Bug#885127: vlc: Cast Chromecast unusable due to gnutls error

Rémi Denis-Courmont remi at remlab.net
Sat Dec 30 09:21:00 UTC 2017


tags 885127 - moreinfo unreproducible
thanks

On vendredi 29 décembre 2017 16:48:30 EET Daniel Kahn Gillmor wrote:
> On Tue 2017-12-26 22:24:59 +0100, Floris wrote:
> > I'm not sure this is a VLC bug, although I think it is odd that VLC 3 has
> > a Chromecast feature, but it isn't working. Maybe build vlc without
> > Chromecast support in Debian until Google and/ or GnuTLS has a decent fix
> > for this issue. Or make a workaround.
> 
> Dropping chromecast support in debian doesn't seem like great option to
> me if it's available upstream.  And GnuTLS has at least two different
> fixes available.
> 
> One approach (as noted in my earlier post on this bug report) is to
> explicitly grant that self-signed cert root CA status.  But that's
> generally unpleasant, because it means that cert can MITM any of your
> other connections.
> 
> A better approach to connecting to a persistently-named, self-signed
> chromecast stream would be for VLC to take advantage of GnuTLS's "TOFU"
> (trust on first use) functionality:
> 
>     https://gnutls.org/manual/gnutls.html#Certificate-verification

VLC already supports that feature - if the root CA is unknown and/or the 
hostname does not match the certificate common name, but everything else is 
fine.

The whole point of this bug report is that some GnuTLS update broke this 
feature by adding the insecure algorithm error flag on self-signed 
certificates. VLC should not accept MD2 or MD5 certificate chains ever, so it 
fails hard if that flag is set (ditto expired certificate).

And this is trivially reproducible; we already provided multiple ways to do 
that, with either gnutls-bin or VLC.

-- 
Rémi Denis-Courmont
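The distinction drawn above, between verification problems a TOFU pin may cover (unknown issuer, hostname mismatch) and problems that must fail hard regardless of any pin (insecure signature algorithm, expired certificate), is the whole decision. The module below is an added illustration written for this thread; it is not VLC's or GnuTLS's code. The flag names follow gnutls_certificate_status_t in gnutls.h (the bit positions are reproduced from memory and the logic only needs them to be distinct bits). The hostnames and certificate bytes are constructed sample data, and the known-hosts store is a plain dict standing in for whatever persistent store a client would use.

```python
"""Trust-on-first-use layered over GnuTLS-style verification status bits.

Added example for the Debian bug thread; not VLC's or GnuTLS's code.
Flag names follow gnutls_certificate_status_t (bit positions from memory).
All hostnames and certificate bytes are constructed sample data.
"""
import hashlib
from enum import IntFlag


class CertStatus(IntFlag):
    """Subset of gnutls_certificate_status_t."""
    INVALID = 1 << 1
    REVOKED = 1 << 5
    SIGNER_NOT_FOUND = 1 << 6
    SIGNER_NOT_CA = 1 << 7
    INSECURE_ALGORITHM = 1 << 8
    NOT_ACTIVATED = 1 << 9
    EXPIRED = 1 << 10
    SIGNATURE_FAILURE = 1 << 11
    UNEXPECTED_OWNER = 1 << 14


# Problems a pinned fingerprint may legitimately cover: a self-signed device
# certificate has no known issuer and its name rarely matches what we dialled.
TOFU_RECOVERABLE = int(CertStatus.INVALID | CertStatus.SIGNER_NOT_FOUND
                       | CertStatus.SIGNER_NOT_CA | CertStatus.UNEXPECTED_OWNER)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate; this is what gets pinned per host."""
    return hashlib.sha256(der).hexdigest()


def decide(status, hostname, der, known_hosts, prompt_accept=True):
    """Map a verification status plus the pin store to one of:
    'accept', 'first-use', 'reject-hard', 'reject-mismatch', 'reject-declined'.
    """
    status = int(status)
    # Any bit outside the TOFU-recoverable set (insecure algorithm, expired,
    # revoked, bad signature, unknown future flags) fails hard, pin or no pin.
    if status & ~TOFU_RECOVERABLE:
        return "reject-hard"
    if status == 0:
        return "accept"          # chain verified normally; TOFU not needed
    fp = fingerprint(der)
    pinned = known_hosts.get(hostname)
    if pinned is None:
        # First contact: the user (or policy) decides whether to pin.
        if not prompt_accept:
            return "reject-declined"
        known_hosts[hostname] = fp
        return "first-use"
    # Subsequent contacts: the certificate must be the one we pinned.
    return "accept" if pinned == fp else "reject-mismatch"


def demo():
    """Replay the situation described in the thread on constructed data."""
    store = {}
    der = b"constructed DER for a self-signed chromecast certificate"
    self_signed = CertStatus.INVALID | CertStatus.SIGNER_NOT_FOUND
    results = [
        decide(self_signed, "chromecast.lan", der, store),                  # pinned now
        decide(self_signed | CertStatus.UNEXPECTED_OWNER, "chromecast.lan", der, store),
        decide(self_signed, "chromecast.lan", b"different cert", store),    # possible MITM
        # The GnuTLS change the report is about: INSECURE_ALGORITHM now set
        # on the same self-signed cert, so the pin no longer helps.
        decide(self_signed | CertStatus.INSECURE_ALGORITHM, "chromecast.lan", der, store),
    ]
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Keeping the hard-fail test as "any bit not in the recoverable set" rather than an explicit list means a flag GnuTLS adds later is rejected by default instead of being silently pinned over.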


