[friDay Video] Max retries exceeded with url... (caused by SSL error)

[CrymanChen]

Hey guys, video URL here:

Code:

https://video.friday.tw/drama/detail/2275/%E5%8B%BF%E8%AA%AA%E6%98%AF%E6%8E%A8%E7%90%86-%E7%AC%AC1%E9%9B%86?episode=75761&index=1

Free video clip with Taiwan IP needed.
I just ran into this problem that, when I was trying to send a POST request, it always returned this error:

Code:

urllib3.exceptions.SSLError: [SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:1006)

requests.exceptions.SSLError: HTTPSConnectionPool(host='widevine.video.friday.tw', port=443): Max retries exceeded with url: /?deviceId=Mzg4....NGNk (Caused by SSLError(SSLError(1, '[SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:1006)')))

I have connected to my Taiwan IP already, and it went normal on my Chrome browser, but this error always showed up when using Python.
I thought it was something to do with my Internet, so I restarted my laptop as well as my Wi-Fi, and also my proxy.
Then I tried with some other sites, but the situations were pretty well, with keys being retrieved quickly.
And I used curl to duplicate this request:

Code:

curl -X POST "https://widevine.video.friday.tw/?deviceId=Mzg4....NGNk" --data "abc"

and an HTTP 500 returned so it's not like the Internet connection is bad or something else, it seems like the error happens only in this site.

So would anyone be willing to help me?

[CrymanChen]

P.S. I also went to some online sites like getwvkeys to do this test, as I found out that only this deviceId parameter is crucial, and the license server won't authenticate other params.
And it was also normal, no key-value pairs in the headers. (And then I deleted all the headers in my Python script but it didn't work.)

[Attachment 74989 - Click to enlarge]

[yawoo]

I also encounter the same SSL connection problem of friDay recently. Finally I follow the shorter version of the solution in this link https://stackoverflow.com/a/69580908 and it resolve the connection issue.

[CrymanChen]

I also encounter the same SSL connection problem of friDay recently. Finally I follow the shorter version of the solution in this link https://stackoverflow.com/a/69580908 and it resolve the connection issue.

I'm a bit confused about the role these codes play in. But is this the right way?

Code:

import requests
import ssl

url = 'https://widevine.video.friday.tw/'

class TLSAdapter(requests.adapters.HTTPAdapter):

    def init_poolmanager(self, *args, **kwargs):
        ctx = ssl.create_default_context()
        ctx.set_ciphers('DEFAULT@SECLEVEL=1')
        kwargs['ssl_context'] = ctx
        return super(TLSAdapter, self).init_poolmanager(*args, **kwargs)

session = requests.session()
session.mount('https://', TLSAdapter())
res = session.post(url)
print(res)

I changed the 'res = session.get(url)' to 'res = session.post(url)'

[yawoo]

Right, place the related coding in your l3.py. Just like below.

Code:

...
import ssl

class TLSAdapter(requests.adapters.HTTPAdapter):

  def init_poolmanager(self, *args, **kwargs):
     ctx = ssl.create_default_context()
     ctx.set_ciphers('DEFAULT@SECLEVEL=1')
     kwargs['ssl_context'] = ctx
     return super(TLSAdapter, self).init_poolmanager(*args, **kwargs)


def WV_Function(pssh, lic_url, cert_b64=None):
    wvdecrypt = WvDecrypt(init_data_b64=pssh, cert_data_b64=cert_b64, device=deviceconfig.device_android_generic)
    session = requests.session()
    session.mount('https://', TLSAdapter())
    widevine_license = session.post(url=lic_url, data=wvdecrypt.get_challenge(), headers=headers)
    .....

[shellcmd]

thank you @yawoo , it works perfect !

[Obo]

I wonder if this is a problem with the old WVKEYS implementation, or if this happens with the official pywidevine module as well?

[CrymanChen]

I wonder if this is a problem with the old WVKEYS implementation, or if this happens with the official pywidevine module as well?

I have tried with different tools including WKS-KEYS (protobuf==3.19.5) and pywidevine (latest protobuf).
But after following the @yawoo code, I still couldn't fix this problem.

