Bug#885127: vlc: Cast Chromecast unusable due to gnutls error

Floris jkfloris at dds.nl
Sat Dec 30 00:06:27 UTC 2017


On Fri, 29 Dec 2017 22:48:30 +0100, Daniel Kahn Gillmor <dkg at debian.org> wrote:

> On Tue 2017-12-26 22:24:59 +0100, Floris wrote:
>> I'm not sure this is a VLC bug, although I think it is odd that VLC 3
>> has a Chromecast feature, but it isn't working. Maybe build vlc without
>> Chromecast support in Debian until Google and/or GnuTLS has a decent
>> fix for this issue. Or make a workaround.
>
> Dropping chromecast support in debian doesn't seem like great option to
> me if it's available upstream.  And GnuTLS has at least two different
> fixes available.
>
> One approach (as noted in my earlier post on this bug report) is to
> explicitly grant that self-signed cert root CA status.  But that's
> generally unpleasant, because it means that cert can MITM any of your
> other connections.
>
> A better approach to connecting to a persistently-named, self-signed
> chromecast stream would be for VLC to take advantage of GnuTLS's "TOFU"
> (trust on first use) functionality:
>
>     https://gnutls.org/manual/gnutls.html#Certificate-verification
>
> or, if we already know that chromecast is never a strongly-secured
> connection, we could just disable authentication on chromecast
> connections (i do not have a chromecast, and i do not know what security
> posture chromecast users expect from their connections).
>
> hth,
>
>         --dkg


I think a lot of end users expect the "it just works" method. When you
cast something from Chrome/Chromium to the Chromecast there isn't a
warning about a certificate. In addition, the certificate issued by the
Chromecast is only valid for 2 days. Does it mean that you get a new
warning every two days? So I tend more to the last option.

gnutls-cli 192.168.1.14:8009
Processed 149 CA certificate(s).
Resolving '192.168.1.14:8009'...
Connecting to '192.168.1.14:8009'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
  - subject `CN=c036e8e6-dce8-c593-4624-e743f8eb7f04', issuer `CN=c036e8e6-dce8-c593-4624-e743f8eb7f04', serial 0x07b58554, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-29 09:57:32 UTC', expires `2017-12-31 09:57:32 UTC', pin-sha256="lqW7HJ396wf5w02vBO0Oyu3Os05S7OKUunht17mBwQE="
	Public Key ID:
		sha1:6b30af9317dcec5b8f16671aff24ccfa8af38bd4
		sha256:96a5bb1c9dfdeb07f9c34daf04ed0ecaedceb34e52ece294ba786dd7b981c101
	Public Key PIN:
		pin-sha256:lqW7HJ396wf5w02vBO0Oyu3Os05S7OKUunht17mBwQE=
	Public key's random art:
		+--[ RSA 2048]----+
		|                 |
		|                 |
		|                 |
		|                 |
		|      o.So       |
		|       +o.o.ooo  |
		|       .+o. EB+ .|
		|      oo..o+o+.o |
		|      .o  +=*+o..|
		+-----------------+

- Status: The certificate is NOT trusted. The certificate issuer is  
unknown. The certificate chain uses insecure algorithm. The name in the  
certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
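As an added example written for this thread (not VLC's or GnuTLS's code), here is the TOFU approach dkg points to, done by public-key pin rather than by certificate: the client remembers the SHA-256 of the peer's SubjectPublicKeyInfo on first contact and only alarms when that key changes. Keying on the public key means the two-day certificate reissue Floris mentions does not by itself cause a new warning, provided the device keeps the same key across reissues, which the thread does not establish; if the key rotates too, this degrades to exactly the every-two-days warning Floris is worried about. The pin computed here is the same pin-sha256 value gnutls-cli prints in the output above, so a first run of fetch_peer_pin() against 192.168.1.14:8009 can be compared with that line. The function names, the in-memory store and the constructed certificates used by demo() are assumptions.

```python
#!/usr/bin/env python3
"""Trust-on-first-use (TOFU) for a self-signed TLS peer, keyed by public-key pin.

The pin is base64(SHA-256(DER SubjectPublicKeyInfo)), the value gnutls-cli
prints as pin-sha256.  Added example for this bug thread, not VLC or GnuTLS
code; helper names, store layout and demo certificates are assumptions.
"""
import base64
import hashlib
import socket
import ssl


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """List (tag, tlv_start, tlv_end) for every element inside a SEQUENCE body."""
    out, pos = [], start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        out.append((tag, pos, vend))
        pos = vend
    return out


def pin_of_spki(spki_der: bytes) -> str:
    """pin-sha256 encoding of a DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def spki_pin_from_der(cert_der: bytes) -> str:
    """Extract the SubjectPublicKeyInfo from a DER X.509 certificate and pin it."""
    tag, body_start, body_end = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_tlv_start, _ = _children(cert_der, body_start, body_end)[0]
    _, tbs_start, tbs_end = _tlv(cert_der, tbs_tlv_start)   # tbsCertificate body
    fields = _children(cert_der, tbs_start, tbs_end)
    # tbsCertificate: [0] version (optional, tag 0xA0), serialNumber, signature,
    # issuer, validity, subject, subjectPublicKeyInfo, ...
    idx = 6 if fields[0][0] == 0xA0 else 5
    _, spki_start, spki_end = fields[idx]
    return pin_of_spki(cert_der[spki_start:spki_end])


def tofu_check(store: dict, peer: str, pin: str) -> str:
    """'pinned' on first contact (store is updated), 'match' if the stored pin
    agrees, 'MISMATCH' if the peer now presents a different key."""
    known = store.get(peer)
    if known is None:
        store[peer] = pin
        return "pinned"
    return "match" if known == pin else "MISMATCH"


def fetch_peer_pin(host: str, port: int = 8009) -> str:
    """Read the peer's leaf certificate and return its pin.  Chain validation is
    switched off deliberately: trust is decided by tofu_check(), not by a CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return spki_pin_from_der(tls.getpeercert(binary_form=True))


# --- constructed certificates for the offline demo (not real device output) ---
def _der(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV; enough for bodies under 128 bytes."""
    return bytes([tag, len(body)]) + body


def demo_spki(key_bits: bytes) -> bytes:
    """Constructed SPKI: SEQUENCE { AlgorithmIdentifier, BIT STRING key }."""
    return _der(0x30, _der(0x30, b"\x06\x03\x2a\x03\x04") + _der(0x03, b"\x00" + key_bits))


def build_demo_cert(spki: bytes, serial: bytes = b"\x01", with_version: bool = True) -> bytes:
    """Constructed, unsigned X.509 skeleton with the real tbsCertificate field order."""
    fields = [_der(0xA0, _der(0x02, b"\x02"))] if with_version else []
    fields += [_der(0x02, serial), _der(0x30, b""), _der(0x30, b""),
               _der(0x30, b""), _der(0x30, b""), spki]
    tbs = _der(0x30, b"".join(fields))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def demo() -> tuple:
    """First contact pins the key; a reissued certificate (new serial, same key)
    still matches; a certificate carrying a different key is flagged."""
    peer, store = "192.168.1.14:8009", {}
    key_a, key_b = demo_spki(b"\x01\x02\x03"), demo_spki(b"\x09\x09\x09")
    first = tofu_check(store, peer, spki_pin_from_der(build_demo_cert(key_a)))
    reissued = tofu_check(store, peer, spki_pin_from_der(build_demo_cert(key_a, serial=b"\x02")))
    changed = tofu_check(store, peer, spki_pin_from_der(build_demo_cert(key_b)))
    return first, reissued, changed


if __name__ == "__main__":
    print(demo())
```

The store here is a plain dict; a real client would persist it (and show the user the pin when a MISMATCH is reported) so that the decision survives restarts. The DER walk deliberately parses only as far as the SPKI and checks nothing else, because the chain, names and validity dates are exactly what a self-signed, short-lived device certificate cannot usefully prove.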


