[vlc-devel] add support for https video streaming from websites with untrusted SSL certificates

Rémi Denis-Courmont remi at remlab.net
Tue Dec 21 02:31:50 CET 2010


On Tuesday 21 December 2010, Francois Cartegnie wrote:
> - Regarding my June patch for CA locations, you learned me that the CA path
> must be specified by packagers: This must be a system path and then
> unprivilegied users won't be able to add CA.
> So, there's one problem: Users can't set a TLS streaming server without
> having a certificate signed by a root CA, or installing another CA in the
> clients's system directory.

Uh? The GnuTLS plugin looks -recursively- for certificate in two locations:
- $(sysconfdir)/ssl/certs/ca-certificates.crt
- $XDG_DATA_HOME/vlc/ssl/certs

The first one is normally controlled by the system administrator, but the user 
is free to add certificates to the second location. Unfortunately, I am not 
aware of any standardized location for applications to store this. But I'd be 
happy to implement it if XDG defines ones.

> That's why vlc should either provide support for an additional (and provide
> a minimal interface to) certificates directory or provide a way to accept
> self signed CA.

As I already said, a proper certificate manager is awfully complicated, not to 
mention that it will be difficult to split the UI from the x509 back-end. On top 
of that most users are unlikely to even understand certificate management. 
System administrators also do not want to provision VLC separately. That is 
not exactly the most important VLC use case for us to work so much on it.

So I really think VLC should use the system stores. It's probably simpler to 
implement (on lacking platforms) than a custom certificate manager.

Rémi Denis-Courmont

More information about the vlc-devel mailing list