[vlc-devel] add support for https video streaming from websites with untrusted SSL certificates
Rémi Denis-Courmont
remi at remlab.net
Tue Dec 21 02:31:50 CET 2010
Hello,
On Tuesday 21 December 2010, Francois Cartegnie wrote:
> - Regarding my June patch for CA locations, you taught me that the CA path
> must be specified by packagers: This must be a system path and then
> unprivileged users won't be able to add a CA.
>
> So, there's one problem: Users can't set a TLS streaming server without
> having a certificate signed by a root CA, or installing another CA in the
> client's system directory.
Uh? The GnuTLS plugin looks -recursively- for certificates in two locations:
- $(sysconfdir)/ssl/certs/ca-certificates.crt
- $XDG_DATA_HOME/vlc/ssl/certs
The first one is normally controlled by the system administrator, but the user
is free to add certificates to the second location. Unfortunately, I am not
aware of any standardized location for applications to store this. But I'd be
happy to implement it if XDG defines one.
> That's why vlc should either provide support for an additional (and provide
> a minimal interface to) certificates directory or provide a way to accept
> self signed CA.
As I already said, a proper certificate manager is awfully complicated, not to
mention that it will be difficult to split the UI from the x509 back-end. On top
of that, most users are unlikely to even understand certificate management.
System administrators also do not want to provision VLC separately. That is
not exactly the most important VLC use case for us to work so much on it.
So I really think VLC should use the system stores. It's probably simpler to
implement (on lacking platforms) than a custom certificate manager.
--
Rémi Denis-Courmont
http://www.remlab.net/
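
Added example, not part of the original message and not VLC's own code: a Python sketch that resolves the two locations named above and audits the user-writable one recursively, since any certificate placed there becomes trusted for that user. It assumes `sysconfdir` is `/etc`, uses the XDG default of `~/.local/share` when `XDG_DATA_HOME` is unset, and assumes certificates are stored as PEM; all function names are hypothetical.

```python
import os
import re
import tempfile

# Assumption: certificates in the store are PEM-encoded.
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def trust_locations(env, sysconfdir="/etc"):
    """Return (system_bundle, user_dir) as named in the message above.
    sysconfdir is a build-time value; "/etc" is an assumption."""
    data_home = env.get("XDG_DATA_HOME") or os.path.join(
        env.get("HOME", "/"), ".local", "share")  # XDG default
    return (os.path.join(sysconfdir, "ssl", "certs", "ca-certificates.crt"),
            os.path.join(data_home, "vlc", "ssl", "certs"))

def audit_user_store(user_dir):
    """Walk user_dir recursively; report each file, how many PEM
    certificate blocks it holds, and whether group/other can write it."""
    findings = []
    for root, _dirs, files in os.walk(user_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                count = len(PEM_CERT.findall(fh.read()))
            loose = bool(os.stat(path).st_mode & 0o022)
            findings.append((os.path.relpath(path, user_dir), count, loose))
    return sorted(findings)

def demo():
    """Build a constructed store in a temp dir and audit it."""
    fake = (b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
            b"-----END CERTIFICATE-----\n")  # constructed, not a real cert
    with tempfile.TemporaryDirectory() as home:
        _, user_dir = trust_locations({"HOME": home})
        os.makedirs(os.path.join(user_dir, "lab"))
        ca = os.path.join(user_dir, "lab", "streaming-ca.pem")
        other = os.path.join(user_dir, "notes.txt")
        with open(ca, "wb") as fh:
            fh.write(fake * 2)
        with open(other, "wb") as fh:
            fh.write(b"not a certificate\n")
        os.chmod(ca, 0o600)
        os.chmod(other, 0o666)
        return audit_user_store(user_dir)

if __name__ == "__main__":
    for rel, count, loose in demo():
        print(f"{rel}: {count} cert block(s), group/other-writable={loose}")
```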