Bug#885127: vlc: Cast Chromecast unusable due to gnutls error
jkfloris at dds.nl
Sat Dec 30 00:06:27 UTC 2017
Op Fri, 29 Dec 2017 22:48:30 +0100 schreef Daniel Kahn Gillmor
<dkg at debian.org>:
> On Tue 2017-12-26 22:24:59 +0100, Floris wrote:
>> I'm not sure this is a VLC bug, although I think it is odd that VLC 3
>> a Chromecast feature, but it isn't working. Maybe build vlc without
>> Chromecast support in Debian until Google and/ or GnuTLS has a decent
>> for this issue. Or make a workaround.
> Dropping chromecast support in debian doesn't seem like great option to
> me if it's available upstream. And GnuTLS has at least two different
> fixes available.
> One approach (as noted in my earlier post on this bug report) is to
> explicitly grant that self-signed cert root CA status. But that's
> generally unpleasant, because it means that cert can MITM any of your
> other connections.
> A better approach to connecting to a persistently-named, self-signed
> chromecast stream would be for VLC to take advantage of GnuTLS's "TOFU"
> (trust on first use) functionality:
> or, if we already know that chromecast is never a strongly-secured
> connection, we could just disable authentication on chromecast
> connections (i do not have a chromecast, and i do not know what security
> posture chromecast users expect from their connections).
I think a lot of end users expect the "it just works" method. When you
cast something from Chrome/ Chromium to the Chromecast there isn't a
warning about a certificate. In addition, the certificate issued by the
chromecast is only valid for 2 days. Does it mean that you get a new
warning every two days? So I tend more to the last option.
Processed 149 CA certificate(s).
Connecting to '192.168.1.14:8009'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate info:
- subject `CN=c036e8e6-dce8-c593-4624-e743f8eb7f04', issuer
`CN=c036e8e6-dce8-c593-4624-e743f8eb7f04', serial 0x07b58554, RSA key 2048
bits, signed using RSA-SHA256, activated `2017-12-29 09:57:32 UTC',
expires `2017-12-31 09:57:32 UTC',
Public Key ID:
Public Key PIN:
Public key's random art:
+--[ RSA 2048]----+
| o.So |
| +o.o.ooo |
| .+o. EB+ .|
| oo..o+o+.o |
| .o +=*+o..|
- Status: The certificate is NOT trusted. The certificate issuer is
unknown. The certificate chain uses insecure algorithm. The name in the
certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
More information about the Pkg-gnutls-maint