Hello Caspar,
I can load that file perfectly fine in Firefox, can you confirm that the
issue persists? I suspect they had issues and fixed their certificate.
If the issue persists, it can be that the GPodder App is missing a root CA
(AddTrust External TTP Network) and/or that your OS / device is missing
that root CA. Which device are you using?
The certificate for me shows up with the following information fyi:
notBefore=Dec 23 00:00:00 2019 GMT
notAfter=Dec 22 23:59:59 2021 GMT
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited,
CN = Sectigo RSA Domain Validation Secure Server CA
subject=CN = *.podigee.io
And the certificate chain is valid:
openssl s_client -connect fazeinspruch.podigee.io:443
CONNECTED(00000005)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited,
CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.podigee.io
verify return:1
---
Certificate chain
0 s:CN = *.podigee.io
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN
= Sectigo RSA Domain Validation Secure Server CA
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN
= Sectigo RSA Domain Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network,
CN = USERTrust RSA Certification Authority
2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network,
CN = USERTrust RSA Certification Authority
i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
AddTrust External CA Root
3 s:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
AddTrust External CA Root
i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
AddTrust External CA Root
Thomas
Le jeu. 5 mars 2020 à 17:47, Dawo, Caspar <C.Dawo@xxxxxx> a écrit :
Hi,
I've got the same problem. Even deleting "s" from "https:" does not help. I
get this error message:
Einige Podcasts konnten nicht zur Liste hinzugefügt werden:
http://fazeinspruch.podigee.io/feed/mp3: ;<urlopen error [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed
certificate
in certificate chain (_ssl.c:1056)>
I noticed that iTunes (which is not my favoured podcatcher) does download
episodes from these podcasts. Can gPodder be adjusted to this problem in
any way?
Viele Grüße
Caspar
*Von:* gpodder-bounce@xxxxxxxxxxxxx <gpodder-bounce@xxxxxxxxxxxxx> *Im
Auftrag von *thomas blanchard
*Gesendet:* Mittwoch, 18. Dezember 2019 12:50
*An:* gpodder@xxxxxxxxxxxxx
*Betreff:* [gpodder] Re: ignore invalid certificate
Hello,
So tempering with SSL/TLS is a terrible idea imo. The risk is not around
downloading a podcast one doesn't want. The risk is with downloading
compromised files from an unknown source that will affect the security of
your device and the people you know.
For past examples:
https://fortune.com/2015/10/01/stagefright-android-vulnerability-song/
If a website is not able to maintain a valid TLS certificate (it's fairly
easy and even free now with Let's Encrypt), they should offer a non-TLS
version. Try first by changing the URL to http://your-podcast.website/etc.
Then try reaching out to the website in question so that they can fix this
issue.
What could be possible however is to allow a podcast to downgrade to HTTP
if HTTPS doesn't work.
Thomas
Le mar. 17 déc. 2019 à 22:28, Fourhundred Thecat <400thecat@xxxxxx> a
écrit :
Hello,
when downloading podcasts over https or even subscribing to feed, when
the certificate is invalid gpodder fails with download error.
While it is good to know that certificate is invalid, I think there
should be an option to ignore invalid certificates.
Lets be realistic. What is gpodder protecting me from ?
A "man in the middle attack", where somebody tampers with my favorite
podcast and implants fake episode ?
Unlike web browser, gpodder is not used by people to manage e-banking,
or to file taxes.
Simply refusing to download from feed with invalid certificate is
overreaction, or perhaps even security theater.
I suggest, there should be a way to ignore invalid certificates.
In the meantime, If not, how can I circumvent it?
I am happy to change the python code, if necessary, if somebody can
point me to the right section.
thank you
Frankfurter Allgemeine Zeitung GmbH
Hellerhofstraße 2-4
60327 Frankfurt am Main
HRB 7344 . Amtsgericht Frankfurt am Main
Vorsitzender des Aufsichtsrats: Prof. Dr. Dr. Andreas Barner
Geschäftsführung: Thomas Lindner (Vorsitzender), Dr. Volker Breid
------------------------------
