HermesApp / Hermes

Compact macOS Pandora client that doesn’t use Flash
http://hermesapp.org/
MIT License

An error has occurred with Pandora. [Try Again] - Internal Pandora error #340

Closed ljcatlin closed 5 years ago

ljcatlin commented 5 years ago

I've not used the app since last Friday and starting today when I try to launch it I get the error message above. I've tried reinstalling, but that doesn't correct the issue.

jbone1210 commented 5 years ago

I have the same issue and have tried reinstalling as well.

Did Pandora shut it down?

jeffpasch commented 5 years ago

same here.

charleshimmer commented 5 years ago

Used it every day and then on Wednesday it just stopped working. It feels like maybe Pandora somehow blocked it.

RocketGS commented 5 years ago

Just downloaded this app and I'm getting this same issue. Bummer!

inieves commented 5 years ago

I'm getting the same issue.

I have contacts over at Pandora... should I contact them?

Log attached:

HermesAppDelegate.m:195 -[HermesAppDelegate applicationDidFinishLaunching:] Starting in debug mode. Log file: /Users/inieves/Library/Logs/Hermes/HermesLog_2018-08-1012:49:11-0400.log
Pandora.m:290 -[Pandora doPartnerLogin:] Getting partner ID...
Pandora.m:823 -[Pandora sendRequest:] https://tuner.pandora.com/services/json/?method=auth.partnerLogin&partner_id=&auth_token=&user_id=
Pandora.m:823 -[Pandora sendRequest:] https://tuner.pandora.com/services/json/?method=auth.userLogin&partner_id=42&auth_token=VADEjNzUq9Ew9%2BIlY%2BmhA%2BN08yGZjtcuma&user_id=
Pandora.m:270 -[Pandora doUserLogin:password:callback:]_block_invoke Subscriber status: 1
Pandora.m:275 -[Pandora doUserLogin:password:callback:]_block_invoke Subscriber detected, re-logging-in...
Pandora.m:290 -[Pandora doPartnerLogin:] Getting partner ID...
Pandora.m:823 -[Pandora sendRequest:] https://internal-tuner.pandora.com/services/json/?method=auth.partnerLogin&partner_id=&auth_token=&user_id=
HermesAppDelegate.m:713 -[HermesAppDelegate handlePandoraError:] error received {
    error = "The operation couldn\U2019t be completed. (OSStatus error -9807.)";
    request = "<PandoraRequest 0x60400029e410 auth.partnerLogin>";
}

RGerboth commented 5 years ago

Looks like maybe Pandora locked Hermes out. Same issue on brand-new install.

ryanbeymer commented 5 years ago

I was poking around.... looks like their wildcard cert is busted.

nobecutan commented 5 years ago

There was a thread the other day regarding this issue. Basically Apple and Chrome and others effectively killed a bunch of CAs owned by Symantec.

As a workaround you have to manually trust the specific TLS certificate and all is gay again.

BR Christof

On 11.08.2018 at 01:06, Ryan Beymer notifications@github.com wrote:

I was poking around.... looks like their wildcard cert is busted.

go to https://tuner.pandora.com/ - invalid cert
go to https://internal-tuner.pandora.com/ - invalid cert

nobecutan commented 5 years ago

The related issue plus a step by step instruction is #337.

ryanbeymer commented 5 years ago

Yep walked through it, works for me. Thx @nobecutan https://github.com/HermesApp/Hermes/issues/337#issuecomment-410788166

inieves commented 5 years ago

Also worked for me, thanks! Does this need to become part of usage instructions or some FAQ? Or a popup? Thanks @nobecutan #337 (comment)

charleshimmer commented 5 years ago

Worked for me! Thanks @nobecutan!

ZevEisenberg commented 5 years ago

How wise is it to manually trust certs that have been marked as untrusted by Apple and Google? Can we trust them only for pandora.com URLs?

nriley commented 5 years ago

Someone could potentially embed the individual cert (or the now-no-longer-trusted CA) to the trusted certs in Hermes itself.

But really this is Pandora's problem to fix.

DanielStormApps commented 5 years ago

Created a PR if anyone would like to help test #341

ghost commented 5 years ago

sounds like a change in the auth pattern

nriley commented 5 years ago

I can just turn things off completely (30497ade27adc0894e2034eb572904866d63148e) which does work, but want to do a better job. SecureTransport has defeated me today with its inscrutable documentation. If anyone can help with pinning the cert or CA, that'd be awesome.

foliovision commented 5 years ago

In the meantime, what makes Hermes work with no fussing around with certificates is to open the normal Pandora app (2.0.10 on my computer) and pause it. If you have Hermes open it will start to work once Pandora's native app starts working once. You must leave the Pandora app open and paused though.

I prefer Hermes not only for the efficient interface but for the LastFM scrobbling. Last.FM has been kind of a favourites list of last resort for awhile when listening across Deezer, Tidal, Pandora, Soma FM and any other service I try. Thanks to Soundiiz (annual subscription for full feature set, free one off migrations), it's possible to convert and amalgamate favourite track, artist and album listings across services with relatively minimal hassle (you have to be a bit of a geek to get along with Soundiiz still).

This works even when running Pandora over a site specific VPN for Hermes. My guide for the site specific VPN, still works, I had to re-use the guide myself today as I've been listening to a lot of SomaFM (West Coast 70's and Lush are awesome free channels, donated there too though). With Clementine app (GPL) you get an easy to use and fast to start interface for digital channels (outside the browser), along with Last.fm scrobbling. I mention Clementine as many of those who admire Hermes like I do might like Clementine too.

nriley commented 5 years ago

More digging this weekend — I found a post that suggests SSLSetCertificate can be used to replace/add a root cert, but this isn't working (and it really looks like it's more designed for client certificate-based authentication). I still get "CFNetwork SSLHandshake failed (-9807)".

Another option (which I'm pretty sure would work) is replacing cert validation via kSSLSessionOptionBreakOnServerAuth but I don't think I can intercept the SSLHandshake because it's called from the guts of CFNetwork:

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x00007fff5237d266 Security`SSLHandshake
    frame #1: 0x00007fff45894c20 CFNetwork`SocketStream::_PerformSecurityHandshake_NoLock() + 732
    frame #2: 0x00007fff458943fe CFNetwork`SocketStream::socketCallback(__CFSocket*, unsigned long, __CFData const*, void const*) + 272
    frame #3: 0x00007fff458942b2 CFNetwork`SocketStream::_SocketCallBack_stream(__CFSocket*, unsigned long, __CFData const*, void const*, void*) + 70
    frame #4: 0x00007fff469de54c CoreFoundation`__CFSocketPerformV0 + 1080
    frame #5: 0x00007fff46942405 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #6: 0x00007fff469423ab CoreFoundation`__CFRunLoopDoSource0 + 108
    frame #7: 0x00007fff46925e51 CoreFoundation`__CFRunLoopDoSources0 + 195
    frame #8: 0x00007fff469253fa CoreFoundation`__CFRunLoopRun + 1219
    frame #9: 0x00007fff46924ce4 CoreFoundation`CFRunLoopRunSpecific + 463
    frame #10: 0x00007fff45bbe895 HIToolbox`RunCurrentEventLoopInMode + 293
    frame #11: 0x00007fff45bbe5cb HIToolbox`ReceiveNextEventCommon + 618
    frame #12: 0x00007fff45bbe348 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 64
    frame #13: 0x00007fff43e7b8df AppKit`_DPSNextEvent + 997
    frame #14: 0x00007fff43e7a67e AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1362
    frame #15: 0x00007fff43e746e1 AppKit`-[NSApplication run] + 699
    frame #16: 0x00007fff43e63e1b AppKit`NSApplicationMain + 780
    frame #17: 0x0000000100005c22 Hermes`main(argc=3, argv=0x00007ffeefbff4b8) at main.m:9
    frame #18: 0x00007fff738fa0a1 libdyld.dylib`start + 1
    frame #19: 0x00007fff738fa0a1 libdyld.dylib`start + 1

The most appropriate solution seems to be to migrate URLConnection to wrap NSURLSession rather than CFHTTP (which is deprecated). Another option would be to use SSLRead/SSLWrite but that seems like the wrong way to go.
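
The host-scoped alternative discussed in this thread (accept a known certificate only for the Pandora API hosts, instead of trusting it system-wide or turning validation off), as an added example that is not part of the thread or of Hermes' code: an NSURLSession delegate that accepts a bundled leaf certificate only for the hosts listed in a map. `PinnedSessionDelegate` and `pinnedLeafByHost` are hypothetical names; the map is assumed to hold one entry each for tuner.pandora.com and internal-tuner.pandora.com, which serve different certificates.

```objective-c
// Added example, not Hermes code. Assumes ARC and that the app bundles the
// DER bytes of the one certificate it accepts for each pinned host.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
// Hypothetical map: lowercase hostname -> DER of the pinned leaf certificate.
@property (nonatomic, copy) NSDictionary<NSString *, NSData *> *pinnedLeafByHost;
@end

@implementation PinnedSessionDelegate
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential * _Nullable))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    NSData *pinned = self.pinnedLeafByHost[space.host.lowercaseString];
    // Not a TLS server-trust challenge, or a host with no pin: leave the
    // decision to the system trust store, unchanged.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]
        || pinned == nil) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    BOOL ok = NO;
    if (trust != NULL && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *leafDER = CFBridgingRelease(SecCertificateCopyData(leaf));
        if ([leafDER isEqualToData:pinned]) {
            // Anchor evaluation on the pinned leaf only, so the distrusted
            // issuer chain is not consulted. The SSL policy still enforces
            // the hostname match and the validity period.
            SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)space.host);
            SecTrustSetPolicies(trust, policy);
            CFRelease(policy);
            SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)@[(__bridge id)leaf]);
            SecTrustSetAnchorCertificatesOnly(trust, true);
            SecTrustResultType result = kSecTrustResultInvalid;
            ok = SecTrustEvaluate(trust, &result) == errSecSuccess
                && (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
        }
    }
    // Any mismatch or evaluation failure on a pinned host cancels the request.
    completionHandler(ok ? NSURLSessionAuthChallengeUseCredential
                         : NSURLSessionAuthChallengeCancelAuthenticationChallenge,
                      ok ? [NSURLCredential credentialForTrust:trust] : nil);
}
@end
```

On macOS 10.14 and later, `SecTrustEvaluateWithError` replaces the deprecated `SecTrustEvaluate` call used here. A pin on the leaf has to be updated whenever the server rotates its certificate.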

sandinak commented 5 years ago

imported the cert as noted in #337 and still getting internal error. After doing some digging I found it's failing because the intermediate is also marked as not trusted. I imported the cert and intermediate from internal-tuner.pandora.com, I marked it as trusted temporarily and that resolved the issue; however not happy with having to do that. I know it's pandora's issue .. but meh .. it's dirty.

nriley commented 5 years ago

As I mentioned the only Hermes-side fix for this (aside from Pandora fixing things) is to rewrite Hermes' non-streaming networking such that we can intercept and override certificate validation. I'm working on it slowly and will get my WIP onto a branch this weekend, but I can't devote more than 2-3 hours a week to it given other responsibilities, and I suspect it'll be more like 6-10 hours of work to do because I've never used NSURLSession before.

inieves commented 5 years ago

If you have any tough questions let me know. I can forward to colleagues who are former apple engineers. They would be able to answer questions in that domain.

-ian

On Sep 5, 2018, at 10:39 AM, Nicholas Riley notifications@github.com wrote:

Might be the intermediate cert.

https://github.com/HermesApp/Hermes/issues/340

As I mentioned in #340 the only Hermes-side for this (aside from Pandora fixing things) is to rewrite Hermes' non-streaming networking such that we can intercept and override certificate validation. I'm working on it slowly and will get my WIP onto a branch this weekend, but I can't devote more than 2-3 hours a week to it given other responsibilities, and I suspect it'll be more like 6-10 hours of work to do because I've never used NSURLSession before.

--Nicholas

haozhang96 commented 5 years ago

imported the cert as noted in #337 and still getting internal error. After doing some digging I found it's failing because the intermediate is also marked as not trusted. I imported the cert and intermediate from internal-tuner.pandora.com, I marked it as trusted temporarily and that resolved the issue; however not happy with having to do that. I know it's pandora's issue .. but meh .. it's dirty.

This did it for me. Thanks!

tomlogic commented 5 years ago

I was able to do it by importing and trusting just the cert from https://internal-tuner.pandora.com/ which I had not realized was a different cert from https://tuner.pandora.com/ (which I had previously imported). They're both wildcard certs, but with different expiration times.

andrewrphillips commented 5 years ago

@tomlogic This did it for me!

nriley commented 5 years ago

Merging this with #337 as it's the same issue.