As more private data migrates online, services that handle this data have to consider enabling stronger security protocols. Therefore, Sonos requires that you implement the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) security requirements listed below in your SMAPI implementation.
Sonos players are embedded systems with limited memory and a small number of Certificate Authority (CA) certificates preinstalled. If you don’t use one of the pre-installed CA certificates, we also verify certificates remotely by querying a list of CAs on our own hosted service. However, occasionally this may be less reliable than using embedded certificates.
To avoid interruption of your service, we recommend that you use a certificate from one of the CAs listed below. If you have to use one from a CA that is not on the list, please coordinate with us by emailing us at email@example.com. Since we would have to support the certificate on an embedded device, it may take some time for us to make a change available to all Sonos users. Therefore we ask that you give us as much advance notice as you can so that we can work with you to ensure continuity of service.
In order to be listed on the Sonos Audio Platform, your music service must:
- Implement HTTPS to protect the SecureURI endpoint in the SMAPI Service Configuration (see Test your service for an example). Use of HTTPS for serving content is supported, but optional.
Note that your content could be compromised and stolen if you choose to allow HTTP access to your SMAPI SOAP service. To secure your content, be sure to test that calls such as
getMediaURIdo not work over HTTP.
- HTTPS endpoints must support Transport Layer Security (TLS) 1.2.
- Support at least one of the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1 elliptic curve)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1 elliptic curve)
- Have a valid X.509 certificate for the DNS name. See the Common Reasons for SSL Handshake Failures section below for details.
- Not use an SSL/TLS implementation exposed to any known vulnerabilities, for example, Heartbleed or CRIME.
In upcoming releases, we plan to drop support for TLS 1.0 and TLS 1.1, following the industry best practices.
We store certificates for the following Certificate Authorities (CAs) locally on our players and controllers. If you aren’t using one of them, please let us know by emailing us at firstname.lastname@example.org. Additionally, if you are switching your commercial Certificate Authority to one that is not on the list, we recommend that you let us know in advance of the switch to ensure a smooth transition.
The current Certificate Authority certificates trusted by Sonos products are listed below by common name, except where indicated. This list may change with future Sonos software updates.
- AddTrust External CA Root
- Baltimore CyberTrust Root
- DigiCert Global Root CA
- DigiCert Global Root G2
- DigiCert High Assurance EV Root CA
- DST Root CA X3
- GeoTrust Global CA
- GlobalSign Root CA
- GlobalSign RootCA – R2 *
- Go Daddy Root Certificate Authority – G2
- SecureTrust CA
* organization and/or organizational unit
What happens if your certificate fails in production?
If your certificate isn’t configured properly or has expired, your service will fail on Sonos. Users will not be able to browse your service on Sonos. Some common reasons for SSL handshake failures include:
- Expired certificate: Every certificate has a validity window before it expires. You need to present Sonos with unexpired certificates.
- DNS name mismatch: Your certificate must match the DNS name used in the Sonos service catalog. If the URL in the Sonos service catalog is https://stremingservice.example.com/svc then your certificate must have a subjectAltName or a Common Name matching streamingservice.example.com. Any mismatches will cause an outage. For example, this may occur if you introduce a Content Delivery Network (CDN) into your setup as this may affect the DNS names and certificates involved.
- Missing intermediate CA cert: Most certificate authorities do not issue individual server certificates directly from their root CA certificate. They often use an intermediate CA certificate. Usually, the chain looks like this:
Root CA certificate -> intermediate CA certificate -> your service’s SSL server certificate.
In these cases, you must configure your SSL server to send Sonos the intermediate CA certificate as well as your SSL server certificate. Without this, Sonos will not be able to validate the full chain and the validation may fail.
Go on to Error handling.