source-mono-mac-4.0.0-bug-33585-hotfix/bockbuild-mono-4.0.0-branch/profiles/mono-mac-xamarin/build-root/mono-4.0.4/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:574 
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x000d0] in /private/tmp/source-mono-mac-4.0.0-bug-33585-hotfix/bockbuild-mono-4.0.0-branch/profiles/mono-mac-xamarin/build-root/mono-4.0.4/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:376 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00035] in /private/tmp/source-mono-mac-4.0.0-bug-33585-hotfix/bockbuild-mono-4.0.0-branch/profiles/mono-mac-xamarin/build-root/mono-4.0.4/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslClientStream.cs:425 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x0000c] in /private/tmp/source-mono-mac-4.0.0-bug-33585-hotfix/bockbuild-mono-4.0.0-branch/profiles/mono-mac-xamarin/build-root/mono-4.0.4/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslStreamBase.cs:99 
  --- End of inner exception stack trace ---
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetRequestStream (IAsyncResult asyncResult) [0x00045] in /private/tmp/source-mono-mac-4.0.0-bug-33585-hotfix/bockbuild-mono-4.0.0-branch/profiles/mono-mac-xamarin/build-root/mono-4.0.4/mcs/class/System/System.Net/HttpWebRequest.cs:829 
  at System.Net.HttpWebRequest.GetRequestStream () [0x00057] in /private/tmp/source-mono-mac-4.0.0-bug-33585-hotfix/bockbuild-mono-4.0.0-branch/profiles/mono-mac-xamarin/build-root/mono-4.0.4/mcs/class/System/System.Net/HttpWebRequest.cs:845 
  at RestSharp.Http.WriteRequestBody (System.Net.HttpWebRequest webRequest) [0x00000] in <filename unknown>:0 
  at RestSharp.Http.PostPutInternal (System.String method) [0x00000] in <filename unknown>:0 
  at RestSharp.Http.AsPost (System.String httpMethod) [0x00000] in <filename unknown>:0 
  at RestSharp.RestClient.DoExecuteAsPost (IHttp http, System.String method) [0x00000] in <filename unknown>:0 
  at RestSharp.RestClient.Execute (IRestRequest request, System.String httpMethod, System.Func`3 getResponse) [0x00000] in <filename unknown>:0 

Description of issue:

Sonarr throws the above exception when trying to call a WebHook via HTTPS (I’m trying to connect it to a Huginn install).

The server in question has Huginn reverse proxied behind nginx 1.11.1 with the following SSL options:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

The SSL certificate is from Let’s Encrypt and was issued on 9th September.

The WebHook works perfectly with Sonarr via HTTP, just not HTTPS.

Other programs, like cURL or Paw.app (and other native Mac applications) can call the WebHook just fine. ssllabs.com also tells me that nginx is set up quite correctly (and indeed, I haven’t had any issues with any other software connecting to the server).

I’m afraid I’m completely clueless when it comes to C# and mono :confused:

My (mostly baseless) assumption is that mono doesn’t support SNI? Sonarr doesn’t appear to have any problems connecting to other HTTPS URLs.

Does anyone know what the problem is? Do I need to enable a different cipher? I’d really like to use HTTPS.

mono doesn’t support a whole lot of strong ciphers, such as EC (Elliptic Curve). Sonarr does try to fall back to libcurl however.
You should enable trace level logs, restart sonarr (don’t forget that), and retry. The logs will contain it’s attempt to load libcurl.
Alternative would be to be a little bit less strict on your ssl_ciphers.

1 Like

Thanks for the reply.

Oops, that’s why I wasn’t getting the log messages.

I’ve done a bit of testing this morning. If I tell Sonarr to pull an RSS feed from the server, it works as you describe. I see a “TLS error, trying curl fallback” message, and the request succeeds.

In the case of a webhook, however, there’s no fallback message, just a straight exception (as above) and the request fails.

Ah, yeah, right, coz webhook/connect still uses another http client that doesn’t fall back. @markus101!

1 Like

Ahh right, time to convert notifications.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.