Radio streams are not working anymore

[doutor]

Hi.

I noticed this issue either in the Linux version than in the Android one. I listen to a Brazilian radio using a URL which has always been working fine in VLC, but since yesterday it does not anymore. The server is alive because I can listen flawlessly using any browser.

I wasn't able to check the log, but VLC just says it cannot be played.

The stream URL is: https://9554.brasilstream.com.br/stream

Thank you.

[Lotesdelere]

Yes, confirmed, and this is the reason why:

Code: Select all

gnutls error: Certificate verification failure: The certificate is NOT trusted. The certificate chain uses expired certificate. main error: TLS session handshake error

Which is strange since the certificate is valid.

And it's playing fine with FFplay:

Code: Select all

Input #0, aac, from 'https://9554.brasilstream.com.br/stream':0/0 Metadata: icy-br : 32 icy-description : A Sua Radio do Bem icy-genre : Rock, Comedy Show, Esporte icy-name : 98 FM - Belo Horizonte icy-pub : 1 icy-url : http://98live.com.br Duration: N/A, bitrate: 30 kb/s Stream #0:0: Audio: aac (HE-AAC), 44100 Hz, stereo, fltp, 30 kb/s 12.23 M-A: 0.000 fd= 0 aq= 7KB vq= 0KB sq= 0B f=0/0

You should create a new ticket on the VLC Trac with the link to your stream and to this thread.
https://trac.videolan.org/vlc/

[Rémi Denis-Courmont]

It looks to me that the server is sending a certificate that expired yesterday:

% gnutls-cli 9554.brasilstream.com.br
Processed 128 CA certificate(s).
Resolving '9554.brasilstream.com.br:443'...
Connecting to '201.48.123.11:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=*.brasilstream.com.br,OU=EssentialSSL Wildcard,OU=Domain Control Validated', issuer `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00e4ce7c83922eea51f655fb555954347c, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-06-16 00:00:00 UTC', expires `2021-06-15 23:59:59 UTC', pin-sha256="OgNwcNo8sA+jKqBttGqwVOfC671azTpfJqsi/1VbuG0="
Public Key ID:
sha1:124700baa641a51eeefef61d41e29d01ae90a64a
sha256:3a037070da3cb00fa32aa06db46ab054e7c2ebbd5acd3a5f26ab22ff555bb86d
Public Key PIN:
pin-sha256:OgNwcNo8sA+jKqBttGqwVOfC671azTpfJqsi/1VbuG0=

- Certificate[1] info:
- subject `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x7d5b5126b476ba11db74160bbc530da7, RSA key 2048 bits, signed using RSA-SHA384, activated `2018-11-02 00:00:00 UTC', expires `2030-12-31 23:59:59 UTC', pin-sha256="4a6cPehI7OG6cuDZka5NDZ7FR8a60d3auda+sKfg4Ng="
- Certificate[2] info:
- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

In any case, this reproduces with gnutls-cli, so it's not a VLC bug. More like a bug an expired cert in the trust store of your operating system, or a bug in GnuTLS. OpenSSL is having similar issues at the moment, so the latter is likely.

[Rémi Denis-Courmont]

Probably this: https://gitlab.com/gnutls/gnutls/-/issues/1008

But the root cause seems to be the server sending an expired root CA in the certificate chain. They should either not send the root CA, or update it.

[Lotesdelere]

It expires on 15 JUNE 2021 at 23:59:59 GMT, it works fine with other players and also in Firefox, I don't know where this reported info comes from but it's wrong.
The Certificate[0] info is correct, the Certificate[2] info is wrong for this stream, so it doesn't pick the correct one.

EDIT:
Ok, it seems to be a known issue then.

[Rémi Denis-Courmont]

It expires on 15 JUNE 2021 at 23:59:59 GMT,

No. That's the expiration date of the server certificate. The root CA certificate is expired (see emphasis) as of yesterday.

[Rémi Denis-Courmont]

I noticed this issue either in the Linux version than in the Android one. I listen to a Brazilian radio using a URL which has always been working fine in VLC, but since yesterday it does not anymore. The server is alive because I can listen flawlessly using any browser.

I wasn't able to check the log, but VLC just says it cannot be played.

The stream URL is: https://9554.brasilstream.com.br/stream

You should disable the expired root CA from your trust store. On Debian/Ubuntu:

• Run:

  Code: Select all

  $ sudo dpkg-reconfigure ca-certificates
• Select "Ask"
• In the list of certificates, make sure that mozilla/AddTrust_External_Root.crt is deselected.
• Select "Ok"

VLC should now be able to play the radio stream again. However the radio server is really serving an expired certificate, so when all is said and done, this is a server-side configuration error.

[Rémi Denis-Courmont]

Forwarded https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961907

[doutor]

Forwarded https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961907

Thank you.

[armislv]

Bug was in the GnuTLS, so I think statically linked and windows versions of VLC are still broken.
https://gitlab.com/gnutls/gnutls/-/issues/1008

[Rémi Denis-Courmont]

The bug really is in a the server certificate chains. You can work around it either by updating GnuTLS, or the certificates DB, or by manually removing the faulty certificate from the trust DB.

GnuTLS will have to be updated regardless due to an unrelated CVE.

[mario1]

what if we are on windows, same problem?

[Rémi Denis-Courmont]

Same workarounds and solution on Windows. This depends on the server configuration, not the client OS.

[mario1]

But is there something end-user can do to watch stream?
For example
https://wowza.3tcable.hr/Hobi_Kamelija/Hobi_Kamelija.stream/playlist.m3u8
One of Root certificate expired, I contacted them and they have no idea what is the problem and how to solve it.
So, can I as user do something in my VLC to watch it?

Also, it is weird that if you download VLC 4.0 beta, stream is working!?
However, I don't know how to switch back to old desing and where is button to record.
EDIT: Record is not working on vlc-4.0.0-dev-win64-d77d82b4 (no video is saved in My videos)

[Rémi Denis-Courmont]

Again: same workarounds on client side (delete the cert, and eventually update GnuTLS) and same solutions on server side (fix the cert chain).

[Kaimbridge]

Well, as long as security isn’t an issue, a simple workaround is to just change “https” to “http”! P=)

[R2D2]

However the radio server is really serving an expired certificate, so when all is said and done, this is a server-side configuration error.

I get the same error with some radio streams and I have already sent an email to the radio station.

Well, as long as security isn’t an issue, a simple workaround is to just change “https” to “http”! P=)

I thing this is a good workaroung, as long as the server configuration error is not fixed.

[Lotesdelere]

https://forum.videolan.org/viewtopic.php?f=14&t=158294

The issue might have something to do with this:
https://letsencrypt.org/docs/dst-root-c ... mber-2021/
https://www.identrust.com/support/downloads
https://scotthelme.co.uk/lets-encrypt-o ... xpiration/
https://github.com/win-acme/win-acme/issues/1843