139041 2014-11-25 03:54:52 -0800 [GTK] TLS errors on Vimeo couch mode 2014-11-27 00:17:08 -0800 1 1 1 Unclassified WebKit WebKitGTK 528+ (Nightly build) Unspecified Unspecified RESOLVED WORKSFORME P2 Normal --- 1 pnormand webkit-unassigned cgarcia mcatanzaro mrobinson svillar oldest_to_newest 1050981 0 pnormand 2014-11-25 03:54:52 -0800 http://vimeo.com/couchmode 0:00:03.852302965 18966 0x277a720 ERROR webkitwebsrc ../../Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:1031:loadFailed:<source> Have failure: Unacceptable TLS certificate 0:00:03.853085771 18966 0x277a720 ERROR webkitmediaplayer ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:926:handleMessage: Error 1: Unacceptable TLS certificate (url=https://player.vimeo.com/play/309007357?s=111690998_1416952410_98a4c046fe163476687a23934f460865&loc=local&context=couchmode.main) 0:00:04.592448827 18966 0x277a720 ERROR webkitwebsrc ../../Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:1031:loadFailed:<source> Have failure: Unacceptable TLS certificate 0:00:04.593346377 18966 0x277a720 ERROR webkitmediaplayer ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:926:handleMessage: Error 1: Unacceptable TLS certificate (url=https://player.vimeo.com/play/309007354?s=111690998_1416952410_6c8eafcbb79e1cbc2ca0ccc6073e293f&loc=local&context=couchmode.main) 0:00:05.324857756 18966 0x277a720 ERROR webkitwebsrc ../../Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:1031:loadFailed:<source> Have failure: Unacceptable TLS certificate 0:00:05.325622376 18966 0x277a720 ERROR webkitmediaplayer ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:926:handleMessage: Error 1: Unacceptable TLS certificate (url=https://player.vimeo.com/play/309007356?s=111690998_1416952410_5b14de05f03252132d5c3127c8289a94&loc=local&context=couchmode.main) 1050982 1 pnormand 2014-11-25 04:18:27 -0800 gnutls-cli player.vimeo.com Processed 172 CA certificate(s). Resolving 'player.vimeo.com'... Connecting to '74.113.233.133:443'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject `C=US,ST=New York,L=New York,O=Vimeo\, LLC,CN=*.vimeo.com', issuer `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-02-05 00:00:00 UTC', expires `2017-02-08 12:00:00 UTC', SHA-1 fingerprint `2541f2dc97af57f19c1903ed823ca72e82d027b9' Public Key ID: f2f428bc859a874f7b0b724aa31f8b7ee8a96fa3 Public key's random art: +--[ RSA 2048]----+ | | | | | | | | | . S | | . = o | | .=.B + . | | +=o@.*. | |EBB+*o+... | +-----------------+ - Certificate[1] info: - subject `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', SHA-1 fingerprint `1fb86b1168ec743154062e8c9cc5b171a4b7ccb4' - Status: The certificate is trusted. - Description: (TLS1.2)-(RSA)-(ARCFOUR-128)-(SHA1) - Session ID: 64:B2:45:CB:89:DE:EE:88:30:32:5B:39:34:DD:0F:E1:24:4B:18:77:E3:4A:8C:05:B9:2F:30:DC:DB:30:39:00 - Version: TLS1.2 - Key Exchange: RSA - Cipher: ARCFOUR-128 - MAC: SHA1 - Compression: NULL - Handshake was completed - Simple Client Mode: ^C 1051138 2 mcatanzaro 2014-11-26 17:46:56 -0800 This turned out to be a Debian packaging bug [1] we've seen before. Philippe's GTE CyberTrust Global Root certificate was improperly disabled. As for why the gnutls-cli connection worked and why the chain only involves DigiCert: the video is not coming from player.vimeo.com, it's actually coming from pdlvimoecdn-a.akamaihd.net. (I'm a little surprised that wasn't reflected in the URL printed on the command line; I discovered this with the web inspector.) Anyway, I'd close this bug, but I haven't been granted bug edit powers yet. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339 1051145 3 pnormand 2014-11-27 00:17:08 -0800 (In reply to comment #2) > Anyway, I'd close this bug, but I haven't been granted bug edit powers yet. > Thou shall now have those powers, use them with seldom :)