ERROR: [tls @ 0x7f4e51cc4080] error:00000000:lib(0):func(0):reason(0) about static-ffmpeg HOT 14 CLOSED

Did figure what was the problem?

from static-ffmpeg.

Hello, that is strange. The same command seems to work for me. Could there be some proxy in between etc?

Maybe try running with -v trace or if possible try with curl or openssl s_client -connect d1ig0cm8p7wvah.cloudfront.net:443 from the host or from within a container and see what happens.

$ docker run --entrypoint /ffprobe mwader/static-ffmpeg:4.4.0 -show_packets -read_intervals %+5 -print_format json -i https://d1ig0cm8p7wvah.cloudfront.net/out/v1/540579958c1e4bebb276595a7f8cb23e/index.m3u8
ffprobe version 4.4 Copyright (c) 2007-2021 the FFmpeg developers
  built with gcc 10.2.1 (Alpine 10.2.1_pre1) 20201203
  configuration: --pkg-config-flags=--static --extra-cflags=-fopenmp --extra-ldflags=-fopenmp --extra-libs=-lstdc++ --toolchain=hardened --disable-debug --disable-shared --disable-ffplay --enable-static --enable-gpl --enable-gray --enable-nonfree --enable-openssl --enable-iconv --enable-libxml2 --enable-libmp3lame --enable-libfdk-aac --enable-libvorbis --enable-libopus --enable-libtheora --enable-libvpx --enable-libx264 --enable-libx265 --enable-libwebp --enable-libspeex --enable-libaom --enable-libvidstab --enable-libkvazaar --enable-libfreetype --enable-fontconfig --enable-libfribidi --enable-libass --enable-libzimg --enable-libsoxr --enable-libopenjpeg --enable-libdav1d --enable-libxvid --enable-librav1e --enable-libsrt --enable-libsvtav1 --enable-libdavs2 --enable-libxavs2 --enable-libvmaf
  libavutil      56. 70.100 / 56. 70.100
  libavcodec     58.134.100 / 58.134.100
  libavformat    58. 76.100 / 58. 76.100
  libavdevice    58. 13.100 / 58. 13.100
  libavfilter     7.110.100 /  7.110.100
{
  libswscale      5.  9.100 /  5.  9.100
  libswresample   3.  9.100 /  3.  9.100
  libpostproc    55.  9.100 / 55.  9.100
[hls @ 0x7ff78b683080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x7ff78b683080] Skip ('#EXT-X-INDEPENDENT-SEGMENTS')
[hls @ 0x7ff78b683080] Opening 'https://d1ig0cm8p7wvah.cloudfront.net/out/v1/540579958c1e4bebb276595a7f8cb23e/index_1.m3u8' for reading
[hls @ 0x7ff78b683080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x7ff78b683080] Skip ('#EXT-X-DISCONTINUITY-SEQUENCE:2')
[hls @ 0x7ff78b683080] Skip ('#EXT-X-DISCONTINUITY')
[hls @ 0x7ff78b683080] Opening 'https://d1ig0cm8p7wvah.cloudfront.net/out/v1/540579958c1e4bebb276595a7f8cb23e/index_1_33.ts?m=1629776364' for reading
[hls @ 0x7ff78b683080] Opening 'https://d1ig0cm8p7wvah.cloudfront.net/out/v1/540579958c1e4bebb276595a7f8cb23e/index_1_34.ts?m=1629776364' for reading
Input #0, hls, from 'https://d1ig0cm8p7wvah.cloudfront.net/out/v1/540579958c1e4bebb276595a7f8cb23e/index.m3u8':
  Duration: 00:00:30.00, start: 70.369333, bitrate: 0 kb/s
  Program 0
    Metadata:
      variant_bitrate : 1818044
  Stream #0:0: Video: h264 (Main) ([27][0][0][0] / 0x001B), yuv420p(tv, bt470bg/unknown/unknown), 640x480 [SAR 4:3 DAR 16:9], 30 fps, 30 tbr, 90k tbn, 60 tbc
    Metadata:
      variant_bitrate : 1818044
  Stream #0:1: Audio: aac (LC) ([15][0][0][0] / 0x000F), 48000 Hz, stereo, fltp
    Metadata:
      variant_bitrate : 1818044
  Stream #0:2: Data: scte_35
    Metadata:
      variant_bitrate : 1818044
  Stream #0:3: Data: timed_id3 (ID3  / 0x20334449)
    Metadata:
      variant_bitrate : 1818044
    "packets": [
        {
            "codec_type": "video",
            "stream_index": 0,
            "pts": 6333240,
            "pts_time": "70.369333",
            "dts": 6327240,
            "dts_time": "70.302667",
            "size": "37703",
            "pos": "376",
            "flags": "K_",
            "side_data_list": [
                {
                    "side_data_type": "MPEGTS Stream ID"
                }
            ]
        },
        {
...

from static-ffmpeg.

