---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrtc+unsubscribe@googlegroups.com.
In any case, I will try it and confirm :)
Assuming it won't work, would you be happy to accept my patch adding LetsEncrypt's root CAs?
Google maintains a sample PEM file at (https://pki.goog/roots.pem) which is periodically updated to include the Google Trust Services owned and operated roots as well as other roots that may be necessary now, or in the future to communicate with and use Google Products and Services.
What are the recommended minimum requirements for a Transport Layer Security (TLS) client to communicate with Google?
Thanks for testing so thoroughly!

This seems to be confirming that the issue is that Google isn't including the DST root in its list of trust certificates - not something we can solve inside the WebRTC project.

You should have the same issue when connecting to the server from Chrome. (Do you?)

The official announcement of the roots.pem file seems to be this 2017 blog: https://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html

I haven't yet found the policy statement on what certificates are included in this file.
If this can be solved by switching which source of truth we're using for root CAs (and that passes security review), that would be great (and could be solved within the WebRTC project).

If we need to have pki.goog/roots.pem modified, that's another team that needs convincing.
Andrea,

we got advice from the Chrome security folks: They recommend *strongly* that applications do *not* embed compiled-in certificate lists, the way ssl_roots.h seems to encourage.

Instead, the applications need to have their own policy for who they trust, and how they update the list.

So the question then becomes: Who is in a position to make this call for Android Jitsi Meet and Android Riot IM?

I think we should try to support people who have made a decision on this - and we should warn people that the list inside webrtc is a sample list, not one they should trust blindly.

How should we do this?
Harald
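As an added illustration, not code from this thread or from the WebRTC project: the Go check below builds a constructed certificate chain and verifies it against a PEM bundle the way an application with an embedded root list would. All certificate names are constructed; the bundle first lacks the issuing root (the situation described above) and then has it appended, and that alone decides whether the same chain is trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// makeCert issues a constructed cert for subj signed by parent (self-signed when nil); errors ignored, test material only.
func makeCert(subj string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subj},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainTrusted reports whether leaf chains via intermediate to a root in the PEM bundle (an embedded list such as roots.pem); a nil Roots pool would make Go fall back to the OS trust store instead.
func ChainTrusted(bundlePEM []byte, leaf, intermediate *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundlePEM)
	inter := x509.NewCertPool()
	inter.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}

// Demo verifies one full chain against a bundle lacking its root, then against the same bundle with the root appended.
func Demo() (withoutRoot, withRoot bool) {
	root, rootKey := makeCert("Constructed Root CA", true, nil, nil)
	other, _ := makeCert("Unrelated Root CA", true, nil, nil)
	inter, interKey := makeCert("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := makeCert("turn.example.test", false, inter, interKey)
	embedded := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: other.Raw})
	rootPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
	return ChainTrusted(embedded, leaf, inter), ChainTrusted(append(embedded, rootPEM...), leaf, inter)
}
```

Sending the full chain (leaf plus intermediate) does not help when the root itself is absent from the bundle; only the bundle, or a switch to the OS store, changes the result.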
This is a problem with LetsEncrypt's root CA not being part of the trust store used by webrtc clients such as Android's Jitsi app and Android's official Matrix client, which both use WebRTC's default hardcoded list of root CAs (and that does not include LetsEncrypt's root CA).
Thanks for joining the discussion, unfortunately we are already using the fullchain.
Hi there, any update? :) I'm happy to help to push this forward
My current plan is to borrow the chromium code for using the OS trust store instead of relying on the built-in roots, at least for Android and iOS. Additionally we might add an API that would let an application inject their own list of roots.

This isn't my top priority at the moment, so if you want to help, here's a bug we can coordinate on: https://bugs.chromium.org/p/webrtc/issues/detail?id=11710
On Mon, Jun 22, 2020 at 1:41 AM Andrea Bernabei <and.b...@gmail.com> wrote:
Hi there, any update? :) I'm happy to help to push this forward