[shellcmd]

oh no , @Obo what you said is right. and i just tested this tile

Code:

https://video.friday.tw/drama/detail/3190/%E7%94%B7%E6%89%AE%E5%A5%B3%E8%A3%9D%E5%AE%B6%E6%94%BF%E5%A9%A6-%E7%AC%AC6%E5%AD%A3-%E7%AC%AC1%E9%9B%86?episode=99359&index=1

with new pywidevine(1.5.3), just input pssh and license url, no header needed, it worked.no ssl problem.

[Attachment 75014 - Click to enlarge]

[yawoo]

From my understand, this issue is due to SSL/TLS connection. The client (Python use openssl with higher security level) initiate TLS connection to the server (with lower security level). Both sides cannot negotiate the same set of cipher to start the connection eventually. The provided coding is to lower the security level of client side. Alternatively, if you could use the older version of openssl, it may connect without issue.

[yawoo]

Using below link, it can check what cipher suites are supported by the target site. Your Python client (openssl) should support one set of these cipher suites.

https://www.ssllabs.com/ssltest/analyze.html?d=widevine.video.friday.tw

Code:

Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK	128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK	256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK	128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp384r1 (eq. 7680 bits RSA)   FS	256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp384r1 (eq. 7680 bits RSA)   FS	128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK	256
# TLS 1.1 (suites in server-preferred order)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK	128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK	256
# TLS 1.0 (suites in server-preferred order)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK	128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK

I have found another link https://hussainaliakbar.github.io/restricting-tls-version-and-cipher-suites-in-python-...ith-wireshark/. It explicitly set the cipher suite. For the first try, you may set this supported cipher in your coding. I have not tested it yet, hope it can resolve your issue.

Code:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDHE-RSA-AES256-GCM-SHA384

Reference of Openssl supported cipher sites:
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html

[CrymanChen]

New information to me. I'll check them.
Really appreciate it @yawoo.

[yawoo]

I find another link that may be useful to you. The latest OS use Openssl v3 that remove unsecure Ciphers by default and cause the connection issue with the server with weak Cipher suite. You may refer his coding example.
https://stackoverflow.com/questions/77262501/how-to-alter-cipher-suite-used-with-python-requests

PS. My Python 3.10.11 (in Windows 10) still use Openssl 1.1.1

[yawoo]

I refer to handshake simulation on OpenSSL client in SSL labs report, and select the cipher AES128-SHA.

Code:

Handshake Simulation
OpenSSL 1.0.1l  R	RSA 2048 (SHA256)  	TLS 1.2	TLS_RSA_WITH_AES_128_CBC_SHA  No FS
OpenSSL 1.0.2s  R	RSA 2048 (SHA256)  	TLS 1.2	TLS_RSA_WITH_AES_128_CBC_SHA  No FS
OpenSSL 1.1.0k  R	RSA 2048 (SHA256)  	TLS 1.2	TLS_RSA_WITH_AES_128_CBC_SHA  No FS
OpenSSL 1.1.1c  R	RSA 2048 (SHA256)  	TLS 1.2	TLS_RSA_WITH_AES_128_CBC_SHA  No FS

Below coding is working in my environment, for your information please.

Code:

...
from requests.packages.urllib3.util.ssl_ import create_urllib3_context

CIPHERS = (
    'AES128-SHA:AES128-SHA256'
)

class TLSAdapter(requests.adapters.HTTPAdapter):
  def init_poolmanager(self, *args, **kwargs):
     ctx = create_urllib3_context(ciphers=CIPHERS)
     kwargs['ssl_context'] = ctx
     return super(TLSAdapter, self).init_poolmanager(*args, **kwargs)


def WV_Function(pssh, lic_url, cert_b64=None):
    wvdecrypt = WvDecrypt(init_data_b64=pssh, cert_data_b64=cert_b64, device=deviceconfig.device_android_generic)
    session = requests.session()
    session.mount('https://', TLSAdapter())
    widevine_license = session.post(url=lic_url, data=wvdecrypt.get_challenge(), headers=headers)
...