vlc git - linux chromecast TLS issue

*nix specific usage questions
toranq
New Cone
New Cone
Posts: 2
Joined: 24 Dec 2017 00:59

vlc git - linux chromecast TLS issue

Postby toranq » 24 Dec 2017 01:03

I'm running a git build of vlc (4.0.0-dev) with chromecast and 'sout' configured to be enabled. When I try to cast to my Chromecast, I'm getting a TLS error:

Code: Select all

VLC media player 4.0.0-dev Otto Chriek (revision 4.0.0-dev-483-g7610a35ae6) [0000563d72df56a0] dummy interface: using the dummy interface module... [00007f89f8003020] gnutls tls client error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses insecure algorithm. The name in the certificate does not match the expected. [00007f89f8003020] main tls client error: TLS session handshake error [00007f89f8003020] main tls client error: connection error: Resource temporarily unavailable [00007f89f8000f60] stream_out_chromecast stream out error: cannot load the Chromecast controller (Failed to create client session) [00007f89f8000c40] main stream output error: stream chain failed for `chromecast{ip=192.168.1.9}' [00007f8a04000c40] main input error: cannot start stream output instance, aborting
has anyone found a way around this? chromecast certs seems to be a moving target for client authentication with the cast, so simply adding a cert doesn't seem to be possible to get around this. Thanks

Jean-Baptiste Kempf
Site Administrator
Site Administrator
Posts: 37523
Joined: 22 Jul 2005 15:29
VLC version: 4.0.0-git
Operating System: Linux, Windows, Mac
Location: Cone, France
Contact:

Re: vlc git - linux chromecast TLS issue

Postby Jean-Baptiste Kempf » 26 Dec 2017 14:13

File a bugreport, please.
Jean-Baptiste Kempf
http://www.jbkempf.com/ - http://www.jbkempf.com/blog/category/Videolan
VLC media player developer, VideoLAN President and Sites administrator
If you want an answer to your question, just be specific and precise. Don't use Private Messages.

Rémi Denis-Courmont
Developer
Developer
Posts: 15266
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: vlc git - linux chromecast TLS issue

Postby Rémi Denis-Courmont » 26 Dec 2017 15:59

"The certificate chain uses insecure algorithm."

Server side error.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

User avatar
InTheWings
Developer
Developer
Posts: 1275
Joined: 07 Aug 2013 13:15
VLC version: crashing
Operating System: Linux
Contact:

Re: vlc git - linux chromecast TLS issue

Postby InTheWings » 26 Dec 2017 17:47

I have the same issue with chromecast self signed certificates on Fedora.
I thought it was a pkcs11 module issue, but maybe not.

