Bug#885127: vlc: Cast Chromecast unusable due to gnutls error
remi at remlab.net
Sat Dec 30 09:21:00 UTC 2017
tags 885127 - moreinfo unreproducible
On Friday 29 December 2017 16:48:30 EET Daniel Kahn Gillmor wrote:
> On Tue 2017-12-26 22:24:59 +0100, Floris wrote:
> > I'm not sure this is a VLC bug, although I think it is odd that VLC 3 has
> > a Chromecast feature, but it isn't working. Maybe build vlc without
> > Chromecast support in Debian until Google and/or GnuTLS has a decent fix
> > for this issue. Or make a workaround.
> Dropping chromecast support in debian doesn't seem like a great option to
> me if it's available upstream. And GnuTLS has at least two different
> fixes available.
> One approach (as noted in my earlier post on this bug report) is to
> explicitly grant that self-signed cert root CA status. But that's
> generally unpleasant, because it means that cert can MITM any of your
> other connections.
> A better approach to connecting to a persistently-named, self-signed
> chromecast stream would be for VLC to take advantage of GnuTLS's "TOFU"
> (trust on first use) functionality:
VLC already supports that feature - if the root CA is unknown and/or the
hostname does not match the certificate common name, but everything else is
The whole point of this bug report is that some GnuTLS update broke this
feature by adding the insecure algorithm error flag on self-signed
certificates. VLC should not accept MD2 or MD5 certificate chains ever, so it
fails hard if that flag is set (ditto expired certificate).
And this is trivially reproducible; we already provided multiple ways to do
that, with either gnutls-bin or VLC.
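
The policy discussed in this message, sketched as an added example (not VLC's or GnuTLS's code, and not part of the original mail): unknown-signer and hostname-mismatch results fall through to a trust-on-first-use pin check, while an insecure-algorithm or expired result is rejected before any pin is consulted. The status bit names and values, `tofu_decide`, `demo` and the pin store are all hypothetical stand-ins.

```c
#include <stdint.h>
#include <string.h>

/* Stand-ins for the verification status bits the message refers to.
   Names and values are this example's own, not those of gnutls.h. */
enum {
    ST_INVALID            = 1u << 0, /* summary bit, set with any bit below */
    ST_SIGNER_NOT_FOUND   = 1u << 1, /* unknown root CA, e.g. self-signed */
    ST_UNEXPECTED_OWNER   = 1u << 2, /* hostname does not match the certificate */
    ST_INSECURE_ALGORITHM = 1u << 3, /* e.g. MD2 or MD5 in the chain */
    ST_EXPIRED            = 1u << 4
};

typedef enum { TLS_ACCEPT, TLS_ASK_USER, TLS_PIN_MISMATCH, TLS_REJECT } verdict_t;

#define FP_LEN 32
struct pin { const char *host; uint8_t fp[FP_LEN]; };

/* Constructed pin store: one host remembered from an earlier session. */
static const struct pin SAMPLE_PINS[] = { { "chromecast.local", { 0xAA } } };

verdict_t tofu_decide(unsigned status, const char *host, const uint8_t *fp,
                      const struct pin *pins, size_t npins)
{
    const unsigned soft = ST_INVALID | ST_SIGNER_NOT_FOUND | ST_UNEXPECTED_OWNER;

    if (status == 0)
        return TLS_ACCEPT;            /* chain validated against the trust store */
    if (status & ~soft)
        return TLS_REJECT;            /* insecure algorithm, expired, or unknown bit */
    for (size_t i = 0; i < npins; i++)
        if (strcmp(pins[i].host, host) == 0)
            return memcmp(pins[i].fp, fp, FP_LEN) == 0 ? TLS_ACCEPT
                                                       : TLS_PIN_MISMATCH;
    return TLS_ASK_USER;              /* first use: user decides whether to pin */
}

/* Helper for trying the policy against SAMPLE_PINS; b0 is the first
   fingerprint byte, the rest are zero. */
verdict_t demo(unsigned status, const char *host, uint8_t b0)
{
    uint8_t fp[FP_LEN] = { 0 };
    fp[0] = b0;
    return tofu_decide(status, host, fp, SAMPLE_PINS,
                       sizeof SAMPLE_PINS / sizeof SAMPLE_PINS[0]);
}
```

If a library update starts setting the insecure-algorithm bit on every self-signed certificate, this policy rejects even a host whose pin matches, which is the breakage reported in this bug.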