Op Fri, 29 Dec 2017 22:48:30 +0100 schreef Daniel Kahn Gillmor
<d...@debian.org>:
On Tue 2017-12-26 22:24:59 +0100, Floris wrote:
I'm not sure this is a VLC bug, although I think it is odd that VLC 3
has
a Chromecast feature, but it isn't working. Maybe build vlc without
Chromecast support in Debian until Google and/ or GnuTLS has a decent
fix
for this issue. Or make a workaround.
Dropping chromecast support in debian doesn't seem like great option to
me if it's available upstream. And GnuTLS has at least two different
fixes available.
One approach (as noted in my earlier post on this bug report) is to
explicitly grant that self-signed cert root CA status. But that's
generally unpleasant, because it means that cert can MITM any of your
other connections.
A better approach to connecting to a persistently-named, self-signed
chromecast stream would be for VLC to take advantage of GnuTLS's "TOFU"
(trust on first use) functionality:
https://gnutls.org/manual/gnutls.html#Certificate-verification
or, if we already know that chromecast is never a strongly-secured
connection, we could just disable authentication on chromecast
connections (i do not have a chromecast, and i do not know what security
posture chromecast users expect from their connections).
hth,
--dkg
I think a lot of end users expect the "it just works" method. When you
cast something from Chrome/ Chromium to the Chromecast there isn't a
warning about a certificate. In addition, the certificate issued by the
chromecast is only valid for 2 days. Does it mean that you get a new
warning every two days? So I tend more to the last option.
gnutls-cli 192.168.1.14:8009
Processed 149 CA certificate(s).
Resolving '192.168.1.14:8009'...
Connecting to '192.168.1.14:8009'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `CN=c036e8e6-dce8-c593-4624-e743f8eb7f04', issuer
`CN=c036e8e6-dce8-c593-4624-e743f8eb7f04', serial 0x07b58554, RSA key 2048
bits, signed using RSA-SHA256, activated `2017-12-29 09:57:32 UTC',
expires `2017-12-31 09:57:32 UTC',
pin-sha256="lqW7HJ396wf5w02vBO0Oyu3Os05S7OKUunht17mBwQE="
Public Key ID:
sha1:6b30af9317dcec5b8f16671aff24ccfa8af38bd4
sha256:96a5bb1c9dfdeb07f9c34daf04ed0ecaedceb34e52ece294ba786dd7b981c101
Public Key PIN:
pin-sha256:lqW7HJ396wf5w02vBO0Oyu3Os05S7OKUunht17mBwQE=
Public key's random art:
+--[ RSA 2048]----+
| |
| |
| |
| |
| o.So |
| +o.o.ooo |
| .+o. EB+ .|
| oo..o+o+.o |
| .o +=*+o..|
+-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is
unknown. The certificate chain uses insecure algorithm. The name in the
certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
