vlc 1.1.0 gnutls problem

For questions and discussion that is NOT (I repeat NOT) specific to a certain Operating System.
thiloj
New Cone
New Cone
Posts: 2
Joined: 01 Jul 2010 12:37

vlc 1.1.0 gnutls problem

Postby thiloj » 01 Jul 2010 12:49

G'day

I have an ssl server with certs and set it all up properly (no cert is expired!)
With vlc < 1.1.0 It all worked!

Since 1.1.0 I get:

gnutls debug: GnuTLS v2.8.6 initialized
gnutls warning: cannot add x509 credentials (C:\Documents and Settings\All Users\Application Data/ssl/certs/ca-certificates.crt): No error
main debug: using tls client module "gnutls"
main debug: TIMER module_need() : 11.000 ms - Total 11.000 ms / 1 intvls (Avg 11.000 ms)
qt4 debug: IM: Setting an input
gnutls error: TLS session: access denied
gnutls error: Certificate could not be verified
gnutls error: Certificate's signer was not found
main error: TLS client session handshake error
gnutls debug: GnuTLS deinitialized

I verified with a cygwin gnutls-cli that the certfiles and connections still work
the gnutls debug gives the following server profile (if something has changed in the supported ciphers/proto's... )

Any help is appreciated
thilo
gnutls-cli-debug.exe -p 443 maggi
Resolving 'maggi'...
Connecting to '192.168.0.9:443'...
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... TLS 1.0
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for HTTPS server name... not checked
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether we need to disable TLS 1.0... N/A
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... no
Checking for certificate information... N/A
Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... no
Checking for export-grade ciphersuite support... yes
Checking RSA-export ciphersuite info... N/A
Checking for anonymous authentication support... no
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... yes
Checking ephemeral Diffie-Hellman group info... N/A
Checking for AES cipher support (TLS extension)... yes
Checking for CAMELLIA cipher support (TLS extension)... yes
Checking for 3DES cipher support... yes
Checking for ARCFOUR 128 cipher support... yes
Checking for ARCFOUR 40 cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for LZO compression support (GnuTLS extension)... no
Checking for max record size (TLS extension)... no
Checking for SRP authentication support (TLS extension)... yes
Checking for OpenPGP authentication support (TLS extension)... no

Jean-Baptiste Kempf
Site Administrator
Site Administrator
Posts: 37523
Joined: 22 Jul 2005 15:29
VLC version: 4.0.0-git
Operating System: Linux, Windows, Mac
Location: Cone, France
Contact:

Re: vlc 1.1.0 gnutls problem

Postby Jean-Baptiste Kempf » 01 Jul 2010 17:55

GnuTLS is likely broken in Win32 version of VLC.
I am not sure I have much time and incentive to fix it soon.
Jean-Baptiste Kempf
http://www.jbkempf.com/ - http://www.jbkempf.com/blog/category/Videolan
VLC media player developer, VideoLAN President and Sites administrator
If you want an answer to your question, just be specific and precise. Don't use Private Messages.

thiloj
New Cone
New Cone
Posts: 2
Joined: 01 Jul 2010 12:37

Re: vlc 1.1.0 gnutls problem

Postby thiloj » 03 Jul 2010 12:27

Are there any major changes from 1.0x to 1.1 in that area?
I do have some spare cycles, so I wouldn't mind having a look there.

Are there any changes between release and head that would affect gnutls?
(I would prefer to use the release branch, but if anyone advises against.... )

Can you tell me where the "No error" message comes from?
If I read the code correct:
--modules/misc/gnutls.c:605--
int res = b_priv
? gnutls_certificate_set_x509_key_mem (cred, &data, &data,
GNUTLS_X509_FMT_PEM)
: gnutls_certificate_set_x509_trust_mem (cred, &data,
GNUTLS_X509_FMT_PEM);
block_Release (block);

if (res < 0)
{
msg_Warn (p_this, "cannot add x509 credentials (%s): %s",
psz_path, gnutls_strerror (res));
return VLC_EGENERIC;
}
====

gnutls_strerror should return "No Error" but the tls-2.8.6 sources have absolutly no such message,
If it doesn't understand the error-# it returns "unknown error".
Who prints "No error" ?


Apologies if I'm using the wrong forum here, please let me know where I should ask this otherwise.


== gnutls-2.8.6/lib/gnutls_errors.c:330 ==
gnutls_strerror (int error)
{
const char *ret = NULL;
const gnutls_error_entry *p;

for (p = error_algorithms; p->desc != NULL; p++)
{
if (p->number == error)
{
ret = p->desc;
break;
}
}

/* avoid prefix */
if (ret == NULL)
return _("(unknown error code)");

return _(ret);
}

cheers thilo

eins78
New Cone
New Cone
Posts: 1
Joined: 17 Oct 2010 22:17

Re: vlc 1.1.0 gnutls problem

Postby eins78 » 17 Oct 2010 22:27

I've encountered the same problem in VLC 1.1.3 for Mac (also with the nightly build). However, there is an easy fix, which worked for me.
VLC is looking for an ca-certificates.crt in an …/ssl/certs folder in its Preferences folder. In OS X, you see all your Certificated in "Keychain Acces". Select all, export to something.cert, rename to ca-certificates.crt and move to ~/Library/Preferences/org.videolan.vlc/ssl/certs/.
I don't know how to do that in windows, but you can always grab this file with the common root-certs (like the ones in Firefox) from any Ubuntu (or other Linux) from /etc/ssl/certs.


Return to “General VLC media player Troubleshooting”

Who is online

Users browsing this forum: LaMorte and 15 guests