vlc https/ssl/tls options: 0.9.x? planned?

For questions and discussion that is NOT (I repeat NOT) specific to a certain Operating System.
orbisvicis
Blank Cone
Blank Cone
Posts: 10
Joined: 26 Oct 2008 03:38

vlc https/ssl/tls options: 0.9.x? planned?

Postby orbisvicis » 15 Nov 2008 08:29

These two features are very important and were present in vlc 0.8:

disable host root authority checks
-important when people prefer creating personal/private x509 infrastructures. Also important for all the many self-signed websites.

disable certificate validation checks
-lots of websites use invalid certificates, including my school. Most often are expired certificates. When certificates expire users would still like to access multimedia on these websites.

More detail at this post
viewtopic.php?f=12&t=51774

Can we expect these options to be eventually re-implemented?

Rémi Denis-Courmont
Developer
Developer
Posts: 15267
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: vlc https/ssl/tls options: 0.9.x? planned?

Postby Rémi Denis-Courmont » 24 Nov 2008 22:19

The security model of TLS is such that it's basically useless overhead if you don't check certificates. You might as well not use TLS.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

orbisvicis
Blank Cone
Blank Cone
Posts: 10
Joined: 26 Oct 2008 03:38

Re: vlc https/ssl/tls options: 0.9.x? planned?

Postby orbisvicis » 25 Nov 2008 09:23

I wouldnt call it 'useless overhead' because tls will nonetheless encrypt the stream.

Unfortunately clients have no control over external servers equiping invalid/self-signed certificates. A server using tls atm will be inaccessible to vlc.

In order to keep the security model of tls intact, vlc could implement capabilities similar to firefox:
-certificate manager: ability to add self-signed certs per FQDNs. This augments the default selection of root/accepted certificates shipped with the openssl package
-ability to ignore certificate errors (i.e. invalid) per FQDN

Edit: In any case, as of now it would be simpler and faster to re-impliment the missing 0.8.x https/ssl/tls features as a stop-gap measure

Rémi Denis-Courmont
Developer
Developer
Posts: 15267
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: vlc https/ssl/tls options: 0.9.x? planned?

Postby Rémi Denis-Courmont » 25 Nov 2008 17:50

Yeah, it encrypts the stream. So? The session key is sent by the client to the server using its public key. If you don't check the certificate, you don't know who you're encrypting to. Pointless.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

orbisvicis
Blank Cone
Blank Cone
Posts: 10
Joined: 26 Oct 2008 03:38

Re: vlc https/ssl/tls options: 0.9.x? planned?

Postby orbisvicis » 25 Nov 2008 19:05

Like I said, to keep the security model of an x509 infrastructure intact, implement a security manager similar to the one in firefox.
Then manually associate (certificates you want allowed) to (domain names).

Of course, public keys can be spoofed. Thats why the security manager should only make exceptions for root certificates and not public keys.

In any case, what about the stop-gap measure I mentioned. If a user is willing to negotiated the advanced vlc preferences, then they should be willing to accept the risks.

Rémi Denis-Courmont
Developer
Developer
Posts: 15267
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: vlc https/ssl/tls options: 0.9.x? planned?

Postby Rémi Denis-Courmont » 25 Nov 2008 19:37

Firefox 3 ensures great pain before users can "violate" x509 security.

VLC does not have proper UI for certificate bypass, let alone a certificate manager. This woule be a huge effort for a very uncommon use case (streaming from HTTP/SSL is not very common anyway).

You can always install custom Root CAs to %vlcuserdatadir%/ssl/certs
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

orbisvicis
Blank Cone
Blank Cone
Posts: 10
Joined: 26 Oct 2008 03:38

Re: vlc https/ssl/tls options: 0.9.x? planned?

Postby orbisvicis » 25 Nov 2008 20:27

That's why re-implementing 0.8's https/ssl/tls features would be the easiest and fastest compromise. At the very least vlc should expose the tls interface.

This is good to know:
You can always install custom Root CAs to %vlcuserdatadir%/ssl/certs
But what about invalid certificates?

Rémi Denis-Courmont
Developer
Developer
Posts: 15267
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: vlc https/ssl/tls options: 0.9.x? planned?

Postby Rémi Denis-Courmont » 25 Nov 2008 21:45

Invalid certificates are invalid are invalid.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded


Return to “General VLC media player Troubleshooting”

Who is online

Users browsing this forum: No registered users and 32 guests