Bug 139041

Summary: [GTK] TLS errors on Vimeo couch mode
Product: WebKit Reporter: Philippe Normand <pnormand>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: cgarcia, mcatanzaro, mrobinson, svillar
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Philippe Normand
Reported 2014-11-25 03:54:52 PST
http://vimeo.com/couchmode 0:00:03.852302965 18966 0x277a720 ERROR webkitwebsrc ../../Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:1031:loadFailed:<source> Have failure: Unacceptable TLS certificate 0:00:03.853085771 18966 0x277a720 ERROR webkitmediaplayer ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:926:handleMessage: Error 1: Unacceptable TLS certificate (url=https://player.vimeo.com/play/309007357?s=111690998_1416952410_98a4c046fe163476687a23934f460865&loc=local&context=couchmode.main) 0:00:04.592448827 18966 0x277a720 ERROR webkitwebsrc ../../Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:1031:loadFailed:<source> Have failure: Unacceptable TLS certificate 0:00:04.593346377 18966 0x277a720 ERROR webkitmediaplayer ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:926:handleMessage: Error 1: Unacceptable TLS certificate (url=https://player.vimeo.com/play/309007354?s=111690998_1416952410_6c8eafcbb79e1cbc2ca0ccc6073e293f&loc=local&context=couchmode.main) 0:00:05.324857756 18966 0x277a720 ERROR webkitwebsrc ../../Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:1031:loadFailed:<source> Have failure: Unacceptable TLS certificate 0:00:05.325622376 18966 0x277a720 ERROR webkitmediaplayer ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:926:handleMessage: Error 1: Unacceptable TLS certificate (url=https://player.vimeo.com/play/309007356?s=111690998_1416952410_5b14de05f03252132d5c3127c8289a94&loc=local&context=couchmode.main)
Attachments
Add attachment proposed patch, testcase, etc.
Philippe Normand
Comment 1 2014-11-25 04:18:27 PST
gnutls-cli player.vimeo.com Processed 172 CA certificate(s). Resolving 'player.vimeo.com'... Connecting to '74.113.233.133:443'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject `C=US,ST=New York,L=New York,O=Vimeo\, LLC,CN=*.vimeo.com', issuer `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-02-05 00:00:00 UTC', expires `2017-02-08 12:00:00 UTC', SHA-1 fingerprint `2541f2dc97af57f19c1903ed823ca72e82d027b9' Public Key ID: f2f428bc859a874f7b0b724aa31f8b7ee8a96fa3 Public key's random art: +--[ RSA 2048]----+ | | | | | | | | | . S | | . = o | | .=.B + . | | +=o@.*. | |EBB+*o+... | +-----------------+ - Certificate[1] info: - subject `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', SHA-1 fingerprint `1fb86b1168ec743154062e8c9cc5b171a4b7ccb4' - Status: The certificate is trusted. - Description: (TLS1.2)-(RSA)-(ARCFOUR-128)-(SHA1) - Session ID: 64:B2:45:CB:89:DE:EE:88:30:32:5B:39:34:DD:0F:E1:24:4B:18:77:E3:4A:8C:05:B9:2F:30:DC:DB:30:39:00 - Version: TLS1.2 - Key Exchange: RSA - Cipher: ARCFOUR-128 - MAC: SHA1 - Compression: NULL - Handshake was completed - Simple Client Mode: ^C
Michael Catanzaro
Comment 2 2014-11-26 17:46:56 PST
This turned out to be a Debian packaging bug [1] we've seen before. Philippe's GTE CyberTrust Global Root certificate was improperly disabled. As for why the gnutls-cli connection worked and why the chain only involves DigiCert: the video is not coming from player.vimeo.com, it's actually coming from pdlvimoecdn-a.akamaihd.net. (I'm a little surprised that wasn't reflected in the URL printed on the command line; I discovered this with the web inspector.) Anyway, I'd close this bug, but I haven't been granted bug edit powers yet. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339
Philippe Normand
Comment 3 2014-11-27 00:17:08 PST
(In reply to comment #2) > Anyway, I'd close this bug, but I haven't been granted bug edit powers yet. > Thou shall now have those powers, use them with seldom :)
Note You need to log in before you can comment on or make changes to this bug.