Bug 139041

Summary: [GTK] TLS errors on Vimeo couch mode
Product: WebKit
Reporter: Philippe Normand <pnormand>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME
Severity: Normal
CC: cgarcia, mcatanzaro, mrobinson, svillar
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Description Philippe Normand 2014-11-25 03:54:52 PST
http://vimeo.com/couchmode

0:00:03.852302965 18966      0x277a720 ERROR           webkitwebsrc ../../Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:1031:loadFailed:<source> Have failure: Unacceptable TLS certificate
0:00:03.853085771 18966      0x277a720 ERROR      webkitmediaplayer ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:926:handleMessage: Error 1: Unacceptable TLS certificate (url=https://player.vimeo.com/play/309007357?s=111690998_1416952410_98a4c046fe163476687a23934f460865&loc=local&context=couchmode.main)
0:00:04.592448827 18966      0x277a720 ERROR           webkitwebsrc ../../Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:1031:loadFailed:<source> Have failure: Unacceptable TLS certificate
0:00:04.593346377 18966      0x277a720 ERROR      webkitmediaplayer ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:926:handleMessage: Error 1: Unacceptable TLS certificate (url=https://player.vimeo.com/play/309007354?s=111690998_1416952410_6c8eafcbb79e1cbc2ca0ccc6073e293f&loc=local&context=couchmode.main)
0:00:05.324857756 18966      0x277a720 ERROR           webkitwebsrc ../../Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:1031:loadFailed:<source> Have failure: Unacceptable TLS certificate
0:00:05.325622376 18966      0x277a720 ERROR      webkitmediaplayer ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:926:handleMessage: Error 1: Unacceptable TLS certificate (url=https://player.vimeo.com/play/309007356?s=111690998_1416952410_5b14de05f03252132d5c3127c8289a94&loc=local&context=couchmode.main)
Comment 1 Philippe Normand 2014-11-25 04:18:27 PST
gnutls-cli player.vimeo.com
Processed 172 CA certificate(s).
Resolving 'player.vimeo.com'...
Connecting to '74.113.233.133:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=US,ST=New York,L=New York,O=Vimeo\, LLC,CN=*.vimeo.com', issuer `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-02-05 00:00:00 UTC', expires `2017-02-08 12:00:00 UTC', SHA-1 fingerprint `2541f2dc97af57f19c1903ed823ca72e82d027b9'
        Public Key ID:
                f2f428bc859a874f7b0b724aa31f8b7ee8a96fa3
        Public key's random art:
                +--[ RSA 2048]----+
                |                 |
                |                 |
                |                 |
                |                 |
                |      . S        |
                |     . = o       |
                |   .=.B + .      |
                |  +=o@.*.        |
                |EBB+*o+...       |
                +-----------------+

- Certificate[1] info:
 - subject `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', SHA-1 fingerprint `1fb86b1168ec743154062e8c9cc5b171a4b7ccb4'
- Status: The certificate is trusted. 
- Description: (TLS1.2)-(RSA)-(ARCFOUR-128)-(SHA1)
- Session ID: 64:B2:45:CB:89:DE:EE:88:30:32:5B:39:34:DD:0F:E1:24:4B:18:77:E3:4A:8C:05:B9:2F:30:DC:DB:30:39:00
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:


^C
Comment 2 Michael Catanzaro 2014-11-26 17:46:56 PST
This turned out to be a Debian packaging bug [1] we've seen before. Philippe's GTE CyberTrust Global Root certificate was improperly disabled. As for why the gnutls-cli connection worked and why the chain only involves DigiCert: the video is not coming from player.vimeo.com, it's actually coming from pdlvimoecdn-a.akamaihd.net. (I'm a little surprised that wasn't reflected in the URL printed on the command line; I discovered this with the web inspector.)

Anyway, I'd close this bug, but I haven't been granted bug edit powers yet.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339
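
Added example (not part of the bug thread and not WebKit or Debian code): a check for whether a named root CA is deselected in the system trust configuration, which is the condition comment 2 identifies as the cause. It assumes the disabled state appears as a `!`-prefixed entry in Debian's /etc/ca-certificates.conf; the sample file contents, certificate paths and function names are constructed for illustration.

```python
import re

# Constructed sample in the format of Debian's /etc/ca-certificates.conf:
# '#' starts a comment, '!' marks a certificate as deselected (not trusted).
SAMPLE_CONF = """\
# This file lists certificates that you wish to use or to ignore.
mozilla/DigiCert_Global_Root_CA.crt
!mozilla/GTE_CyberTrust_Global_Root.crt
mozilla/Baltimore_CyberTrust_Root.crt
"""

def parse_conf(text):
    """Return (enabled, deselected) lists of certificate paths."""
    enabled, deselected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("!"):
            deselected.append(line[1:].strip())
        else:
            enabled.append(line)
    return enabled, deselected

def _key(name):
    """Reduce a CN or a .crt path to lowercase alphanumerics for comparison."""
    base = name.rsplit("/", 1)[-1]
    if base.endswith(".crt"):
        base = base[:-4]
    return re.sub(r"[^a-z0-9]", "", base.lower())

def root_status(conf_text, root_cn):
    """Classify a root CA name as 'enabled', 'deselected' or 'absent'."""
    enabled, deselected = parse_conf(conf_text)
    want = _key(root_cn)
    if any(_key(p) == want for p in deselected):
        return "deselected"
    if any(_key(p) == want for p in enabled):
        return "enabled"
    return "absent"

if __name__ == "__main__":
    # Roots named in this thread: the one gnutls-cli validated against,
    # and the one comment 2 reports as improperly disabled.
    for cn in ("DigiCert Global Root CA", "GTE CyberTrust Global Root"):
        print(cn, "->", root_status(SAMPLE_CONF, cn))
```

On a real system, pass the contents of /etc/ca-certificates.conf instead of SAMPLE_CONF, and take the root name from the chain of the host that actually serves the media, not the host in the logged URL.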
Comment 3 Philippe Normand 2014-11-27 00:17:08 PST
(In reply to comment #2)

> Anyway, I'd close this bug, but I haven't been granted bug edit powers yet.
> 

Thou shall now have those powers, use them with seldom :)