From: Timothy Sample
Subject: Re: Feedback from JRES in Dijon
Date: Sat, 07 Dec 2019 23:11:19 -0500
Message-ID: <87lfrnv4m0.fsf@ngyro.com>
To: Bengt Richter
Cc: Guix Devel

Hi Bengt,

I omitted a lot of your message, but I hope I have the easy explanation
you’re looking for. :)

Bengt Richter writes:

> On +2019-12-07 11:35:02 -0500, Timothy Sample wrote:
>>
>> [...]
>>
>> Unfortunately, I got certificate errors, but VLC lets you temporarily
>> ignore those.
>
> [...]
>
> Anyone see an easy explanation?

After a little more digging, it seems that the certificate sent for
“ccwebcast.in2p3.fr” is signed with an intermediate certificate from
“TERENA”. This is in turn signed with a DigiCert root certificate.
Unfortunately it looks like “ccwebcast.in2p3.fr” doesn’t send the whole
certificate chain, and the TERENA cert is not part of our “nss-certs”
package, so tools using certs from that package (basically everything on
a normal Guix install) will be unwilling to trust “ccwebcast.in2p3.fr”.
IceCat is okay with it, but it uses its own certificates (it must know
about the TERENA cert, so it doesn’t need the whole chain).

Fortunately, for exceptional situations like this, you can tell most
tools to skip certificate validation (like I mentioned with VLC). For
youtube-dl, you can use the “--no-check-certificate” option. Note
however that this is rather dangerous in general, since you are telling
youtube-dl to allow anyone to pretend to be anyone else! In this case,
since it’s just a video and IceCat is okay with the certificate it’s
probably fine. Just be careful. :)

--
Tim
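
An added example, not part of the message above: the missing-intermediate failure reproduced offline with the openssl command-line tool. The CA and host names are constructed, and the client's trust store is modelled as a single root file (an assumption standing in for a package like nss-certs).

```shell
#!/bin/sh
# Constructed lab PKI (all names are made up): root CA -> intermediate CA -> leaf.

# Create the three certificates in a fresh temp directory and print its path.
build_lab() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" &&
        printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[v3_ca]' \
            'basicConstraints=critical,CA:TRUE' > ca.cnf &&
        openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 \
            -nodes -keyout root.key -out root.pem -days 2 \
            -subj "/CN=Constructed Root CA" &&
        openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout inter.key \
            -out inter.csr -subj "/CN=Constructed Intermediate CA" &&
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -extfile ca.cnf -extensions v3_ca \
            -out inter.pem -days 2 &&
        openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
            -out leaf.csr -subj "/CN=media.example" &&
        openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
            -CAcreateserial -out leaf.pem -days 2
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}

# Validate leaf.pem as a client whose trust store holds only the root.
# $1 = lab directory; $2 = optional PEM file of extra certificates the server
# sent with the leaf (-untrusted: used to build the chain, never trusted itself).
chain_verifies() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$1/root.pem" -untrusted "$2" \
            "$1/leaf.pem" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1) || true
    fi
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

dir=$(build_lab) || { echo "openssl failed or is not installed" >&2; exit 1; }
if chain_verifies "$dir"; then echo "leaf only: accepted"
else echo "leaf only: rejected, issuer not in trust store"; fi
if chain_verifies "$dir" "$dir/inter.pem"; then echo "leaf + intermediate: accepted"
else echo "leaf + intermediate: rejected"; fi
rm -rf "$dir"
```

The first check fails and the second succeeds with the same trust store, which shows the certificate itself is sound and only the chain delivery is incomplete. The durable fix is for the server to send the intermediate with the leaf, which keeps validation enabled in the client.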