Security

As more private data migrates online, services that handle this data have to consider enabling stronger security protocols. Therefore, Sonos requires that you implement the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) security requirements listed below in your SMAPI implementation.


Security requirements

In order to be listed on the Sonos Audio Platform, your music service must:

  • Implement HTTPS to protect the SecureURI endpoint in the SMAPI Service Configuration (see Test your service for an example). Use of HTTPS for serving content is recommended. Note that your content could be compromised and stolen if you choose to allow HTTP access to your SMAPI SOAP service. To secure your content, be sure to test that calls such as getMediaURI do not work over HTTP.
  • HTTPS endpoints must support Transport Layer Security (TLS) 1.2.
  • S1 version: support at least one of the following cipher suites. For cipher suites using elliptic curves, support the secp256r1 curve.
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • S2 version: support at least one of the following cipher suites. For cipher suites using elliptic curves, support the secp256r1 or the secp384r1 curve.
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • Have a valid X.509 certificate for the DNS name. See the What happens in your certificate fails in production section below for details.
  • Do not use an SSL/TLS implementation exposed to any known vulnerabilities, for example, Heartbleed or CRIME.

Future requirements

❗️

Removing player support to cipher suites

On May 21, 2024, in order to comply with regulatory requirements, Sonos will remove player support for the following cipher suites:

  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384

What happens if your certificate fails in production?

If your certificate isn’t configured properly or has expired, your service will fail on Sonos. Users will not be able to browse your service on Sonos. Some common reasons for SSL handshake failures include:

  • Expired certificate: Every certificate has a validity window before it expires. You need to present Sonos with unexpired certificates.
  • DNS name mismatch: Your certificate must match the DNS name used in the Sonos service catalog. If the URL in the Sonos service catalog is https://stremingservice.example.com/svc, then your certificate must have a subjectAltName or a Common Name matching streamingservice.example.com. Any mismatches will cause an outage. For example, this may occur if you introduce a Content Delivery Network (CDN) into your setup as this may affect the DNS names and certificates involved.
  • Missing intermediate CA cert: Most certificate authorities do not issue individual server certificates directly from their root CA certificate. They often use an intermediate CA certificate. Usually, the chain looks like this: Root CA certificate -> Intermediate CA certificate -> Your service’s SSL server certificate. In these cases, you must configure your SSL server to send Sonos the intermediate CA certificate as well as your SSL server certificate. Without this, Sonos will not be able to validate the full chain and the validation may fail.

What’s Next