Page 1 of 1

vlc 1.1.0 gnutls problem

Posted: 01 Jul 2010 12:49
by thiloj
G'day

I have an ssl server with certs and set it all up properly (no cert is expired!)
With vlc < 1.1.0 It all worked!

Since 1.1.0 I get:

gnutls debug: GnuTLS v2.8.6 initialized
gnutls warning: cannot add x509 credentials (C:\Documents and Settings\All Users\Application Data/ssl/certs/ca-certificates.crt): No error
main debug: using tls client module "gnutls"
main debug: TIMER module_need() : 11.000 ms - Total 11.000 ms / 1 intvls (Avg 11.000 ms)
qt4 debug: IM: Setting an input
gnutls error: TLS session: access denied
gnutls error: Certificate could not be verified
gnutls error: Certificate's signer was not found
main error: TLS client session handshake error
gnutls debug: GnuTLS deinitialized

I verified with a cygwin gnutls-cli that the certfiles and connections still work
the gnutls debug gives the following server profile (if something has changed in the supported ciphers/proto's... )

Any help is appreciated
thilo
gnutls-cli-debug.exe -p 443 maggi
Resolving 'maggi'...
Connecting to '192.168.0.9:443'...
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... TLS 1.0
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for HTTPS server name... not checked
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether we need to disable TLS 1.0... N/A
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... no
Checking for certificate information... N/A
Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... no
Checking for export-grade ciphersuite support... yes
Checking RSA-export ciphersuite info... N/A
Checking for anonymous authentication support... no
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... yes
Checking ephemeral Diffie-Hellman group info... N/A
Checking for AES cipher support (TLS extension)... yes
Checking for CAMELLIA cipher support (TLS extension)... yes
Checking for 3DES cipher support... yes
Checking for ARCFOUR 128 cipher support... yes
Checking for ARCFOUR 40 cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for LZO compression support (GnuTLS extension)... no
Checking for max record size (TLS extension)... no
Checking for SRP authentication support (TLS extension)... yes
Checking for OpenPGP authentication support (TLS extension)... no

Re: vlc 1.1.0 gnutls problem

Posted: 01 Jul 2010 17:55
by Jean-Baptiste Kempf
GnuTLS is likely broken in Win32 version of VLC.
I am not sure I have much time and incentive to fix it soon.

Re: vlc 1.1.0 gnutls problem

Posted: 03 Jul 2010 12:27
by thiloj
Are there any major changes from 1.0x to 1.1 in that area?
I do have some spare cycles, so I wouldn't mind having a look there.

Are there any changes between release and head that would affect gnutls?
(I would prefer to use the release branch, but if anyone advises against.... )

Can you tell me where the "No error" message comes from?
If I read the code correct:
--modules/misc/gnutls.c:605--
int res = b_priv
? gnutls_certificate_set_x509_key_mem (cred, &data, &data,
GNUTLS_X509_FMT_PEM)
: gnutls_certificate_set_x509_trust_mem (cred, &data,
GNUTLS_X509_FMT_PEM);
block_Release (block);

if (res < 0)
{
msg_Warn (p_this, "cannot add x509 credentials (%s): %s",
psz_path, gnutls_strerror (res));
return VLC_EGENERIC;
}
====

gnutls_strerror should return "No Error" but the tls-2.8.6 sources have absolutly no such message,
If it doesn't understand the error-# it returns "unknown error".
Who prints "No error" ?


Apologies if I'm using the wrong forum here, please let me know where I should ask this otherwise.


== gnutls-2.8.6/lib/gnutls_errors.c:330 ==
gnutls_strerror (int error)
{
const char *ret = NULL;
const gnutls_error_entry *p;

for (p = error_algorithms; p->desc != NULL; p++)
{
if (p->number == error)
{
ret = p->desc;
break;
}
}

/* avoid prefix */
if (ret == NULL)
return _("(unknown error code)");

return _(ret);
}

cheers thilo

Re: vlc 1.1.0 gnutls problem

Posted: 17 Oct 2010 22:27
by eins78
I've encountered the same problem in VLC 1.1.3 for Mac (also with the nightly build). However, there is an easy fix, which worked for me.
VLC is looking for an ca-certificates.crt in an …/ssl/certs folder in its Preferences folder. In OS X, you see all your Certificated in "Keychain Acces". Select all, export to something.cert, rename to ca-certificates.crt and move to ~/Library/Preferences/org.videolan.vlc/ssl/certs/.
I don't know how to do that in windows, but you can always grab this file with the common root-certs (like the ones in Firefox) from any Ubuntu (or other Linux) from /etc/ssl/certs.