
gnutls [SSL] streaming broken?

Posted: 15 Nov 2009 08:34
by orbisvicis
Details:
since 1.x.x
only on windows: xp,vista,7 (works fine @ linux)
put the cert @ C:\Users\orbisvicis\AppData\Roaming\vlc\ssl\certs\CA-certificate.pem

Is it a windows thing? Some networking update? Also GnuTLS is waaay outdated (latest is 2.9.9 - vlc uses 2.6.3)

Anyway here is the log:

main debug: processing request item Tomorrow node Playlist skip 0
main debug: resyncing on Tomorrow
main debug: Tomorrow is at 0
main debug: starting new item
main debug: creating new input thread
main debug: Creating an input for 'Tomorrow'
main debug: thread (input) created at priority 1 (../.././src/input/input.c:230)
qt4 debug: IM: Setting an input
main debug: thread started
main debug: using timeshift granularity of 50 MBytes
main debug: using timeshift path 'C:\Users\orbisvicis\AppData\Local\Temp'
main debug: `https://my.website.net:myport/ampache-3.5.1/play/index.php?sid=0f23a357e14415571d7ef74465100316&oid=3054&uid=4&name=/Kemopetrol%20-%20Tomorrow.ogg' gives access `https' demux `' path `my.website.net:myport/ampache-3.5.1/play/index.php?sid=0f23a357e14415571d7ef74465100316&oid=3054&uid=4&name=/Kemopetrol%20-%20Tomorrow.ogg'
main debug: creating demux: access='https' demux='' path='my.website.net:myport/ampache-3.5.1/play/index.php?sid=0f23a357e14415571d7ef74465100316&oid=3054&uid=4&name=/Kemopetrol%20-%20Tomorrow.ogg'
main debug: looking for access_demux module: 0 candidates
main debug: no access_demux module matched "https"
main debug: TIMER module_need() : 1.000 ms - Total 1.000 ms / 1 intvls (Avg 1.000 ms)
main debug: creating access 'https' path='my.website.net:myport/ampache-3.5.1/play/index.php?sid=0f23a357e14415571d7ef74465100316&oid=3054&uid=4&name=/Kemopetrol%20-%20Tomorrow.ogg'
main debug: looking for access module: 1 candidate
access_http debug: http: server='my.website.net' port=myport file='/ampache-3.5.1/play/index.php?sid=0f23a357e14415571d7ef74465100316&oid=3054&uid=4&name=/Kemopetrol%20-%20Tomorrow.ogg
main debug: net: connecting to my.website.net port myport
qt4 debug: Updating the geometry
qt4 debug: Updating the geometry
main debug: connection: Resource temporarily unavailable
main debug: connection succeeded (socket = 912)
main debug: requested server name: my.website.net
main debug: looking for tls client module: 1 candidate
gnutls debug: GnuTLS v2.6.3 initialized
gnutls debug: added x509 credentials (C:\Users\orbisvicis\AppData\Roaming\vlc/ssl/certs\CA-certificate.pem)
gnutls warning: cannot add x509 credentials (C:\ProgramData/ssl/certs/ca-certificates.crt): No such file or directory
main debug: using tls client module "gnutls"
main debug: TIMER module_need() : 5.000 ms - Total 5.000 ms / 1 intvls (Avg 5.000 ms)
gnutls debug: TLS/x509 certificate verified
main debug: TLS client session initialized
access_http debug: protocol 'HTTP' answer code 200
access_http debug: Server: Apache/2.2.8 (Ubuntu) mod_auth_kerb/5.3 DAV/2 mod_fastcgi/2.4.6 mod_gnutls/0.5.5 mod_ldap_userdir/1.1.12-20070601 Line-Edit/1.0.0 SVN/1.6.1 Phusion_Passenger/2.2.2 PHP/5.2.6-2ubuntu4 with Suhosin-Patch proxy_html/3.0.0 mod_wsgi/3.0c1 Python/2.5.2 mod_perl/2.0.3 Perl/v5.8.8
access_http debug: this frame size=8294540
access_http debug: Content-Type: application/ogg
main debug: using access module "access_http"
main debug: TIMER module_need() : 949.000 ms - Total 949.000 ms / 1 intvls (Avg 949.000 ms)
main debug: Using AStream*Stream
main debug: pre buffering
main error: Read error: No error
gnutls debug: GnuTLS deinitialized
main debug: removing module "gnutls"
main error: cannot pre fill buffer
main warning: cannot create a stream_t from access
main debug: removing module "access_http"
main debug: waitpipe: object killed
main debug: thread ended
main debug: dead input
main debug: thread times: real 0m0.954054s, kernel 0m0.093600s, user 0m0.608403s
main debug: changing item without a request (current 0/1)
main debug: nothing to play
qt4 debug: IM: Deleting the input
qt4 debug: Updating the geometry
qt4 debug: Updating the geometry
main debug: TIMER input launching for 'Tomorrow' : 1002.000 ms - Total 1002.000 ms / 1 intvls (Avg 1002.000 ms)
Odd error, huh? I've got it on several machines.

Re: gnutls [SSL] streaming broken?

Posted: 15 Nov 2009 20:18
by VLC_help
If you know how to use Wireshark, you could compare working and non-working setups to see what is the issue.

Re: gnutls [SSL] streaming broken?

Posted: 16 Nov 2009 05:18
by orbisvicis
I dumped pcap logs from both Windows and Linux, which for security reasons I would rather not post here.

The Windows log was immediately recognized by Wireshark as SSL traffic. The Linux log seemed like normal (but gobbledygook) TCP traffic until I provided the server's private key to decode the stream, after which it became very similar to the Windows log:

{{{
An aside: it is not possible that linux-vlc talks via HTTP instead of HTTPS. The Apache server cannot serve non-TLS content, and no other media player can decrypt the streams.
So why does Wireshark not recognize the Linux stream until a key is provided? Is it falsely decrypting the Linux TCP stream based on a general SSL template?
Except I found that text (such as URLs) was correctly decrypted...
}}}

In any case this is what I see:

Linux:

TLSv1.1 Client Hello
TLSv1.1 Server Hello
TLSv1.1 Certificate
TLSv1.1 Server Key Exchange
TLSv1.1 Server Hello Done
TLSv1.1 Client Key Exchange
TLSv1.1 Change Cipher Spec, Encrypted Handshake Message
TLSv1.1 Change Cipher Spec
TLSv1.1 Encrypted Handshake Message
TLSv1.1 Application Data
TLSv1.1 Application Data, Application Data, Application Data, Application Data
TLSv1.1 Application Data
... (many times repeated)
TLSv1.1 Application Data
TLSv1.1 Continuation Data
TLSv1.1 Encrypted Alert

Windows:

SSL Client Hello
TLSv1.1 Server Hello
TLSv1.1 Certificate
TLSv1.1 Server Key Exchange
TLSv1.1 Server Hello Done
TLSv1.1 Client Key Exchange
TLSv1.1 Change Cipher Spec, Encrypted Handshake Message
TLSv1.1 Change Cipher Spec
TLSv1.1 Encrypted Handshake Message
TLSv1.1 Application Data
TLSv1.1 Application Data, Application Data, Application Data, Application Data
TLSv1.1 Application Data
TLSv1.1 Encrypted Alert
TLSv1.1 Application Data

**big disclaimer: not really sure what I was doing with wireshark
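To make the two summaries above comparable, here is an added Python example (not from the thread, VLC or Wireshark) that splits each run-together Info column into packets and reports where the Linux and Windows sessions differ. It assumes the "... (many times repeated)" marker can be dropped before parsing.

```python
"""Split two Wireshark 'Info' summaries of a TLS session into packets and
report where the Linux and Windows sessions diverge."""
import difflib
import re

# Constructed from the two summaries posted above; the handshake and the
# first application-data packets are identical, so they are shared here.
COMMON = ("TLSv1.1 Server Hello TLSv1.1 Certificate TLSv1.1 Server Key Exchange "
          "TLSv1.1 Server Hello Done TLSv1.1 Client Key Exchange "
          "TLSv1.1 Change Cipher Spec, Encrypted Handshake Message "
          "TLSv1.1 Change Cipher Spec TLSv1.1 Encrypted Handshake Message "
          "TLSv1.1 Application Data TLSv1.1 Application Data, Application Data, "
          "Application Data, Application Data TLSv1.1 Application Data ")
LINUX_CAPTURE = ("TLSv1.1 Client Hello " + COMMON + "... (many times repeated) "
                 "TLSv1.1 Application Data TLSv1.1 Continuation Data TLSv1.1 Encrypted Alert")
WINDOWS_CAPTURE = ("SSL Client Hello " + COMMON +
                   "TLSv1.1 Encrypted Alert TLSv1.1 Application Data")

PROTO_TAG = re.compile(r"\s*\b(SSL|TLSv1\.\d)\s+")  # label that starts each packet
ELISION = re.compile(r"\s*\.\.\.\s*\([^)]*\)")      # '... (many times repeated)'


def parse_summary(text):
    """Return [(protocol_label, (message, ...)), ...]; several records carried
    in one packet appear comma-separated in Wireshark's Info column."""
    parts = PROTO_TAG.split(ELISION.sub(" ", text).strip())
    # parts = [text before the first label (empty here), label, body, label, body, ...]
    return [(tag, tuple(m.strip() for m in body.split(",")))
            for tag, body in zip(parts[1::2], parts[2::2])]


def tag_mismatches(a, b):
    """Positions where the same packet carries a different protocol label
    (here the Windows Client Hello is labelled 'SSL', not 'TLSv1.1')."""
    return [(i, x[0], y[0]) for i, (x, y) in enumerate(zip(a, b)) if x[0] != y[0]]


def message_diff(a, b):
    """Non-equal difflib opcodes over the message sequences, labels ignored."""
    sm = difflib.SequenceMatcher(a=[p[1] for p in a], b=[p[1] for p in b], autojunk=False)
    return [(op, a[i1:i2], b[j1:j2]) for op, i1, i2, j1, j2 in sm.get_opcodes() if op != "equal"]


if __name__ == "__main__":
    linux, windows = parse_summary(LINUX_CAPTURE), parse_summary(WINDOWS_CAPTURE)
    print("label mismatches:", tag_mismatches(linux, windows))
    for op, left, right in message_diff(linux, windows):
        print(op, [p[1] for p in left], "->", [p[1] for p in right])
```

On the two captures above this reports the Client Hello label difference and that Windows receives the Encrypted Alert before its last Application Data packet, where Linux sees Continuation Data and then the alert.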

Re: gnutls [SSL] streaming broken?

Posted: 06 Dec 2009 19:20
by Rémi Denis-Courmont
VLC tries to negotiate TLS versions 1.1 and 1.0 if available. Unless you're dealing with an old SSLv3-only server, you will only see TLS, not SSL.

Re: gnutls [SSL] streaming broken?

Posted: 07 Dec 2009 16:50
by orbisvicis
The server uses mod_gnutls 0.5.5:

GnuTLSEnable on
GnuTLSPriorities NONE:+CAMELLIA-256-CBC:+AES-256-CBC:+DHE-RSA:+SHA1:+COMP-NULL:+COMP-DEFLATE:+VERS-TLS1.1:+VERS-SSL3.0
GnuTLSExportCertificates on
GnuTLSCertificateFile /x509/tls/nodes/chains/my-server-chain.pem
GnuTLSKeyFile /x509/tls/nodes/keys/my-server-key.rsa.pem
GnuTLSDHFile /x509/tls/diffie-hellman/dh2048.pem
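As an added example (not part of the thread, VLC or mod_gnutls), this Python snippet parses the GnuTLSPriorities value above, takes the earlier reply's statement that VLC offers TLS 1.1 and TLS 1.0 as its assumption about the client, works out the version the two sides would settle on, and lists the settings a reviewer of this config would normally question.

```python
"""Parse a GnuTLS priority string and work out which protocol version a
client offering a given list of versions would negotiate with it."""

# Constructed copy of the GnuTLSPriorities value quoted above.
SERVER_PRIORITIES = ("NONE:+CAMELLIA-256-CBC:+AES-256-CBC:+DHE-RSA:+SHA1"
                     ":+COMP-NULL:+COMP-DEFLATE:+VERS-TLS1.1:+VERS-SSL3.0")
# Assumption: VLC 1.x offers TLS 1.1 and TLS 1.0, as the earlier reply states.
VLC_CLIENT_VERSIONS = ("TLS1.1", "TLS1.0")
# Higher rank = newer protocol; used to pick the best common version.
VERSION_RANK = {"SSL3.0": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3}


def parse_priorities(spec):
    """Apply the +/-/! modifiers and return the set of enabled keywords.
    Handles explicit lists built from NONE (like the one above); preset
    bundles such as NORMAL need GnuTLS's expansion tables and are rejected."""
    enabled = set()
    for token in spec.split(":"):
        if token == "NONE":
            enabled.clear()
        elif token.startswith("+"):
            enabled.add(token[1:])
        elif token[:1] in ("-", "!"):
            enabled.discard(token[1:])
        else:
            raise ValueError("unsupported priority keyword: %r" % token)
    return enabled


def enabled_versions(spec):
    """Protocol versions the string enables, e.g. {'TLS1.1', 'SSL3.0'}."""
    return {k[len("VERS-"):] for k in parse_priorities(spec) if k.startswith("VERS-")}


def negotiate_version(client_versions, spec):
    """Newest version the client offers that the server also enables, or
    None when there is no overlap (the handshake would then fail)."""
    common = [v for v in client_versions if v in enabled_versions(spec)]
    return max(common, key=lambda v: VERSION_RANK.get(v, -1)) if common else None


def audit(spec):
    """Settings a reviewer of this priority string would normally question."""
    enabled, versions = parse_priorities(spec), enabled_versions(spec)
    findings = []
    if "SSL3.0" in versions:
        findings.append("SSL 3.0 is still enabled")
    if "COMP-DEFLATE" in enabled:
        findings.append("TLS-level compression (COMP-DEFLATE) is enabled")
    if "TLS1.0" not in versions:
        findings.append("TLS 1.0 is not enabled, so TLS 1.0-only clients cannot connect")
    return findings
```

With this server string, a client offering TLS 1.1 and 1.0 lands on TLS 1.1, which matches the captures above and the reply that the handshake itself looks normal.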

Re: gnutls [SSL] streaming broken?

Posted: 07 Dec 2009 17:25
by Rémi Denis-Courmont
So the behaviour is perfectly normal. I don't see anything wrong with your Linux capture.

Re: gnutls [SSL] streaming broken?

Posted: 07 Dec 2009 17:34
by orbisvicis
I posted the linux capture simply to contrast the windows capture, since vlc-https-on-linux seems to work fine while vlc-https-on-windows does not.

Re: gnutls [SSL] streaming broken?

Posted: 07 Dec 2009 19:01
by orbisvicis
(both captures are from the same server)