guix-devel

Re: Feedback from JRES in Dijon


From: Bengt Richter
Subject: Re: Feedback from JRES in Dijon
Date: Sun, 8 Dec 2019 15:09:23 -0800
User-agent: Mutt/1.12.2 (2019-09-21)

Hi Tim, Konrad,

On +2019-12-07 23:11:19 -0500, Timothy Sample wrote:
> Hi Bengt,
> 
> I omitted a lot of your message, but I hope I have the easy explanation
> you’re looking for.  :)
> 
> Bengt Richter <address@hidden> writes:
> 
> > On +2019-12-07 11:35:02 -0500, Timothy Sample wrote:
> >> 
> >> [...]
> >> 
> >> Unfortunately, I got certificate errors, but VLC lets you temporarily
> >> ignore those.
> >
> > [...]
> >
> > Anyone see an easy explanation?
> 
> After a little more digging, it seems that the certificate sent for
> “ccwebcast.in2p3.fr” is signed with an intermediate certificate from
> “TERENA”.  This is in turn signed with a DigiCert root certificate.
> Unfortunately it looks like “ccwebcast.in2p3.fr” doesn’t send the whole
> certificate chain, and the TERENA cert is not part of our “nss-certs”
> package, so tools using certs from that package (basically everything on
> a normal Guix install) will be unwilling to trust “ccwebcast.in2p3.fr”.
> IceCat is okay with it, but it uses its own certificates (it must know
> about the TERENA cert, so it doesn’t need the whole chain).
> 
> Fortunately, for exceptional situations like this, you can tell most
> tools to skip certificate validation (like I mentioned with VLC).  For
> youtube-dl, you can use the “--no-check-certificate” option.  Note
> however that this is rather dangerous in general, since you are telling
> youtube-dl to allow anyone to pretend to be anyone else!  In this case,
> since it’s just a video and IceCat is okay with the certificate it’s
> probably fine.  Just be careful.  :)
> 
> 
> -- Tim

Thank you very much for digging and providing the dangerous solution :)
(I suppressed my paranoia this once, and it did work BTW :)

BTW2, I have icecat installed, so I wonder if, given that it "uses its own certificates"
(and knows about TERENA) is there a cert-PATH that could be extended so other
apps see icecat's cert info in addition to their own?

BTW3, Konrad,
That was a nice presentation -- are the tools you used to prepare it and present it
available as libre packages? (I'm not insisting you answer ;-)

-- 
Regards,
Bengt Richter
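
The missing-intermediate failure discussed in this thread, and two ways to resolve it without turning validation off, reproduced offline with a locally generated chain. This is an added example, not part of the original messages; every certificate and name in it is constructed, and it assumes the `openssl` command-line tool is installed.

```shell
# Constructed demo: every key, certificate and name is generated locally.

# Build root CA -> intermediate CA -> leaf certificate in directory $1.
make_chain() {
    (
        cd "$1" || exit 1
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
        for n in root inter leaf; do
            openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
                -subj "/CN=demo-$n.example.test" -out "$n.csr" || exit 1
        done
        openssl x509 -req -in root.csr -signkey root.key -days 2 \
            -extfile ca.ext -out root.pem || exit 1
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -days 2 -extfile ca.ext -out inter.pem || exit 1
        openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
            -CAcreateserial -days 2 -out leaf.pem || exit 1
    ) >/dev/null 2>&1
}

# Print "trusted" or "untrusted" for the leaf in $1 under scenario $2:
#   root-only     client trusts only the root, server sends only the leaf
#   chain-sent    server also sends the intermediate (server-side fix)
#   bundle-added  client adds the intermediate to its CA bundle (client-side fix)
chain_status() {
    d=$1
    case $2 in
        root-only)    set -- -CAfile "$d/root.pem" ;;
        chain-sent)   set -- -CAfile "$d/root.pem" -untrusted "$d/inter.pem" ;;
        bundle-added) cat "$d/root.pem" "$d/inter.pem" > "$d/bundle.pem"
                      set -- -CAfile "$d/bundle.pem" ;;
        *) echo "unknown scenario: $2" >&2; return 2 ;;
    esac
    if openssl verify "$@" "$d/leaf.pem" 2>/dev/null | grep -q ': OK'; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_chain "$tmp" || { rm -rf "$tmp"; return 1; }
    for s in root-only chain-sent bundle-added; do
        printf '%-13s %s\n' "$s" "$(chain_status "$tmp" "$s")"
    done
    rm -rf "$tmp"
}
demo
```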


