[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Feedback from JRES in Dijon
From: |
Bengt Richter |
Subject: |
Re: Feedback from JRES in Dijon |
Date: |
Sun, 8 Dec 2019 15:09:23 -0800 |
User-agent: |
Mutt/1.12.2 (2019-09-21) |
Hi Tim, Konrad,
On +2019-12-07 23:11:19 -0500, Timothy Sample wrote:
> Hi Bengt,
>
> I omitted a lot of your message, but I hope I have the easy explanation
> you’re looking for. :)
>
> Bengt Richter <address@hidden> writes:
>
> > On +2019-12-07 11:35:02 -0500, Timothy Sample wrote:
> >>
> >> [...]
> >>
> >> Unfortunately, I got certificate errors, but VLC lets you temporarily
> >> ignore those.
> >
> > [...]
> >
> > Anyone see an easy explanation?
>
> After a little more digging, it seems that the certificate sent for
> “ccwebcast.in2p3.fr” is signed with an intermediate certificate from
> “TERENA”. This is in turn signed with a DigiCert root certificate.
> Unfortunately it looks like “ccwebcast.in2p3.fr” doesn’t send the whole
> certificate chain, and the TERENA cert is not part of our “nss-certs”
> package, so tools using certs from that package (basically everything on
> a normal Guix install) will be unwilling to trust “ccwebcast.in2p3.fr”.
> IceCat is okay with it, but it uses its own certificates (it must know
> about the TERENA cert, so it doesn’t need the whole chain).
>
> Fortunately, for exceptional situations like this, you can tell most
> tools to skip certificate validation (like I mentioned with VLC). For
> youtube-dl, you can use the “--no-check-certificate” option. Note
> however that this is rather dangerous in general, since you are telling
> youtube-dl allow anyone to pretend to be anyone else! In this case,
> since it’s just a video and IceCat is okay with the certificate it’s
> probably fine. Just be careful. :)
>
>
> -- Tim
Thank you very much for digging and providing the dangerous solution :)
(I suppressed my paranoia this once, and it did work BTW :)
BTW2, I have icecat installed, so I wonder if, given that it "uses its own
certificates"
(and knows about TEREMA) is there a cert-PATH that could be extended so other
apps see icecat's cert info in addition to their own?
BTW3, Konrad,
That was a nice presentation -- are the tools you used to prepare it and
present it
available as libre packages? (I'm not insisting you answer ;-)
--
Regards,
Bengt Richter
- Feedback from JRES in Dijon, Julien Lepiller, 2019/12/05
- Re: Feedback from JRES in Dijon, Pierre Neidhardt, 2019/12/05
- Re: Feedback from JRES in Dijon, Julien Lepiller, 2019/12/05
- Re: Feedback from JRES in Dijon, Konrad Hinsen, 2019/12/05
- Re: Feedback from JRES in Dijon, zimoun, 2019/12/05
- Re: Feedback from JRES in Dijon, Bengt Richter, 2019/12/06
- Re: Feedback from JRES in Dijon, Konrad Hinsen, 2019/12/06
- Re: Feedback from JRES in Dijon, Timothy Sample, 2019/12/07
- Re: Feedback from JRES in Dijon, Bengt Richter, 2019/12/07
- Re: Feedback from JRES in Dijon, Timothy Sample, 2019/12/07
- Re: Feedback from JRES in Dijon,
Bengt Richter <=
- Re: Feedback from JRES in Dijon, Konrad Hinsen, 2019/12/09
- Re: Feedback from JRES in Dijon, Konrad Hinsen, 2019/12/06
- Re: Feedback from JRES in Dijon, Ludovic Courtès, 2019/12/10
- Re: Feedback from JRES in Dijon, Konrad Hinsen, 2019/12/11
- Re: Feedback from JRES in Dijon, zimoun, 2019/12/05
Re: Feedback from JRES in Dijon, Julien Lepiller, 2019/12/05
Re: Feedback from JRES in Dijon, zimoun, 2019/12/05
Re: Feedback from JRES in Dijon, Ludovic Courtès, 2019/12/10