vlc git - linux chromecast TLS issue

[toranq]

I'm running a git build of vlc (4.0.0-dev) with chromecast and 'sout' configured to be enabled. When I try to cast to my Chromecast, I'm getting a TLS error:

Code: Select all

VLC media player 4.0.0-dev Otto Chriek (revision 4.0.0-dev-483-g7610a35ae6) [0000563d72df56a0] dummy interface: using the dummy interface module... [00007f89f8003020] gnutls tls client error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses insecure algorithm. The name in the certificate does not match the expected. [00007f89f8003020] main tls client error: TLS session handshake error [00007f89f8003020] main tls client error: connection error: Resource temporarily unavailable [00007f89f8000f60] stream_out_chromecast stream out error: cannot load the Chromecast controller (Failed to create client session) [00007f89f8000c40] main stream output error: stream chain failed for `chromecast{ip=192.168.1.9}' [00007f8a04000c40] main input error: cannot start stream output instance, aborting

has anyone found a way around this? chromecast certs seems to be a moving target for client authentication with the cast, so simply adding a cert doesn't seem to be possible to get around this. Thanks

[Jean-Baptiste Kempf]

File a bugreport, please.

[Rémi Denis-Courmont]

"The certificate chain uses insecure algorithm."

Server side error.

[InTheWings]

I have the same issue with chromecast self signed certificates on Fedora.
I thought it was a pkcs11 module issue, but maybe not.

gnutls fails on precheck and for some reason, fails validating the certificate. Including cli version.
OpenSSL is OK. Passes validation in certtools.

for SSL 3.0 (RFC6101) support... no
whether we need to disable TLS 1.2... no
whether we need to disable TLS 1.1... no
whether we need to disable TLS 1.0... no
whether %NO_EXTENSIONS is required... no
whether %COMPAT is required... no
for TLS 1.0 (RFC2246) support... yes
for TLS 1.1 (RFC4346) support... yes
for TLS 1.2 (RFC5246) support... yes
fallback from TLS 1.6 to... TLS1.2
for inappropriate fallback (RFC7507) support... yes
for HTTPS server name... unknown
for certificate chain order... sorted
for safe renegotiation (RFC5746) support... yes
for encrypt-then-MAC (RFC7366) support... no
for ext master secret (RFC7627) support... no
for heartbeat (RFC6520) support... no
for version rollback bug in RSA PMS... dunno
for version rollback bug in Client Hello... no
whether the server ignores the RSA PMS version... no
whether small records (512 bytes) are tolerated on handshake... yes
whether cipher suites not in SSL 3.0 spec are accepted... yes
whether a bogus TLS record version in the client hello is accepted... yes
whether the server understands TLS closure alerts... yes
whether the server supports session resumption... yes
for anonymous authentication support... no
for ephemeral Diffie-Hellman support... no
for ephemeral EC Diffie-Hellman support... yes
for curve SECP256r1 (RFC4492)... yes
for curve SECP384r1 (RFC4492)... yes
for curve SECP521r1 (RFC4492)... no
for curve X25519 (draft-ietf-tls-rfc4492bis-07)... yes
for AES-128-GCM cipher (RFC5288) support... yes
for AES-128-CCM cipher (RFC6655) support... no
for AES-128-CCM-8 cipher (RFC6655) support... no
for AES-128-CBC cipher (RFC3268) support... yes
for CAMELLIA-128-GCM cipher (RFC6367) support... no
for CAMELLIA-128-CBC cipher (RFC5932) support... no
for 3DES-CBC cipher (RFC2246) support... yes
for ARCFOUR 128 cipher (RFC2246) support... no
for CHACHA20-POLY1305 cipher (RFC7905) support... yes
for MD5 MAC support... no
for SHA1 MAC support... yes
for SHA256 MAC support... no
for ZLIB compression support... no
for max record size (RFC6066) support... no
for OCSP status response (RFC6066) support... no
for OpenPGP authentication (RFC6091) support... no

