[FFmpeg-trac] #3905(undetermined:new): HTTPS SSL certificate for source.ffmpeg.org is broken
FFmpeg
trac at avcodec.org
Sat Aug 30 15:34:41 CEST 2014
#3905: HTTPS SSL certificate for source.ffmpeg.org is broken
-------------------------------------+-------------------------------------
Reporter: | Owner:
ahthovaikied | Status: new
Type: defect | Component:
Priority: normal | undetermined
Version: unspecified | Resolution:
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Comment (by ahthovaikied):
Replying to [comment:7 cehoyos]:
> Do I understand correctly that if the issue gets fixed (can we fix this
at all or does videolan have to fix it?) you would trust the downloaded
source without comparing the hashes?
Let's be realistic here, you can not rely on people manually comparing the
hashes (with what anyway?). I bet most people who clone the source are
using scripts anyway.
By the way, Git commit hashes are SHA1 which is not considered
cryptographically strong, and were never intended to be used for security
purpose in Git.
Replying to [comment:7 cehoyos]:
> Is it so unlikely that the server gets hacked?
It's not, but it's a different attack surface.
> Anyway: I suggest you test git.videolan.org instead of source.ffmpeg.org
which will hopefully fix the issue. (Please don't suggest this solution to
others if it works for you.)
git.videolan.org fixes it.
I'm no HTTPS specialist but my understanding is that the problem comes
from the way you redirect from source.fmpeg.org to git.videolan.org.
You already have a valid certificate for *.fmpeg.org, so this should only
be a matter of configuration.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/3905#comment:8>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
More information about the FFmpeg-trac
mailing list