gnutls [SSL] streaming broken?

Microsoft Windows specific usage questions
Forum rules
Please post only Windows specific questions in this forum category. If you don't know where to post, please read the different forums' rules. Thanks.
orbisvicis
Blank Cone
Blank Cone
Posts: 10
Joined: 26 Oct 2008 03:38

gnutls [SSL] streaming broken?

Postby orbisvicis » 15 Nov 2009 08:34

Details:
since 1.x.x
only on windows: xp,vista,7 (works fine @ linux)
put the cert @ C:\Users\orbisvicis\AppData\Roaming\vlc\ssl\certs\CA-certificate.pem

Is it a windows thing? Some networking update? Also GnuTLS is waaay outdated (latest is 2.9.9 - vlc uses 2.6.3)

Anyway here is the log:

Code: Select all

main debug: processing request item Tomorrow node Playlist skip 0 main debug: resyncing on Tomorrow main debug: Tomorrow is at 0 main debug: starting new item main debug: creating new input thread main debug: Creating an input for 'Tomorrow' main debug: thread (input) created at priority 1 (../.././src/input/input.c:230) qt4 debug: IM: Setting an input main debug: thread started main debug: using timeshift granularity of 50 MBytes main debug: using timeshift path 'C:\Users\orbisvicis\AppData\Local\Temp' main debug: `https://my.website.net:myport/ampache-3.5.1/play/index.php?sid=0f23a357e14415571d7ef74465100316&oid=3054&uid=4&name=/Kemopetrol%20-%20Tomorrow.ogg' gives access `https' demux `' path `my.website.net:myport/ampache-3.5.1/play/index.php?sid=0f23a357e14415571d7ef74465100316&oid=3054&uid=4&name=/Kemopetrol%20-%20Tomorrow.ogg' main debug: creating demux: access='https' demux='' path='my.website.net:myport/ampache-3.5.1/play/index.php?sid=0f23a357e14415571d7ef74465100316&oid=3054&uid=4&name=/Kemopetrol%20-%20Tomorrow.ogg' main debug: looking for access_demux module: 0 candidates main debug: no access_demux module matched "https" main debug: TIMER module_need() : 1.000 ms - Total 1.000 ms / 1 intvls (Avg 1.000 ms) main debug: creating access 'https' path='my.website.net:myport/ampache-3.5.1/play/index.php?sid=0f23a357e14415571d7ef74465100316&oid=3054&uid=4&name=/Kemopetrol%20-%20Tomorrow.ogg' main debug: looking for access module: 1 candidate access_http debug: http: server='my.website.net' port=myport file='/ampache-3.5.1/play/index.php?sid=0f23a357e14415571d7ef74465100316&oid=3054&uid=4&name=/Kemopetrol%20-%20Tomorrow.ogg main debug: net: connecting to my.website.net port myport qt4 debug: Updating the geometry qt4 debug: Updating the geometry main debug: connection: Resource temporarily unavailable main debug: connection succeeded (socket = 912) main debug: requested server name: my.website.net main debug: looking for tls client module: 1 candidate gnutls debug: GnuTLS v2.6.3 initialized gnutls debug: added x509 credentials (C:\Users\orbisvicis\AppData\Roaming\vlc/ssl/certs\CA-certificate.pem) gnutls warning: cannot add x509 credentials (C:\ProgramData/ssl/certs/ca-certificates.crt): No such file or directory main debug: using tls client module "gnutls" main debug: TIMER module_need() : 5.000 ms - Total 5.000 ms / 1 intvls (Avg 5.000 ms) gnutls debug: TLS/x509 certificate verified main debug: TLS client session initialized access_http debug: protocol 'HTTP' answer code 200 access_http debug: Server: Apache/2.2.8 (Ubuntu) mod_auth_kerb/5.3 DAV/2 mod_fastcgi/2.4.6 mod_gnutls/0.5.5 mod_ldap_userdir/1.1.12-20070601 Line-Edit/1.0.0 SVN/1.6.1 Phusion_Passenger/2.2.2 PHP/5.2.6-2ubuntu4 with Suhosin-Patch proxy_html/3.0.0 mod_wsgi/3.0c1 Python/2.5.2 mod_perl/2.0.3 Perl/v5.8.8 access_http debug: this frame size=8294540 access_http debug: Content-Type: application/ogg main debug: using access module "access_http" main debug: TIMER module_need() : 949.000 ms - Total 949.000 ms / 1 intvls (Avg 949.000 ms) main debug: Using AStream*Stream main debug: pre buffering main error: Read error: No error gnutls debug: GnuTLS deinitialized main debug: removing module "gnutls" main error: cannot pre fill buffer main warning: cannot create a stream_t from access main debug: removing module "access_http" main debug: waitpipe: object killed main debug: thread ended main debug: dead input main debug: thread times: real 0m0.954054s, kernel 0m0.093600s, user 0m0.608403s main debug: changing item without a request (current 0/1) main debug: nothing to play qt4 debug: IM: Deleting the input qt4 debug: Updating the geometry qt4 debug: Updating the geometry main debug: TIMER input launching for 'Tomorrow' : 1002.000 ms - Total 1002.000 ms / 1 intvls (Avg 1002.000 ms)
Odd error huh? I've got it one several machines..