gnutls_cli

|<2>| Initializing needed PKCS #11 modules
|<2>| p11: Initializing module: p11-kit-trust
|<2>| p11: No login requested.
|<3>| p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
|<3>| p11 attrs: CKA_TRUSTED
|<3>| p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
|<2>| p11: No login requested.
|<3>| p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
|<3>| p11 attrs: CKA_TRUSTED
|<3>| p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
|<3>| ASSERT: pkcs11.c[find_objs_cb]:2848
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_obj_list_import_url3]:3169
Processed 154 CA certificate(s).
Resolving '192.168.0.237:8009'...
Connecting to '192.168.0.237:8009'...
|<2>| system priority /etc/crypto-policies/back-ends/gnutls.config has not changed
|<2>| resolved 'SYSTEM' to 'NONE:+AEAD:+SHA1:+SHA256:+SHA384:+SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:+PSK:+DHE-PSK:+ECDHE-PSK:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW', next ''
|<2>| selected priority string: NONE:+AEAD:+SHA1:+SHA256:+SHA384:+SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:+PSK:+DHE-PSK:+ECDHE-PSK:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW
|<3>| ASSERT: constate.c[_gnutls_epoch_get]:600
|<3>| ASSERT: buffers.c[get_last_packet]:1160
|<3>| ASSERT: buffers.c[get_last_packet]:1160
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: status_request.c[gnutls_ocsp_status_request_get]:379
- Certificate type: X.509
- Got a certificate list of 1 certificates.
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
- Certificate[0] info:
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
- subject `CN=13acb611-8774-3482-cb4f-17c53e79ae48', issuer `CN=13acb611-8774-3482-cb4f-17c53e79ae48', serial 0x07b146cf, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-26 04:41:43 UTC', expires `2017-12-28 04:41:43 UTC', pin-sha256="WuYYaz+6J1P6JqVtIQwHtq9Pw9D9uRSvUYQWEkiMEGE="
Public Key ID:
sha1:8f2f7237b0095f16a4841f0767c6ede8bf74e593
sha256:5ae6186b3fba2753fa26a56d210c07b6af4fc3d0fdb914af51841612488c1061
Public Key PIN:
pin-sha256:WuYYaz+6J1P6JqVtIQwHtq9Pw9D9uRSvUYQWEkiMEGE=
Public key's random art:
+--[ RSA 2048]----+
| ..o+. |
| . o++ . |
| o = o |
| o o . |
| S. . .|
| . .o+ o.|
| o.*... .E.|
| . *.o... .|
| o o.... |
+-----------------+

|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: status_request.c[gnutls_ocsp_status_request_get]:379
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: verify.c[verify_crt]:604
|<2>| GNUTLS_SEC_PARAM_LOW: certificate's issuer security level is unacceptable
|<3>| ASSERT: verify.c[is_level_acceptable]:429
|<3>| ASSERT: verify.c[verify_crt]:714
|<3>| ASSERT: verify.c[verify_crt]:743
|<3>| ASSERT: verify.c[_gnutls_verify_crt_status]:913
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3637
|<2>| crt_is_known: did not find cert, using issuer DN + serial, using DN only
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4177
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3637
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4190
|<2>| crt_is_known: did not find any cert
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3637
|<2>| crt_is_known: did not find cert, using issuer DN + serial, using DN only
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4177
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3637
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_crt_is_known]:4190
|<2>| crt_is_known: did not find any cert
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: x509.c[gnutls_x509_crt_get_authority_key_id]:1418
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<2>| p11: No login requested.
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3812
|<3>| ASSERT: pkcs11.c[find_cert_cb]:3637
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_get_raw_issuer]:3896
|<3>| ASSERT: verify.c[_gnutls_pkcs11_verify_crt_status]:1137
|<3>| ASSERT: verify.c[verify_crt]:604
|<2>| GNUTLS_SEC_PARAM_LOW: certificate's issuer security level is unacceptable
|<3>| ASSERT: verify.c[is_level_acceptable]:429
|<3>| ASSERT: verify.c[verify_crt]:714
|<3>| ASSERT: verify.c[verify_crt]:743
|<3>| ASSERT: verify.c[_gnutls_verify_crt_status]:913
|<3>| ASSERT: verify-high.c[gnutls_x509_trust_list_verify_crt2]:1335
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:110
|<3>| ASSERT: x509.c[get_alt_name]:1701
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses insecure algorithm. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
|<3>| ASSERT: handshake.c[run_verify_callback]:2766
|<3>| ASSERT: handshake.c[handshake_client]:2877
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

