[vlc-devel] [PATCH 1/2] gnutls: show a dialog allowing the user to bypass certificate issues
etix at videolan.org
Thu Jun 21 10:34:48 CEST 2012
On Thu, Jun 21, 2012 at 5:13 AM, Rémi Denis-Courmont <remi at remlab.net> wrote:
> Le jeudi 21 juin 2012 02:35:58 Ludovic Fauvet, vous avez écrit :
>> include/vlc_tls.h | 2 +-
>> modules/access/http.c | 4 +++-
>> modules/misc/gnutls.c | 37 ++++++++++++++++++++++++++++++++++---
>> src/network/tls.c | 9 +++++----
>> 4 files changed, 43 insertions(+), 9 deletions(-)
> I don't understand why you export the trust bit. If the certificate is not
> trustworthy, the connection should fail anyway.
The reason is that the GNU TLS module is loaded 5 times for a single
connection, thus asking the user's authorization 5 times in a row and
AFAIK exporting the trust bit to the http module is the most obvious
way to keep the state for the whole http session.
> I think the messages are way too simplistic for normal people to understand.
> Conversely, for expired certificates, the dates are needed. For mismatched
> namse, the names are needed. And for untrusted roots, the certificates need to
> be shown. Otherwise there is no way to determine whether the situation is safe
> or not.
A question dialog won't suffice then.
> I am also not sure this works very well with streaming output cases.
This code is for the TLS client only. Shouldn't be an issue for
streaming output cases.
-- Ludovic Fauvet
More information about the vlc-devel