Page 1 of 1

Radio streams are not working anymore

Posted: 31 May 2020 03:08
by doutor
Hi.

I noticed this issue either in the Linux version than in the Android one. I listen to a Brazilian radio using a URL which has always been working fine in VLC, but since yesterday it does not anymore. The server is alive because I can listen flawlessly using any browser.

I wasn't able to check the log, but VLC just says it cannot be played.

The stream URL is: https://9554.brasilstream.com.br/stream

Thank you.

Re: Radio streams are not working anymore

Posted: 31 May 2020 08:28
by Lotesdelere
Yes, confirmed, and this is the reason why:

Code: Select all

gnutls error: Certificate verification failure: The certificate is NOT trusted. The certificate chain uses expired certificate. main error: TLS session handshake error

Which is strange since the certificate is valid.

And it's playing fine with FFplay:

Code: Select all

Input #0, aac, from 'https://9554.brasilstream.com.br/stream':0/0 Metadata: icy-br : 32 icy-description : A Sua Radio do Bem icy-genre : Rock, Comedy Show, Esporte icy-name : 98 FM - Belo Horizonte icy-pub : 1 icy-url : http://98live.com.br Duration: N/A, bitrate: 30 kb/s Stream #0:0: Audio: aac (HE-AAC), 44100 Hz, stereo, fltp, 30 kb/s 12.23 M-A: 0.000 fd= 0 aq= 7KB vq= 0KB sq= 0B f=0/0

You should create a new ticket on the VLC Trac with the link to your stream and to this thread.
https://trac.videolan.org/vlc/

Re: Radio streams are not working anymore

Posted: 31 May 2020 09:34
by Rémi Denis-Courmont
It looks to me that the server is sending a certificate that expired yesterday:
% gnutls-cli 9554.brasilstream.com.br
Processed 128 CA certificate(s).
Resolving '9554.brasilstream.com.br:443'...
Connecting to '201.48.123.11:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=*.brasilstream.com.br,OU=EssentialSSL Wildcard,OU=Domain Control Validated', issuer `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00e4ce7c83922eea51f655fb555954347c, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-06-16 00:00:00 UTC', expires `2021-06-15 23:59:59 UTC', pin-sha256="OgNwcNo8sA+jKqBttGqwVOfC671azTpfJqsi/1VbuG0="
Public Key ID:
sha1:124700baa641a51eeefef61d41e29d01ae90a64a
sha256:3a037070da3cb00fa32aa06db46ab054e7c2ebbd5acd3a5f26ab22ff555bb86d
Public Key PIN:
pin-sha256:OgNwcNo8sA+jKqBttGqwVOfC671azTpfJqsi/1VbuG0=

- Certificate[1] info:
- subject `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x7d5b5126b476ba11db74160bbc530da7, RSA key 2048 bits, signed using RSA-SHA384, activated `2018-11-02 00:00:00 UTC', expires `2030-12-31 23:59:59 UTC', pin-sha256="4a6cPehI7OG6cuDZka5NDZ7FR8a60d3auda+sKfg4Ng="
- Certificate[2] info:
- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
In any case, this reproduces with gnutls-cli, so it's not a VLC bug. More like a bug an expired cert in the trust store of your operating system, or a bug in GnuTLS. OpenSSL is having similar issues at the moment, so the latter is likely.

Re: Radio streams are not working anymore

Posted: 31 May 2020 09:40
by Rémi Denis-Courmont
Probably this: https://gitlab.com/gnutls/gnutls/-/issues/1008

But the root cause seems to be the server sending an expired root CA in the certificate chain. They should either not send the root CA, or update it.

Re: Radio streams are not working anymore

Posted: 31 May 2020 09:41
by Lotesdelere
It expires on 15 JUNE 2021 at 23:59:59 GMT, it works fine with other players and also in Firefox, I don't know where this reported info comes from but it's wrong.
The Certificate[0] info is correct, the Certificate[2] info is wrong for this stream, so it doesn't pick the correct one.

EDIT:
Ok, it seems to be a known issue then.

