From mboxrd@z Thu Jan 1 00:00:00 1970 From: Bengt Richter Subject: Re: Feedback from JRES in Dijon Date: Sun, 8 Dec 2019 15:09:23 -0800 Message-ID: <20191208230923.GA944@PhantoNv4ArchGx.localdomain> References: <8D474474-AF4C-4B03-9D38-3BB089BEE4EB@lepiller.eu> <87tv6ec048.fsf@ambrevar.xyz> <14A62244-3626-4146-B40E-BC5CED4B78D3@lepiller.eu> <20191206070455.GA28637@PhantoNv4ArchGx.localdomain> <87zhg4ccw9.fsf@ngyro.com> <20191208024849.GA11149@PhantoNv4ArchGx.localdomain> <87lfrnv4m0.fsf@ngyro.com> Reply-To: Bengt Richter Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:43695) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ie5gJ-0004fT-65 for guix-devel@gnu.org; Sun, 08 Dec 2019 18:09:40 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ie5gH-0001LC-IZ for guix-devel@gnu.org; Sun, 08 Dec 2019 18:09:38 -0500 Received: from imta-38.everyone.net ([216.200.145.38]:39738) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ie5gH-0001Dv-9x for guix-devel@gnu.org; Sun, 08 Dec 2019 18:09:37 -0500 Content-Disposition: inline In-Reply-To: <87lfrnv4m0.fsf@ngyro.com> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Timothy Sample Cc: Guix Devel Hi Tim, Konrad, On +2019-12-07 23:11:19 -0500, Timothy Sample wrote: > Hi Bengt, >=20 > I omitted a lot of your message, but I hope I have the easy explanation > you=E2=80=99re looking for. :) >=20 > Bengt Richter writes: >=20 > > On +2019-12-07 11:35:02 -0500, Timothy Sample wrote: > >>=20 > >> [...] > >>=20 > >> Unfortunately, I got certificate errors, but VLC lets you temporaril= y > >> ignore those. > > > > [...] > > > > Anyone see an easy explanation? >=20 > After a little more digging, it seems that the certificate sent for > =E2=80=9Cccwebcast.in2p3.fr=E2=80=9D is signed with an intermediate cer= tificate from > =E2=80=9CTERENA=E2=80=9D. This is in turn signed with a DigiCert root = certificate. > Unfortunately it looks like =E2=80=9Cccwebcast.in2p3.fr=E2=80=9D doesn=E2= =80=99t send the whole > certificate chain, and the TERENA cert is not part of our =E2=80=9Cnss-= certs=E2=80=9D > package, so tools using certs from that package (basically everything o= n > a normal Guix install) will be unwilling to trust =E2=80=9Cccwebcast.in= 2p3.fr=E2=80=9D. > IceCat is okay with it, but it uses its own certificates (it must know > about the TERENA cert, so it doesn=E2=80=99t need the whole chain). >=20 > Fortunately, for exceptional situations like this, you can tell most > tools to skip certificate validation (like I mentioned with VLC). For > youtube-dl, you can use the =E2=80=9C--no-check-certificate=E2=80=9D op= tion. Note > however that this is rather dangerous in general, since you are telling > youtube-dl allow anyone to pretend to be anyone else! In this case, > since it=E2=80=99s just a video and IceCat is okay with the certificate= it=E2=80=99s > probably fine. Just be careful. :) >=20 >=20 > -- Tim Thank you very much for digging and providing the dangerous solution :) (I suppressed my paranoia this once, and it did work BTW :) BTW2, I have icecat installed, so I wonder if, given that it "uses its ow= n certificates" (and knows about TEREMA) is there a cert-PATH that could be extended so o= ther apps see icecat's cert info in addition to their own? BTW3, Konrad, That was a nice presentation -- are the tools you used to prepare it and = present it available as libre packages? (I'm not insisting you answer ;-) --=20 Regards, Bengt Richter