[vlc-devel] add support for https video streaming from websites with untrusted SSL certificates

Rémi Denis-Courmont remi at remlab.net
Mon Dec 20 22:06:57 CET 2010


On Mon, 20 Dec 2010 21:06:11 +0100, Francois Cartegnie <fcvlcdev at free.fr>
wrote:
> As long as the default behaviour was to check, the code was ok:
> Users should be allowed to disable CA verification, as they might be
> unable to connect to a badly configured server they have no control of.

1/ Most users do not change preferences.
2/ Most users who do change preferences would not find that option.
3/ Users who would find the option would not understand it.

In other words, adding an option to work around a problem does not count as
solving the problem. TLS to servers with invalid certificates never worked
from VLC. And it should not.

> Every TLS client has an option to skip verifications.

This is obviously not true, but it is largely irrelevant.
How many media players provide such an option? I don't know any.

> Browsers do too.

There is no point in using TLS if you don't verify the certificates. In
fact, Mozilla is making it quite hard to ignore the certificate errors
these days. That's not an accident.

VLC does not implement a certificate manager because it should use the
system's (or the default browser's) certificates anyway. This is already
implemented on Debian and its derivatives. Furthermore, a custom manager UI
would be ridiculously complicated for the side-line use cases: receiving
HTTPS streams.

You are most welcome to implement support for the Windows certificate
store. Alternatively, you are also most welcome to provide a VLC TLS
plug-in for the Win32 CryptoAPI. Personally, I do not care about Windows
because I do not use it, nor am I paid to work with it.

> (1) Not mentioning this would help as a workaround on Windows platforms
> where TLS is currently broken.

If TLS were "broken" then it would be irrelevant whether certificates are
valid or not. I don't know if TLS is actually broken on Windows, but I know
it has been in the past because no active developer cares about TLS on
Windows.

-- 
Rémi Denis-Courmont
http://www.remlab.net
http://fi.linkedin.com/in/remidenis
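The distinction argued above, a global "skip verification" switch versus trusting a specific certificate through a certificate store, as an added example that is not VLC code and not from the author of this message. It serves a constructed self-signed certificate on loopback and runs three client policies against it; it assumes Go's standard crypto/tls and a usable loopback interface.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// accepts reports whether a client following cfg completes a handshake with addr.
func accepts(addr string, cfg *tls.Config) bool {
	c, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		c.Close()
	}
	return err == nil
}

// VerifyOutcomes serves a constructed self-signed certificate (the thread's "badly
// configured server") on loopback and tries three client policies against it.
func VerifyOutcomes() (systemRejects, skipAccepts, trustedAccepts bool, err error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil { return }
	leaf, _ := x509.ParseCertificate(der) // cannot fail: DER was produced just above
	srv := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}})
	if err != nil { return }
	defer ln.Close()
	go func() { // minimal server: complete each handshake, then hang up
		for c, e := ln.Accept(); e == nil; c, e = ln.Accept() {
			c.(*tls.Conn).Handshake(); c.Close()
		}
	}()
	addr := ln.Addr().String()
	// 1. Default policy, system CA store: issuer unknown, connection refused.
	systemRejects = !accepts(addr, &tls.Config{ServerName: "localhost"})
	// 2. Verification disabled: this cert, or an interceptor's, is accepted alike.
	skipAccepts = accepts(addr, &tls.Config{ServerName: "localhost", InsecureSkipVerify: true})
	// 3. Trust this one certificate (a certificate manager's job); others still fail.
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	trustedAccepts = accepts(addr, &tls.Config{ServerName: "localhost", RootCAs: pool})
	return
}
```

Policy 3 is the only one that keeps protection against an interceptor while still reaching the misconfigured server, which is why a system or browser certificate store, not an off switch, is the right place to fix this.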



