[vlc-devel] [PATCH 1/2] gnutls: show a dialog allowing the user to bypass certificate issues

Ludovic Fauvet etix at videolan.org
Thu Jun 21 10:34:48 CEST 2012

On Thu, Jun 21, 2012 at 5:13 AM, Rémi Denis-Courmont <remi at remlab.net> wrote:
> Le jeudi 21 juin 2012 02:35:58 Ludovic Fauvet, vous avez écrit :
>> ---
>>  include/vlc_tls.h     |    2 +-
>>  modules/access/http.c |    4 +++-
>>  modules/misc/gnutls.c |   37 ++++++++++++++++++++++++++++++++++---
>>  src/network/tls.c     |    9 +++++----
>>  4 files changed, 43 insertions(+), 9 deletions(-)
> I don't understand why you export the trust bit. If the certificate is not
> trustworthy, the connection should fail anyway.

The reason is that the GNU TLS module is loaded 5 times for a single
connection, thus asking the user's authorization 5 times in a row and
AFAIK exporting the trust bit to the http module is the most obvious
way to keep the state for the whole http session.

> I think the messages are way too simplistic for normal people to understand.
> Conversely, for expired certificates, the dates are needed. For mismatched
> namse, the names are needed. And for untrusted roots, the certificates need to
> be shown. Otherwise there is no way to determine whether the situation is safe
> or not.

A question dialog won't suffice then.

> I am also not sure this works very well with streaming output cases.

This code is for the TLS client only. Shouldn't be an issue for
streaming output cases.

Best regards,
-- Ludovic Fauvet

More information about the vlc-devel mailing list