openh264

ciscobinary.openh264.org using invalid certificate

Open ErikCumps opened this issue 1 year ago • 9 comments

The ciscobinary.openh264.org web server is using an invalid certificate. (see screenshot)

This causes the automatic download (or update) of the plugin to fail for Firefox.

As a workaround, a certificate exception can be added to firefox, but this may not always be possible.

image

ErikCumps avatar Apr 26 '24 13:04 ErikCumps

refer to #909

BenzhengZhang avatar Apr 29 '24 15:04 BenzhengZhang

I don't mind on which issue this gets fixed, as long as it gets fixed. :blush:

Browsers are more and more reluctant to connect with plain http sites (like it or not) and there is really, really no point at all in using a TLS certificate for a webserver that is not matching the identity of that server.

So please fix the invalid TLS certificate on https://ciscobinary.openh264.org/, so that web browsers can load that link without security warnings.

ErikCumps avatar Apr 29 '24 18:04 ErikCumps

Seeing as #909 is closed without fixing the certificate issue, I understand this issue will not get fixed there.

So please fix it here.

Browsers are more and more reluctant to connect with plain http sites (like it or not) and there is really, really no point at all in using a TLS certificate for a webserver that is not matching the identity of that server.

So please fix the invalid TLS certificate on https://ciscobinary.openh264.org/, so that web browsers can load that link without security warnings.

ErikCumps avatar May 17 '24 08:05 ErikCumps

Many firewalls have started to block HTTP URLs, so when the installer tries to download the binary using HTTP, the firewall blocks it, and it is a bad approach to ask users to disable the firewall for the installer. So you cannot even do fingerprint checking as you have suggested, since you cannot even download the file. Please fix the certificate issue. Thanks

bobj1212 avatar Jun 12 '24 01:06 bobj1212

Duplicate of https://github.com/cisco/openh264/issues/3662; solution is simple

  1. Generate a TLS certificate with Let's Encrypt for the correct hostname
  2. Upload to Akamai
  3. Add reminder to go to 1 before certificate expires

Cisco has chosen not to fix it but to close the issue instead.

nanonyme avatar Sep 06 '24 21:09 nanonyme

Indeed, this is one of many possible solutions.

To be frank, I fail to understand why this issue has not yet been fixed.

ErikCumps avatar Sep 08 '24 18:09 ErikCumps

> Indeed, this is one of many possible solutions.
>
> To be frank, I fail to understand why this issue has not yet been fixed.

There aren't that many possible solutions. As is obvious from the response, it comes from Akamai. The only workable solution with it is to externally create and then upload a certificate so Akamai can terminate TLS and CDN cache as normal.

nanonyme avatar Sep 08 '24 21:09 nanonyme
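
An added example, not part of the original thread or the openh264 project: a monitoring check for the two conditions discussed above, a certificate whose names do not cover the requested hostname and a certificate approaching expiry (the "reminder" step). The certificate dictionaries, the `cdn-provider.example` names, the dates and the function names are constructed for illustration; the dictionaries follow the shape returned by Python's `SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timezone

HOST = "ciscobinary.openh264.org"

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as '*.org'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert: dict, host: str, now: datetime, warn_days: int = 30) -> list:
    """Return a list of problems for a cert dict shaped like getpeercert()."""
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(s, host) for s in sans):
        problems.append(f"hostname mismatch: {host} not covered by {sans}")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        problems.append(f"expired {-days_left} days ago")
    elif days_left < warn_days:
        problems.append(f"renew now: {days_left} days left")
    return problems

# Constructed sample: a CDN's shared certificate served for a customer hostname.
CDN_SHARED = {
    "subjectAltName": (("DNS", "*.cdn-provider.example"),
                       ("DNS", "cdn-provider.example")),
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
# Constructed sample: a certificate for the right name that is close to expiry.
CORRECT_NAME = {
    "subjectAltName": (("DNS", HOST),),
    "notAfter": "Jun 20 12:00:00 2024 GMT",
}
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock

if __name__ == "__main__":
    for label, cert in (("cdn shared", CDN_SHARED), ("correct name", CORRECT_NAME)):
        print(label, "->", diagnose(cert, HOST, NOW) or "ok")
```

Against a live server, a context from `ssl.create_default_context()` performs the same name check during the handshake and raises `ssl.SSLCertVerificationError` on a mismatch, which is the failure a browser surfaces as a certificate warning.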