Re: Radio streams are not working anymore

Posted: 31 May 2020 10:09
by Rémi Denis-Courmont
It expires on 15 JUNE 2021 at 23:59:59 GMT,
No. That's the expiration date of the server certificate. The root CA certificate is expired (see emphasis) as of yesterday.

Re: Radio streams are not working anymore

Posted: 31 May 2020 10:34
by Rémi Denis-Courmont
I noticed this issue either in the Linux version than in the Android one. I listen to a Brazilian radio using a URL which has always been working fine in VLC, but since yesterday it does not anymore. The server is alive because I can listen flawlessly using any browser.

I wasn't able to check the log, but VLC just says it cannot be played.

The stream URL is: https://9554.brasilstream.com.br/stream
You should disable the expired root CA from your trust store. On Debian/Ubuntu:
  • Run:

    Code: Select all

    $ sudo dpkg-reconfigure ca-certificates
  • Select "Ask"
  • In the list of certificates, make sure that mozilla/AddTrust_External_Root.crt is deselected.
  • Select "Ok"
VLC should now be able to play the radio stream again. However the radio server is really serving an expired certificate, so when all is said and done, this is a server-side configuration error.

Re: Radio streams are not working anymore

Posted: 31 May 2020 11:07
by Rémi Denis-Courmont
Forwarded https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961907

Re: Radio streams are not working anymore

Posted: 02 Jun 2020 00:58
by doutor
Forwarded https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961907
Thank you.

Re: Radio streams are not working anymore

Posted: 08 Jun 2020 16:57
by armislv
Bug was in the GnuTLS, so I think statically linked and windows versions of VLC are still broken.
https://gitlab.com/gnutls/gnutls/-/issues/1008

Re: Radio streams are not working anymore

Posted: 08 Jun 2020 17:14
by Rémi Denis-Courmont
The bug really is in a the server certificate chains. You can work around it either by updating GnuTLS, or the certificates DB, or by manually removing the faulty certificate from the trust DB.

GnuTLS will have to be updated regardless due to an unrelated CVE.

Re: Radio streams are not working anymore

Posted: 11 Jun 2020 13:04
by mario1
what if we are on windows, same problem?

Re: Radio streams are not working anymore

Posted: 11 Jun 2020 17:05
by Rémi Denis-Courmont
Same workarounds and solution on Windows. This depends on the server configuration, not the client OS.

Re: Radio streams are not working anymore

Posted: 13 Jun 2020 20:14
by mario1
But is there something end-user can do to watch stream?
For example
https://wowza.3tcable.hr/Hobi_Kamelija/Hobi_Kamelija.stream/playlist.m3u8
One of Root certificate expired, I contacted them and they have no idea what is the problem and how to solve it.
So, can I as user do something in my VLC to watch it?

Also, it is weird that if you download VLC 4.0 beta, stream is working!?
However, I don't know how to switch back to old desing and where is button to record.
EDIT: Record is not working on vlc-4.0.0-dev-win64-d77d82b4 (no video is saved in My videos)

Re: Radio streams are not working anymore

Posted: 14 Jun 2020 20:25
by Rémi Denis-Courmont
Again: same workarounds on client side (delete the cert, and eventually update GnuTLS) and same solutions on server side (fix the cert chain).

Re: Radio streams are not working anymore

Posted: 31 Aug 2020 19:47
by Kaimbridge
Well, as long as security isn’t an issue, a simple workaround is to just change “https” to “http”! P=)

Re: Radio streams are not working anymore

Posted: 03 Oct 2021 11:22
by R2D2
However the radio server is really serving an expired certificate, so when all is said and done, this is a server-side configuration error.
I get the same error with some radio streams and I have already sent an email to the radio station. :roll:
Well, as long as security isn’t an issue, a simple workaround is to just change “https” to “http”! P=)
I thing this is a good workaroung, as long as the server configuration error is not fixed. :D

Re: Radio streams are not working anymore

Posted: 03 Oct 2021 12:39
by Lotesdelere