gnutls fails on precheck and for some reason, fails validating the certificate. Including cli version.
OpenSSL is OK. Passes validation in certtools.
for SSL 3.0 (RFC6101) support... no
whether we need to disable TLS 1.2... no
whether we need to disable TLS 1.1... no
whether we need to disable TLS 1.0... no
whether %NO_EXTENSIONS is required... no
whether %COMPAT is required... no
for TLS 1.0 (RFC2246) support... yes
for TLS 1.1 (RFC4346) support... yes
for TLS 1.2 (RFC5246) support... yes
fallback from TLS 1.6 to... TLS1.2
for inappropriate fallback (RFC7507) support... yes
for HTTPS server name... unknown
for certificate chain order... sorted
for safe renegotiation (RFC5746) support... yes
for encrypt-then-MAC (RFC7366) support... no
for ext master secret (RFC7627) support... no
for heartbeat (RFC6520) support... no
for version rollback bug in RSA PMS... dunno
for version rollback bug in Client Hello... no
whether the server ignores the RSA PMS version... no
whether small records (512 bytes) are tolerated on handshake... yes
whether cipher suites not in SSL 3.0 spec are accepted... yes
whether a bogus TLS record version in the client hello is accepted... yes
whether the server understands TLS closure alerts... yes
whether the server supports session resumption... yes
for anonymous authentication support... no
for ephemeral Diffie-Hellman support... no
for ephemeral EC Diffie-Hellman support... yes
for curve SECP256r1 (RFC4492)... yes
for curve SECP384r1 (RFC4492)... yes
for curve SECP521r1 (RFC4492)... no
for curve X25519 (draft-ietf-tls-rfc4492bis-07)... yes
for AES-128-GCM cipher (RFC5288) support... yes
for AES-128-CCM cipher (RFC6655) support... no
for AES-128-CCM-8 cipher (RFC6655) support... no
for AES-128-CBC cipher (RFC3268) support... yes
for CAMELLIA-128-GCM cipher (RFC6367) support... no
for CAMELLIA-128-CBC cipher (RFC5932) support... no
for 3DES-CBC cipher (RFC2246) support... yes
for ARCFOUR 128 cipher (RFC2246) support... no
for CHACHA20-POLY1305 cipher (RFC7905) support... yes
for MD5 MAC support... no
for SHA1 MAC support... yes
for SHA256 MAC support... no
for ZLIB compression support... no
for max record size (RFC6066) support... no
for OCSP status response (RFC6066) support... no
for OpenPGP authentication (RFC6091) support... no
gnutls_cli
|<2>| Initializing needed PKCS #11 modules
|<2>| p11: Initializing module: p11-kit-trust
|<2>| p11: No login requested.
|<3>| p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
|<3>| p11 attrs: CKA_TRUSTED
|<3>| p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
|<2>| p11: No login requested.
|<3>| p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
|<3>| p11 attrs: CKA_TRUSTED
|<3>| p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
|<3>| ASSERT: pkcs11.c[find_objs_cb]:2848
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_obj_list_import_url3]:3169
Processed 154 CA certificate(s).
Resolving '192.168.0.237:8009'...
Connecting to '192.168.0.237:8009'...
|<2>| system priority /etc/crypto-policies/back-ends/gnutls.config has not changed
|<2>| resolved 'SYSTEM' to 'NONE:+AEAD:+SHA1:+SHA256:+SHA384:+SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:+PSK:+DHE-PSK:+ECDHE-PSK:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW', next ''
|<2>| selected priority string: NONE:+AEAD:+SHA1:+SHA256:+SHA384:+SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:+PSK:+DHE-PSK:+ECDHE-PSK:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW
|<3>| ASSERT: constate.c[_gnutls_epoch_get]:600
|<3>| ASSERT: buffers.c[get_last_packet]:1160
|<3>| ASSERT: buffers.c[get_last_packet]:1160
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: status_request.c[gnutls_ocsp_status_request_get]:379
- Certificate type: X.509
- Got a certificate list of 1 certificates.
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
- Certificate[0] info:
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
- subject `CN=13acb611-8774-3482-cb4f-17c53e79ae48', issuer `CN=13acb611-8774-3482-cb4f-17c53e79ae48', serial 0x07b146cf, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-26 04:41:43 UTC', expires `2017-12-28 04:41:43 UTC', pin-sha256="WuYYaz+6J1P6JqVtIQwHtq9Pw9D9uRSvUYQWEkiMEGE="
Public Key ID:
sha1:8f2f7237b0095f16a4841f0767c6ede8bf74e593
sha256:5ae6186b3fba2753fa26a56d210c07b6af4fc3d0fdb914af51841612488c1061
Public Key PIN:
pin-sha256:WuYYaz+6J1P6JqVtIQwHtq9Pw9D9uRSvUYQWEkiMEGE=
Public key's random art:
+--[ RSA 2048]----+
| ..o+. |
| . o++ . |
| o = o |
| o o . |
| S. . .|
| . .o+ o.|
| o.*... .E.|
| . *.o... .|
| o o.... |
+-----------------+

|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: status_request.c[gnutls_ocsp_status_request_get]:379
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: verify.c[verify_crt]:604
|<2>| GNUTLS_SEC_PARAM_LOW: certificate's issuer security level is unacceptable
|<3>| ASSERT: verify.c[is_level_acceptable]:429
|<3>| ASSERT: verify.c[verify_crt]:714
|<3>| ASSERT: verify.c[verify_crt]:743
|<3>| ASSERT: verify.c[_gnutls_verify_crt_status]:913
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3637
|<2>| crt_is_known: did not find cert, using issuer DN + serial, using DN only
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4177
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3637
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4190
|<2>| crt_is_known: did not find any cert
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3637
|<2>| crt_is_known: did not find cert, using issuer DN + serial, using DN only
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4177
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3637
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4190
|<2>| crt_is_known: did not find any cert
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: x509.c[gnutls_x509_crt_get_authority_key_id]:1418
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3637
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_get_raw_issuer]:3896
|<3>| ASSERT: verify.c[_gnutls_pkcs11_verify_crt_status]:1137
|<3>| ASSERT: verify.c[verify_crt]:604
|<2>| GNUTLS_SEC_PARAM_LOW: certificate's issuer security level is unacceptable
|<3>| ASSERT: verify.c[is_level_acceptable]:429
|<3>| ASSERT: verify.c[verify_crt]:714
|<3>| ASSERT: verify.c[verify_crt]:743
|<3>| ASSERT: verify.c[_gnutls_verify_crt_status]:913
|<3>| ASSERT: verify-high.c[gnutls_x509_trust_list_verify_crt2]:1335
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:110
|<3>| ASSERT: x509.c[get_alt_name]:1701
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses insecure algorithm. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
|<3>| ASSERT: handshake.c[run_verify_callback]:2766
|<3>| ASSERT: handshake.c[handshake_client]:2877
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
:!: If you want your problem to be solved :
* First read troubleshooting guide VSG:Main
* Always provide verbose LOGS ! (command line or from gui)
* Always check your issue against a developer build from Nightly Build of VLC
* Tell us when your problem is solved !