VLC_help
Mega Cone Master
Mega Cone Master
Posts: 25661
Joined: 13 Sep 2006 14:16

Re: gnutls [SSL] streaming broken?

Postby VLC_help » 15 Nov 2009 20:18

If you know how to use Wireshark, you could compare working and non-working setups to see what is the issue.

orbisvicis
Blank Cone
Blank Cone
Posts: 10
Joined: 26 Oct 2008 03:38

Re: gnutls [SSL] streaming broken?

Postby orbisvicis » 16 Nov 2009 05:18

I dumped pcap logs from both windows and linux, which for security I rather not post here.

The windows log was immediately recognized by wireshark as SSL traffic. The linux log seemed like normal (but gobblygook) TCP traffic until I provided the server's private key to decode the stream, after which it became very similar to the windows log:

{{{
an aside: it is not possible that linux-vlc talks via HTTP instead of HTTPS. The apache server cannot serve non-TLS content, and no other media player can decrypt the streams.
So why does wireshark not recognize the linux stream until a key is provided? Is it falsely decrypting the linux TCP stream based on a general SSLtemplate ?
Except I found that text (such as URLs) where correctly decrypted...
}}}

In any case this is what I see:

Linux:

Code: Select all

TLSv1.1 Client Hello TLSv1.1 Server Hello TLSv1.1 Certificate TLSv1.1 Server Key Exchange TLSv1.1 Server Hello Done TLSv1.1 Client Key Exchange TLSv1.1 Change Cipher Spec, Encrypted Handshake Message TLSv1.1 Change Cipher Spec TLSv1.1 Encrypted Handshake Message TLSv1.1 Application Data TLSv1.1 Application Data, Application Data, Application Data, Application Data TLSv1.1 Application Data ... (many times repeated) TLSv1.1 Application Data TLSv1.1 Continuation Data TLSv1.1 Encrypted Alert
Windows:

Code: Select all

SSL Client Hello TLSv1.1 Server Hello TLSv1.1 Certificate TLSv1.1 Server Key Exchange TLSv1.1 Server Hello Done TLSv1.1 Client Key Exchange TLSv1.1 Change Cipher Spec, Encrypted Handshake Message TLSv1.1 Change Cipher Spec TLSv1.1 Encrypted Handshake Message TLSv1.1 Application Data TLSv1.1 Application Data, Application Data, Application Data, Application Data TLSv1.1 Application Data TLSv1.1 Encrypted Alert TLSv1.1 Application Data
**big disclaimer: not really sure what I was doing with wireshark

Rémi Denis-Courmont
Developer
Developer
Posts: 15267
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: gnutls [SSL] streaming broken?

Postby Rémi Denis-Courmont » 06 Dec 2009 19:20

VLC tries to negotitate TLS versions 1.1 and 1.0 if available. Unless you're dealing with an old SSLv3-only server, you will only see TLS, not SSL.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

orbisvicis
Blank Cone
Blank Cone
Posts: 10
Joined: 26 Oct 2008 03:38

Re: gnutls [SSL] streaming broken?

Postby orbisvicis » 07 Dec 2009 16:50

The server uses mod_gnutls 0.5.5:

Code: Select all

GnuTLSEnable on GnuTLSPriorities NONE:+CAMELLIA-256-CBC:+AES-256-CBC:+DHE-RSA:+SHA1:+COMP-NULL:+COMP-DEFLATE:+VERS-TLS1.1:+VERS-SSL3.0 GnuTLSExportCertificates on GnuTLSCertificateFile /x509/tls/nodes/chains/my-server-chain.pem GnuTLSKeyFile /x509/tls/nodes/keys/my-server-key.rsa.pem GnuTLSDHFile /x509/tls/diffie-hellman/dh2048.pem

Rémi Denis-Courmont
Developer
Developer
Posts: 15267
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: gnutls [SSL] streaming broken?

Postby Rémi Denis-Courmont » 07 Dec 2009 17:25

So the behaviour is perfectly normal. I don't see any wrong with your Linux capture.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

orbisvicis
Blank Cone
Blank Cone
Posts: 10
Joined: 26 Oct 2008 03:38

Re: gnutls [SSL] streaming broken?

Postby orbisvicis » 07 Dec 2009 17:34

I posted the linux capture simply to contrast the windows capture, since vlc-https-on-linux seems to work fine while vlc-https-on-windows does not.

orbisvicis
Blank Cone
Blank Cone
Posts: 10
Joined: 26 Oct 2008 03:38

Re: gnutls [SSL] streaming broken?

Postby orbisvicis » 07 Dec 2009 19:01

(both captures are from the same server)


Return to “VLC media player for Windows Troubleshooting”

Who is online

Users browsing this forum: No registered users and 48 guests