It probably related to the 'x-amz-cf-pop'(the value is region) in the header of url. The error appears when x-amz-cf-pop is SIN52-C2, and now the x-amz-cf-pop is HKG60-C1.

from static-ffmpeg.

Here is the failed trace info. But version 3.4.2 can work the same time.

[rokey.luo@rokey ~ % docker run -v /Users/rokey.luo/code/wpm/wpm-pdv:/wpm-pdv -w /wpm-pdv --entrypoint /ffprobe mwader/static-ffmpeg:4.4.0 -v trace -show_packets -read_intervals %+5 -print_format json -i https://d1ig0cm8p7wvah.cloudfront.net/out/v1/540579958c1e4bebb276595a7f8cb23e/index.m3u8 > output
ffprobe version 4.4 Copyright (c) 2007-2021 the FFmpeg developers
built with gcc 10.2.1 (Alpine 10.2.1_pre1) 20201203
configuration: --pkg-config-flags=--static --extra-cflags=-fopenmp --extra-ldflags=-fopenmp --extra-libs=-lstdc++ --toolchain=hardened --disable-debug --disable-shared --disable-ffplay --enable-static --enable-gpl --enable-gray --enable-nonfree --enable-openssl --enable-iconv --enable-libxml2 --enable-libmp3lame --enable-libfdk-aac --enable-libvorbis --enable-libopus --enable-libtheora --enable-libvpx --enable-libx264 --enable-libx265 --enable-libwebp --enable-libspeex --enable-libaom --enable-libvidstab --enable-libkvazaar --enable-libfreetype --enable-fontconfig --enable-libfribidi --enable-libass --enable-libzimg --enable-libsoxr --enable-libopenjpeg --enable-libdav1d --enable-libxvid --enable-librav1e --enable-libsrt --enable-libsvtav1 --enable-libdavs2 --enable-libxavs2 --enable-libvmaf
libavutil 56. 70.100 / 56. 70.100
libavcodec 58.134.100 / 58.134.100
libavformat 58. 76.100 / 58. 76.100
libavdevice 58. 13.100 / 58. 13.100
libavfilter 7.110.100 / 7.110.100
libswscale 5. 9.100 / 5. 9.100
libswresample 3. 9.100 / 3. 9.100
libpostproc 55. 9.100 / 55. 9.100
Parsed log interval id:0 start:N/A end:+5
[NULL @ 0x7fa2d0e85080] Opening 'https://d1ig0cm8p7wvah.cloudfront.net/out/v1/540579958c1e4bebb276595a7f8cb23e/index.m3u8' for reading
[https @ 0x7fa2d0e85940] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x7fa2d0e84180] Original list of addresses:
[tcp @ 0x7fa2d0e84180] Address 13.224.250.94 port 443
[tcp @ 0x7fa2d0e84180] Address 13.224.250.101 port 443
[tcp @ 0x7fa2d0e84180] Address 13.224.250.188 port 443
[tcp @ 0x7fa2d0e84180] Address 13.224.250.199 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:3000:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:9a00:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:5a00:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:5c00:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:8a00:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:b200:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:c200:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:9200:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Interleaved list of addresses:
[tcp @ 0x7fa2d0e84180] Address 13.224.250.94 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:3000:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 13.224.250.101 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:9a00:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 13.224.250.188 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:5a00:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 13.224.250.199 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:5c00:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:8a00:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:b200:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:c200:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Address 2600:9000:21b4:9200:12:60b4:5a40:21 port 443
[tcp @ 0x7fa2d0e84180] Starting connection attempt to 13.224.250.94 port 443
[tcp @ 0x7fa2d0e84180] Successfully connected to 13.224.250.94 port 443
[https @ 0x7fa2d0e85940] request: GET /out/v1/540579958c1e4bebb276595a7f8cb23e/index.m3u8 HTTP/1.1
User-Agent: Lavf/58.76.100
Accept: /
Range: bytes=0-
Connection: close
Host: d1ig0cm8p7wvah.cloudfront.net
Icy-MetaData: 1

[tls @ 0x7fa2d0e84080] error:00000000:lib(0):func(0):reason(0)
https://d1ig0cm8p7wvah.cloudfront.net/out/v1/540579958c1e4bebb276595a7f8cb23e/index.m3u8: I/O error

from static-ffmpeg.

