Acknowledged

makeWebRequest fails on patreon audio content download

I'm getting error 0 when trying to download audio content from Patreon servers on device (Fenix 7 Pro). It's working fine in the simulator, but not on device.

I've verified that it is an HTTPS URL, and there shouldn't be any issues with the certificate, as the artwork (image) download just before succeeds.

The media encoding seems correct (mp3 file), and if I log the download url, it's valid for download on the computer later.

My request options look like this:

		var options = {
			:method => Communications.HTTP_REQUEST_METHOD_GET,
			:responseType => Communications.HTTP_RESPONSE_CONTENT_TYPE_AUDIO,
			:headers => {
				"Content-Type" => Communications.REQUEST_CONTENT_TYPE_URL_ENCODED,
			},
			:mediaEncoding => Utils.mimeToEncoding(episode[Episode.MIME_TYPE]),
			:fileDownloadProgressCallback => method(:onDownloadProgress)
		};


Out of respect for the content creator, I won't post the full content URLs here (but I can provide them to Garmin representatives via DM for debugging), but they look like this (with redacted hashes):
The audio URL that fails on device:
https://c10.patreonusercontent.com/4/patreon-media/p/post/108392616/c302f7883bbc448eb2b32aaa3f4d5134/eyJhIjoxLCJwIjoxfQ%3D%3D/1.mp3?token-time=1725235200&token-hash=<hash-redacted>%3D

The image URL that succeeds:
https://c10.patreonusercontent.com/4/patreon-media/p/campaign/8278829/b47426688d39440c9af3392914c867df/eyJoIjoxMDgwLCJ3IjoxMDgwfQ%3D%3D/2.png?token-time=2145916800&token-hash=<hash-redacted>%3D

Fetching the audio URL from a computer with curl, the headers look like this:

HTTP/2 200
date: Sun, 25 Aug 2024 09:21:48 GMT
content-type: audio/mpeg
content-length: 81094529
cf-ray: 8b8a83961a5e5f01-ARN
cf-cache-status: HIT
accept-ranges: bytes
access-control-allow-origin: https://www.patreon.com
age: 1946819
cache-control: public, max-age=31536000
content-disposition: attachment; filename="Le Grifon 03; Too Many Stars.mp3"; filename*=utf-8''Le%20Grifon%2003%3B%20Too%20Many%20Stars.mp3
etag: W/4/patreon-media/p/post/108392616/<hash-redacted>%3D%3D/1
expires: Mon, 25 Aug 2025 09:21:48 GMT
vary: Accept-Encoding
access-control-allow-headers: Content-Type, Range, Content-Length
content-security-policy: default-src 'none'; media-src https://c10.patreonusercontent.com
x-powered-by: Express
set-cookie: __cf_bm=<hash-redacted> path=/; expires=Sun, 25-Aug-24 09:51:48 GMT; domain=.patreonusercontent.com; HttpOnly; Secure; SameSite=None
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=<hash-redacted>%2F<hash-redacted>8%<hash-redacted>"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare

Been trying to speculate what might be the cause of the issue. Only theory I have so far is that the URL is very long (211 characters), and that might be the culprit?

  • The makeImageRequest goes through Garmin servers, so the SSL negotiation will not be handled by the watch. The makeWebRequest on the other hand will be handled by the watch itself. I tested the domain on ssllabs, and it seems to provide an RSA certificate as well (next to an ec256 certificate). Although the Let's Encrypt RSA vs ECDSA issue solved a lot of problems, I also encountered the above error on a domain which has both RSA and EC256 certificates. Below you can find the cipher results from ssllabs from 2 different servers, where one succeeds and one fails:

    Test Server 1 ✔

    # TLS 1.3 (suites in server-preferred order)
    TLS_AES_128_GCM_SHA256 (0x1301)   ECDH x25519 (eq. 3072 bits RSA)   FS 	128
    TLS_AES_256_GCM_SHA384 (0x1302)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256
    TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256
    # TLS 1.2 (suites in server-preferred order)
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH x25519 (eq. 3072 bits RSA)   FS 	128
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq. 3072 bits RSA)   FS

    Test Server 2 X

    # TLS 1.2 (suites in server-preferred order)
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH x25519 (eq. 3072 bits RSA)   FS 	128
    OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256P
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256P
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	128
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	128
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH x25519 (eq. 3072 bits RSA)   FS 	128
    OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256P
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256P
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	128
    TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 	128
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 	128
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	256
    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 	256
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 	256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	128
    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 	128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	256
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK


    Although all TLS1.2 ciphers from Test 1 are also in test 2, test server 2 still fails. For your server I found the following:

    # TLS 1.3 (server has no preference)
    TLS_AES_128_GCM_SHA256 (0x1301)   ECDH x25519 (eq. 3072 bits RSA)   FS 	128
    TLS_AES_256_GCM_SHA384 (0x1302)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256
    TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256
    # TLS 1.2 (suites in server-preferred order)
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH x25519 (eq. 3072 bits RSA)   FS 	128
    OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256P
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256P
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	128
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	128
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH x25519 (eq. 3072 bits RSA)   FS 	128
    OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256P
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256P
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	128
    TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 	128
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 	128
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	256
    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 	256
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 	256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	128
    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 	128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 	256
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 	256


    Which looks a lot like my Test Server 2, but with some additional TLS1.3 ciphers. Maybe the 'only supports RSA' is not the full story here.

    I also tested whether RSA certificates still work on Test Server 2 (turn off ECDSA ciphers in about:config > search SSL3 > disable all except RSA). When browsing the URL and checking the certificate, it changes to RSA properly.
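
An added example (not part of the original posts and not Garmin's code): TLS 1.2 server-preference selection run over the two Test Server listings above, showing how a server whose suites are a superset of another's can still hand the same client a different certificate type. The two client offer sets are hypothetical; the watch's actual ClientHello is not shown on this page.

```python
import re

# Constructed from the ssllabs TLS 1.2 listings in the reply above, trimmed to
# suite name and code point. Server 2 is cut off after its first RSA suite.
SERVER_1 = """\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
"""
SERVER_2 = """\
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
"""

SUITE_RE = re.compile(r"^\s*((?:OLD_)?TLS_\S+)\s+\((0x[0-9a-f]+)\)", re.M)

def parse(listing):
    """Return [(code_point, name)] in the server's preference order."""
    return [(int(code, 16), name) for name, code in SUITE_RE.findall(listing)]

def cert_type(name):
    """Certificate type implied by a TLS 1.2 suite name (not valid for TLS 1.3 names)."""
    return "ECDSA" if "_ECDSA_" in name else "RSA"

def negotiate(server_pref, client_offer):
    """Server-preferred order: the first server suite the client also offered wins."""
    for code, name in server_pref:
        if code in client_offer:
            return name, cert_type(name)
    return None  # no common suite: handshake failure

# Hypothetical client offers (assumptions, not taken from a device capture).
OFFER_RSA_ONLY = {0xc02f, 0xc030}
OFFER_MIXED = {0xc02b, 0xc02c, 0xc02f, 0xc030}
S1, S2 = parse(SERVER_1), parse(SERVER_2)

if __name__ == "__main__":
    for label, offer in (("RSA-only", OFFER_RSA_ONLY), ("mixed", OFFER_MIXED)):
        print(label, "| server 1:", negotiate(S1, offer), "| server 2:", negotiate(S2, offer))
```

With the mixed offer, Server 1 can only answer with an RSA suite, while Server 2 prefers an ECDSA suite and therefore presents its ECDSA certificate; a client that advertises ECDSA suites but cannot validate that chain would fail only against Server 2.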