User avatar
InTheWings
Developer
Developer
Posts: 1275
Joined: 07 Aug 2013 13:15
VLC version: crashing
Operating System: Linux
Contact:

Re: vlc git - linux chromecast TLS issue

Postby InTheWings » 26 Dec 2017 18:33

CA validation error on self signed when no CA are sent.
:!: If you want your problem to be solved :
* First read troubleshooting guide VSG:Main
* Always provide verbose LOGS ! (command line or from gui)
* Always check your issue against a developer build from Nightly Build of VLC
* Tell us when your problem is solved !

rhazor
New Cone
New Cone
Posts: 6
Joined: 29 Jun 2017 14:24

Re: vlc git - linux chromecast TLS issue

Postby rhazor » 28 Dec 2017 20:17

Hello. I get same errors on Windows 10 4.0.0-dev x64 version. Not sure what server-side error is, because I'm not running any servers, just trying to cast to Chromecast from VLC.

My Chromecast works fine via Chrome, Plex and Emby.

If you follow this guide https://www.howtogeek.com/269272/how-to ... hromecast/ it tells that "you’ll see an “Insecure site” prompt. Click “View certificate” to view your Chromecast’s security certificate." but the popup never shows up when clicking Play.

My error log:
gnutls error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses insecure algorithm. The name in the certificate does not match the expected.
main error: TLS session handshake error
main error: connection error: No error
stream_out_chromecast error: cannot load the Chromecast controller (Failed to create client session)
main error: stream chain failed for `chromecast{ip=my_internal_ip,port=8009}'
main error: cannot start stream output instance, aborting

Rémi Denis-Courmont
Developer
Developer
Posts: 15266
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: vlc git - linux chromecast TLS issue

Postby Rémi Denis-Courmont » 29 Dec 2017 13:41

That appears to be a bug in GnuTLS, not VLC.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

rhazor
New Cone
New Cone
Posts: 6
Joined: 29 Jun 2017 14:24

Re: vlc git - linux chromecast TLS issue

Postby rhazor » 29 Dec 2017 14:20

So what does it mean? What is GnuTLS, did it get installed together with VLC?

Why all of this has to go through TLS/SSL etc. I'm at home inside within my internal network that is not available remotely, trying to stream VLC to Chromecast through my home Wi-Fi.

Rémi Denis-Courmont
Developer
Developer
Posts: 15266
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: vlc git - linux chromecast TLS issue

Postby Rémi Denis-Courmont » 29 Dec 2017 18:02

Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

rhazor
New Cone
New Cone
Posts: 6
Joined: 29 Jun 2017 14:24

Re: vlc git - linux chromecast TLS issue

Postby rhazor » 29 Dec 2017 21:31

Your link is Linux, I'm on Windows 10. Still doesn't answer what it has to do with gnutls on windows and why it's there in first place.

Rémi Denis-Courmont
Developer
Developer
Posts: 15266
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: vlc git - linux chromecast TLS issue

Postby Rémi Denis-Courmont » 30 Dec 2017 10:14

This is a Linux forum anyway but I don't see what is "Linux" about the link.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

toranq
New Cone
New Cone
Posts: 2
Joined: 24 Dec 2017 00:59

Re: vlc git - linux chromecast TLS issue

Postby toranq » 31 Dec 2017 05:09

Forwarded upstream https://gitlab.com/gnutls/gnutls/issues/347

kthxbye
thanks for forwarding the issue upstream. I wondered if it was a gnutls bug when I saw the error to begin with - didn't seem like a VLC problem

hymced
New Cone
New Cone
Posts: 3
Joined: 03 Jan 2018 11:17

Re: vlc git - linux chromecast TLS issue

Postby hymced » 03 Jan 2018 11:27

Hi all

As of today, with build vlc-4.0.0-20180103-0504-dev-win64 on Windows 10 version 1607, I also have this problem of certificate, while attempting to play a video with the chromecast renderer for the first time, on my Sony KD43XE8096 with built-in Chromecast.

Here is the log:
gnutls error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses insecure algorithm. The name in the certificate does not match the expected.
main error: TLS session handshake error
main error: connection error: No error
stream_out_chromecast error: cannot load the Chromecast controller (Failed to create client session)
main error: stream chain failed for `chromecast{ip=192.168.1.27,port=8009}'
main error: cannot start stream output instance, aborting

Messages with verbosity set to 2:
https://pastebin.com/PnicZZcb

If i understand your previous answers, this issue is related to GnuTLS, not VLC directly, so let's hope it will be solved here: https://gitlab.com/gnutls/gnutls/issues/347
and integrated shortly in a next nightly build !! :)

EDIT: I forgot to mention that Symantec Endpoint Protection prevents me from starting VLC, the .exe ends up in quarantine, and if a get it out of quarantine, I get a warning, and if I say "yes, continue" to the warning, VLC seems not to start correctly and does not show up... but that is not the subject here.

hymced
New Cone
New Cone
Posts: 3
Joined: 03 Jan 2018 11:17

Re: vlc git - linux chromecast TLS issue

Postby hymced » 07 Jan 2018 21:36

OK, gitlab issue is closed, and solved by another merged issue, and as of now, surely added to last version vlc-4.0.0-20180106-1317 since VLC now shows the certificate prompt! cheers ;)


Return to “VLC media player for Linux and friends Troubleshooting”

Who is online

Users browsing this forum: No registered users and 14 guests