You mean static-ffmpeg 3.4.2? Could you try using docker image alpine:3.14.1 and test curl or openssl s_client? that is what static-ffmpeg is based so should have the same certificates and openssl version etc

from static-ffmpeg.

Indeed, I have tried docker image alpine:3.14.1 and curl, it may fail sometimes.

/ # curl https://d1ig0cm8p7wvah.cloudfront.net/out/v1/540579958c1e4bebb276595a7f8cb23e/index.m3u8
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
/ # curl https://d1ig0cm8p7wvah.cloudfront.net/out/v1/540579958c1e4bebb276595a7f8cb23e/index.m3u8 -v

• Trying 13.224.250.188:443...
• Connected to d1ig0cm8p7wvah.cloudfront.net (13.224.250.188) port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: /etc/ssl/certs/ca-certificates.crt
• CApath: none
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (OUT), TLS alert, unknown CA (560):
• SSL certificate problem: self signed certificate in certificate chain
• Closing connection 0
  curl: (60) SSL certificate problem: self signed certificate in certificate chain
  More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

from static-ffmpeg.

Ok that might be a hint, strangely i think ffmpeg default configures it's TLS implementations to not verify, and you have to use -tls_verify 1 -ca_file /path/to/cert.pem to make it do it, but it could have changed? how does curl react if you use --insecure does it also fail with IO error after sending the request?

from static-ffmpeg.

I just tried curl --insecure and returns 'Empty reply', it seems that the content can't be got under insecure mode..
But content could be got in successful situation.
So what is the difference about alpine, between static-ffmpeg 3.4.2 with static-ffmpeg 4.4.0?

/ # curl https://d1ig0cm8p7wvah.cloudfront.net/out/v1/540579958c1e4bebb276595a7f8cb23e/index.m3u8 -v --insecure

• Trying 13.224.250.101:443...
• Connected to d1ig0cm8p7wvah.cloudfront.net (13.224.250.101) port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: /etc/ssl/certs/ca-certificates.crt
• CApath: none
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
• TLSv1.3 (IN), TLS handshake, Finished (20):
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (OUT), TLS handshake, Finished (20):
• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
• ALPN, server did not agree to a protocol
• Server certificate:
• subject: CN=d1ig0cm8p7wvah.cloudfront.net
• start date: Aug 18 09:25:58 2021 GMT
• expire date: Oct 20 09:25:58 2021 GMT
• issuer: CN=Cato Networks server shectcatod2
• SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

GET /out/v1/540579958c1e4bebb276595a7f8cb23e/index.m3u8 HTTP/1.1
Host: d1ig0cm8p7wvah.cloudfront.net
User-Agent: curl/7.78.0
Accept: /

• Empty reply from server
• Closing connection 0
• TLSv1.3 (OUT), TLS alert, close notify (256):
  curl: (52) Empty reply from server

from static-ffmpeg.

Hi, sorry for late reply. If it happens with curl also then my gut feeling is that this unrelated to ffmpeg itself, and instead something to do with changes to openssl between the alpine versions use dot build 3.4.2 and 4.4. Maybe can try narrow it down even more by trying to use openssl s_client?

from static-ffmpeg.

4.4 was built with alpine:3.13.4, 3.4.2 with alpine:3.13.2 it seems.

from static-ffmpeg.

Here is how to do a http request using s_client:

echo -ne "GET /out/v1/540579958c1e4bebb276595a7f8cb23e/index.m3u8 HTTP/1.1\r\nHost: d1ig0cm8p7wvah.cloudfront.net\r\n\r\n" | openssl s_client -quiet -connect d1ig0cm8p7wvah.cloudfront.net:443

from static-ffmpeg.

I have tried add openssl in my alpine image, and curl will succeed every times.
So I can't catch error message by using openssl s_client. I wonder if it is because lack of openssl causes that failure.

dockerfile-myalipne:1.0 failed
FROM alpine:3.7 RUN apk add --update curl && rm -rf /var/cache/apk/*

dockerfile-myalipne:2.0 succeed
FROM alpine:3.7 RUN apk add --update curl && apk add --no-cache openssl && rm -rf /var/cache/apk/*

from static-ffmpeg.

So adding the openssl package makes the difference? i had look at with that package contains https://pkgs.alpinelinux.org/contents?branch=v3.7&name=openssl&arch=armhf&repo=main only file that looks interesting is openssl.cnf i think. Try rename it temporary and test? Does it make a difference testing with later version of alpine?

from static-ffmpeg.

@QQsilhonette close?

from static-ffmpeg.