#806930 pianobar needs update for new server SSL certificate

Package: pianobar
Source: pianobar
Description: console based player for Pandora radio
Submitter: Steve Langasek
Date: 2022-07-19 04:09:03 UTC
Severity: grave
#806930#5
Date: 2015-12-03 05:12:43 UTC
The SSL certificate for the Pandora server that pianobar talks to has been
rotated, the previous one having (presumably) expired.  The new certificate
has a start date of 30 Nov 2015.

SSL certificate details as shown by gnutls-cli:

$ gnutls-cli tuner.pandora.com -p 443
Processed 187 CA certificate(s).
Resolving 'tuner.pandora.com'...
Connecting to '208.85.40.35:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `C=US,ST=California,L=Oakland,O=Pandora Media\, Inc.,OU=operations,CN=tuner.pandora.com', issuer `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)10,CN=VeriSign Class 3 Secure Server CA - G3', RSA key 2048 bits, signed using RSA-SHA1, activated `2015-12-01 00:00:00 UTC', expires `2016-12-24 23:59:59 UTC', SHA-1 fingerprint `13cc51ac0c31cd96c55015c76914360f7ac41a00'
	Public Key ID:
		7dc38c5f8029887cd68cc803d106058ca889ee39
	Public key's random art:
		+--[ RSA 2048]----+
		|.o=*.            |
		|o .+oo =   o     |
		|o. .* = + o .    |
		|+    +   o + .   |
		|.       S o = .  |
		| .         o o   |
		|. .         .    |
		| E               |
		|  .              |
		+-----------------+

- Certificate[1] info:
 - subject `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)10,CN=VeriSign Class 3 Secure Server CA - G3', issuer `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-02-08 00:00:00 UTC', expires `2020-02-07 23:59:59 UTC', SHA-1 fingerprint `5deb8f339e264c19f6686f5f8f32b54a4c46b476'
- Certificate[2] info:
 - subject `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5', issuer `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-11-08 00:00:00 UTC', expires `2021-11-07 23:59:59 UTC', SHA-1 fingerprint `32f30882622b87cf8856c63db873df0853b4dd27'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(RSA)-(AES-256-GCM)
- Session ID:
- 32:58:B0:65:4D:20:24:22:42:53:83:52:ED:88:94:DB:7C:FB:7F:25:1C:F1:27:7E:66:57:0A:0E:D9:ED:B8:A8
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

Firefox reports the same SHA1 fingerprint, and likewise successfully
negotiates an SSL connection to this server with no security warnings.

Updating ~/.config/pianobar/config to list this fingerprint is sufficient to
work around the problem:

  tls_fingerprint = 13cc51ac0c31cd96c55015c76914360f7ac41a00
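
The pin check behind this report, as an added example (not part of the original report and not pianobar's own code): it compares the tls_fingerprint value in a config against the SHA-1 of a certificate's DER bytes and shows the mismatch a rotation produces. The function names are hypothetical, the `key = value` / `#` comment parsing with last-value-wins is an assumption about the config format, and the certificate bytes are constructed stand-ins rather than real X.509 data.

```python
import hashlib
import re
import ssl


def cert_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha1(der).hexdigest()


def pinned_fingerprint(config_text: str):
    """Return the tls_fingerprint value from config text, or None if unset."""
    pin = None
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (assumed syntax)
        key, sep, value = line.partition("=")
        if sep and key.strip() == "tls_fingerprint":
            # Accept "13:CC:..." and "13cc..." spellings; keep hex digits only.
            pin = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return pin


def check_pin(config_text: str, der: bytes) -> str:
    """Classify the pin state: no-pin, malformed-pin, match or mismatch."""
    pin = pinned_fingerprint(config_text)
    if pin is None:
        return "no-pin"
    if len(pin) != 40:  # SHA-1 is 20 bytes, 40 hex digits
        return "malformed-pin"
    return "match" if pin == cert_fingerprint(der) else "mismatch"


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate (needs network; unused in the demo)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# Constructed stand-ins for the certificate before and after rotation.
OLD_DER = b"constructed-certificate-before-rotation"
NEW_DER = b"constructed-certificate-after-rotation"
STALE_CONFIG = ("# constructed sample config\n"
                "tls_fingerprint = %s\n" % cert_fingerprint(OLD_DER))

if __name__ == "__main__":
    print(check_pin(STALE_CONFIG, OLD_DER))  # pin still valid
    print(check_pin(STALE_CONFIG, NEW_DER))  # pin stale after rotation
```

fetch_leaf_der does no chain validation, so a fingerprint obtained that way should be cross-checked against an independently validated connection before it is written to the config, as the report does with gnutls-cli and Firefox.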