cisco / openh264

Open Source H.264 Codec
BSD 2-Clause "Simplified" License

ciscobinary.openh264.org using invalid certificate #3748

Open ErikCumps opened 5 months ago

ErikCumps commented 5 months ago

The ciscobinary.openh264.org web server is using an invalid certificate. (see screenshot)

This causes the automatic download (or update) of the plugin to fail for Firefox.

As a workaround, a certificate exception can be added to Firefox, but this may not always be possible.


BenzhengZhang commented 5 months ago

refer to #909

ErikCumps commented 5 months ago

I don't mind on which issue this gets fixed, as long as it gets fixed. :blush:

Browsers are more and more reluctant to connect with plain http sites (like it or not) and there is really, really no point at all in using a TLS certificate for a webserver that is not matching the identity of that server.

So please fix the invalid TLS certificate on https://ciscobinary.openh264.org/, so that web browsers can load that link without security warnings.

ErikCumps commented 4 months ago

Seeing as #909 is closed without fixing the certificate issue, I understand this issue will not get fixed there.

So please fix it here.

Browsers are more and more reluctant to connect with plain http sites (like it or not) and there is really, really no point at all in using a TLS certificate for a webserver that is not matching the identity of that server.

So please fix the invalid TLS certificate on https://ciscobinary.openh264.org/, so that web browsers can load that link without security warnings.

bobj1212 commented 3 months ago

Many firewalls started to block HTTP URLs, so when the installer tries to download the binary using HTTP, the firewall blocks it, and it is a bad approach to ask users to disable the firewall for the installer. So you cannot even do fingerprint checking as you have suggested, since you cannot even download the file. Please fix the certificate issue. Thanks.

nanonyme commented 4 weeks ago

Duplicate of https://github.com/cisco/openh264/issues/3662; the solution is simple:

  1. Generate a TLS certificate with Let's Encrypt for the correct hostname
  2. Upload to Akamai
  3. Add a reminder to go to 1 before the certificate expires

Cisco has chosen not to fix it but to close the issue instead.

ErikCumps commented 3 weeks ago

Indeed, this is one of many possible solutions.

To be frank, I fail to understand why this issue has not yet been fixed.

nanonyme commented 3 weeks ago

> Indeed, this is one of many possible solutions.
>
> To be frank, I fail to understand why this issue has not yet been fixed.

There aren't that many possible solutions. As is obvious from the response, it comes from Akamai. The only workable solution with it is to externally create and then upload a certificate so Akamai can terminate TLS and CDN cache as normal.
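The hostname check that produces the browser warning discussed in this thread, as an added example that is not part of any comment or of the openh264 project. It follows the RFC 6125 matching rules for dNSName entries; the SAN lists are constructed for illustration and are not taken from the actual certificate, and `cdn-provider.example` is a placeholder name.

```python
"""Hostname verification as a TLS client applies it to a server certificate."""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against the hostname the client asked for."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never several
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False  # refuse overly broad patterns such as "*.org"
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False  # partial or non-leftmost wildcards are rejected
    return p_labels == h_labels


def check_certificate(hostname: str, san_dns_names: list[str]) -> tuple[bool, str]:
    """Return (ok, reason) for a certificate carrying the given SAN entries."""
    for name in san_dns_names:
        if dns_name_matches(name, hostname):
            return True, f"{hostname} matched SAN entry {name}"
    listed = ", ".join(san_dns_names) or "(none)"
    return False, f"{hostname} is not covered by SAN entries: {listed}"


HOST = "ciscobinary.openh264.org"

# Constructed SAN lists (assumptions, not read from any real certificate).
CDN_DEFAULT_CERT = ["*.cdn-provider.example", "cdn-provider.example"]
HOST_CERT = ["ciscobinary.openh264.org"]
WILDCARD_CERT = ["*.openh264.org"]

if __name__ == "__main__":
    for label, sans in [
        ("CDN default certificate", CDN_DEFAULT_CERT),
        ("certificate issued for the hostname", HOST_CERT),
        ("wildcard certificate for the parent domain", WILDCARD_CERT),
    ]:
        ok, reason = check_certificate(HOST, sans)
        print(f"{label}: {'OK' if ok else 'MISMATCH'} - {reason}")
```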