[InTheWings]

CA validation error on self signed when no CA are sent.

[rhazor]

Hello. I get same errors on Windows 10 4.0.0-dev x64 version. Not sure what server-side error is, because I'm not running any servers, just trying to cast to Chromecast from VLC.

My Chromecast works fine via Chrome, Plex and Emby.

If you follow this guide https://www.howtogeek.com/269272/how-to ... hromecast/ it tells that "you’ll see an “Insecure site” prompt. Click “View certificate” to view your Chromecast’s security certificate." but the popup never shows up when clicking Play.

My error log:

gnutls error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses insecure algorithm. The name in the certificate does not match the expected.
main error: TLS session handshake error
main error: connection error: No error
stream_out_chromecast error: cannot load the Chromecast controller (Failed to create client session)
main error: stream chain failed for `chromecast{ip=my_internal_ip,port=8009}'
main error: cannot start stream output instance, aborting

[Rémi Denis-Courmont]

That appears to be a bug in GnuTLS, not VLC.

[rhazor]

So what does it mean? What is GnuTLS, did it get installed together with VLC?

Why all of this has to go through TLS/SSL etc. I'm at home inside within my internal network that is not available remotely, trying to stream VLC to Chromecast through my home Wi-Fi.

[Rémi Denis-Courmont]

Forwarded upstream https://gitlab.com/gnutls/gnutls/issues/347

kthxbye

[rhazor]

Your link is Linux, I'm on Windows 10. Still doesn't answer what it has to do with gnutls on windows and why it's there in first place.

[Rémi Denis-Courmont]

This is a Linux forum anyway but I don't see what is "Linux" about the link.

[toranq]

Forwarded upstream https://gitlab.com/gnutls/gnutls/issues/347

kthxbye

thanks for forwarding the issue upstream. I wondered if it was a gnutls bug when I saw the error to begin with - didn't seem like a VLC problem

[hymced]

Hi all

As of today, with build vlc-4.0.0-20180103-0504-dev-win64 on Windows 10 version 1607, I also have this problem of certificate, while attempting to play a video with the chromecast renderer for the first time, on my Sony KD43XE8096 with built-in Chromecast.

Here is the log:

gnutls error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses insecure algorithm. The name in the certificate does not match the expected.
main error: TLS session handshake error
main error: connection error: No error
stream_out_chromecast error: cannot load the Chromecast controller (Failed to create client session)
main error: stream chain failed for `chromecast{ip=192.168.1.27,port=8009}'
main error: cannot start stream output instance, aborting

Messages with verbosity set to 2:
https://pastebin.com/PnicZZcb

If i understand your previous answers, this issue is related to GnuTLS, not VLC directly, so let's hope it will be solved here: https://gitlab.com/gnutls/gnutls/issues/347
and integrated shortly in a next nightly build !!

EDIT: I forgot to mention that Symantec Endpoint Protection prevents me from starting VLC, the .exe ends up in quarantine, and if a get it out of quarantine, I get a warning, and if I say "yes, continue" to the warning, VLC seems not to start correctly and does not show up... but that is not the subject here.

[hymced]

OK, gitlab issue is closed, and solved by another merged issue, and as of now, surely added to last version vlc-4.0.0-20180106-1317 since VLC now shows the certificate prompt! cheers