[FFmpeg-trac] #3905(undetermined:new): HTTPS SSL certificate for source.ffmpeg.org is broken

FFmpeg trac at avcodec.org
Sat Aug 30 15:34:41 CEST 2014

#3905: HTTPS SSL certificate for source.ffmpeg.org is broken
             Reporter:               |                    Owner:
  ahthovaikied                       |                   Status:  new
                 Type:  defect       |                Component:
             Priority:  normal       |  undetermined
              Version:  unspecified  |               Resolution:
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |

Comment (by ahthovaikied):

 Replying to [comment:7 cehoyos]:
 > Do I understand correctly that if the issue gets fixed (can we fix this
 at all or does videolan have to fix it?) you would trust the downloaded
 source without comparing the hashes?
 Let's be realistic here, you can not rely on people manually comparing the
 hashes (with what anyway?). I bet most people who clone the source are
 using scripts anyway.
 By the way, Git commit hashes are SHA1 which is not considered
 cryptographically strong, and were never intended to be used for security
 purpose in Git.

 Replying to [comment:7 cehoyos]:
 > Is it so unlikely that the server gets hacked?
 It's not, but it's a different attack surface.

 > Anyway: I suggest you test git.videolan.org instead of source.ffmpeg.org
 which will hopefully fix the issue. (Please don't suggest this solution to
 others if it works for you.)
 git.videolan.org fixes it.

 I'm no HTTPS specialist but my understanding is that the problem comes
 from the way you redirect from source.fmpeg.org to git.videolan.org.
 You already have a valid certificate for *.fmpeg.org, so this should only
 be a matter of configuration.

Ticket URL: <https://trac.ffmpeg.org/ticket/3905#comment:8>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list