342 replies to this topic

[athoik]

There is already a bug: https://bugzilla.gno...g.cgi?id=775721

I guess next time we/I should check bugs before investigating

[Taapat]

Before check bugs need to know exactly what needs to check  .

In any case thank you, I can confirm that this patch fix my problem with 112 live stream.

[athoik]

Also @samsamsam hit the bug:

https://bugzilla.gno...g.cgi?id=775774

He would probably warn us, but he left OpenPLi

[samsamsam]

@athoik

 

Yes I also prepared patch for this. It is not hard to do.

Edited by samsamsam, 28 March 2017 - 20:56.

[athoik]

Nice to see you here.

Once you realize that ca-certificates is not used, things are getting easy!

Edited by athoik, 28 March 2017 - 21:17.

[littlesat]

Do we need to do something or do we just need to wait?

[samsamsam]

Hello @athoik,

 

I just left IPTVPlayer because of you know who.

 

There is one more problem with  TLS backend based on OpenSSL.

You need to add another patch to call function

SSL_set_tlsext_host_name(ssl, servername)

to set server domain otherwise SNI will not be works.

 

This is also simple patch:

You can check were gnutls_server_name_set  (this is GnuTLS equivalent) is called in GnuTLS backend.

 

Regards,

SSS

Edited by samsamsam, 28 March 2017 - 21:29.

[athoik]

@samsamsam, humans what a strange animal....

Regarding SNI, I guess the following will do the job

It seems that nobody is really looking on their bugtracker, but I will post the patch a see if they going to review it.

Till then, most probably patches can be added to our bitbake.

BTW, I followed your advice and totally get rid of gnutls to master-next, by switch to OpenSSL other packages as well. Images reduced few MB!

diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index cb9e647..26f4449 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -422,6 +422,7 @@ g_tls_client_connection_openssl_initable_init (GInitable       *initable,
   GTlsClientConnectionOpenssl *client = G_TLS_CLIENT_CONNECTION_OPENSSL (initable);
   GTlsClientConnectionOpensslPrivate *priv;
   long options;
+  const char *hostname;

   priv = g_tls_client_connection_openssl_get_instance_private (client);

@@ -437,25 +438,21 @@ g_tls_client_connection_openssl_initable_init (GInitable       *initable,
     }

   options = SSL_OP_NO_TICKET;
+  hostname = get_server_identity (client);

   /* Only TLS 1.2 or higher */
   SSL_CTX_set_options (priv->ssl_ctx, options);

 #if OPENSSL_VERSION_NUMBER >= 0x10200000L
-  {
-    const char *hostname;
-
-    hostname = get_server_identity (client);
-    if (hostname)
-      {
-        X509_VERIFY_PARAM *param;
-
-        param = X509_VERIFY_PARAM_new ();
-        X509_VERIFY_PARAM_set1_host (param, hostname);
-        SSL_CTX_set1_param (priv->ssl_ctx, param);
-        X509_VERIFY_PARAM_free (param);
-      }
-  }
+  if (hostname)
+    {
+      X509_VERIFY_PARAM *param;
+
+      param = X509_VERIFY_PARAM_new ();
+      X509_VERIFY_PARAM_set1_host (param, hostname);
+      SSL_CTX_set1_param (priv->ssl_ctx, param);
+      X509_VERIFY_PARAM_free (param);
+    }
 #endif

   SSL_CTX_set_generate_session_id (priv->ssl_ctx, generate_session_id);
@@ -477,6 +474,11 @@ g_tls_client_connection_openssl_initable_init (GInitable       *initable,
   data_index = SSL_get_ex_new_index (0, "gtlsclientconnection", NULL, NULL, NULL);
   SSL_set_ex_data (priv->ssl, data_index, client);

+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+  if (hostname)
+    SSL_set_tlsext_host_name (priv->ssl, hostname);
+#endif
+
   SSL_set_connect_state (priv->ssl);

   if (!g_tls_client_connection_openssl_parent_initable_iface->

[samsamsam]

@athoik

 

Yes, this patch looks exactly as it should.

 

I use this TLS backed with this two patches since at least three months. 

And everything works just like it should. I do not have any further problems.

But, first of all OpenSSL is much, much faster than GnuTLS.

 

Regards,

SSS

Edited by samsamsam, 28 March 2017 - 22:44.

[WanWizard]

Guys, may I just say

[athoik]

PR: https://github.com/O...e-core/pull/194

Both patches reported upstream, so others user will benefit as well. Until then patches added in recipe in master-next.

[WanWizard]

Merged. I assume you keep an eye on upstream?

[athoik]

Sure, I will receive an email from gnome bugzilla once tickets change status

[Orkf]

Does the slot ci+ work on beta OpenPLI 5 ?

[WanWizard]

The slot works.

 

If you mean if a CI+ module works in CI+ mode in that slot, the answer is no. Not until someone creates a generic solution that doesn't violate any legal constraints (i.e. doesn't contain a CI+ certificate, either as file or obscured in a binary).

[athoik]

Merged. I assume you keep an eye on upstream?

Upstream patches commited, will update to new tag later today.

[athoik]

glib-openssl updated to 2.50.2 that includes the patches added previously in order to solve SNI and CA certificates issues.

PR: https://github.com/O...e-core/pull/199

Edited by athoik, 7 April 2017 - 20:53.

[WanWizard]

Merged.

[athoik]

Great, lets hope that faster libsouphttp will make gstreamer experience better

[WanWizard]

Now if we could go back to the original topic and fix that too?