gstreamer: How to do streaming over TLS?

Question

In "gst-rtsp-server/examples/test-video.c", it seems one can set up TLS certificate and launch rtsp server. I wonder how it would work at the client side, including e.g. command line parameters and certificate authority, etc. Thank you for the tutorial.

Here is more information after some attempt, where the most important error I think is "Peer failed to perform TLS handshake".

server side

$ gst-rtsp-server/examples/test-video

client side

$ GST_DEBUG=3 gst-launch-1.0 rtspsrc location=rtsps://127.0.0.1:8554/test protocols=tls ! rtph264depay ! avdec_h264 ! xvimagesink
Setting pipeline to PAUSED ...
Pipeline is live and does not need PREROLL ...
Progress: (open) Opening Stream
Progress: (connect) Connecting to rtsps://127.0.0.1:8554/test
0:00:00.055578735 12767       0xa51230 ERROR                default gstrtspconnection.c:698:gst_rtsp_connection_connect: failed to connect: Peer failed to perform TLS handshake
0:00:00.055643339 12767       0xa51230 ERROR                rtspsrc gstrtspsrc.c:3677:gst_rtsp_conninfo_connect:<rtspsrc0> Could not connect to server. (Generic error)
0:00:00.055679389 12767       0xa51230 WARN                 rtspsrc gstrtspsrc.c:6148:gst_rtspsrc_retrieve_sdp:<rtspsrc0> error: Failed to connect. (Generic error)
0:00:00.055764506 12767       0xa51230 WARN                 rtspsrc gstrtspsrc.c:6227:gst_rtspsrc_open:<rtspsrc0> can't get sdp
0:00:00.055793412 12767       0xa51230 WARN                 rtspsrc gstrtspsrc.c:4525:gst_rtspsrc_loop:<rtspsrc0> we are not connected
ERROR: from element /GstPipeline:pipeline0/GstRTSPSrc:rtspsrc0: Could not open resource for reading and writing.
Additional debug info:
gstrtspsrc.c(6148): gst_rtspsrc_retrieve_sdp (): /GstPipeline:pipeline0/GstRTSPSrc:rtspsrc0:
Failed to connect. (Generic error)
ERROR: pipeline doesn't want to preroll.
Setting pipeline to PAUSED ...
Setting pipeline to READY ...
Setting pipeline to NULL ...
Freeing pipeline ...

I get a different error message: `ERROR default gstrtspconnection.c:877:gst_rtsp_connection_connect: failed to connect: Unacceptable TLS certificate` so that is already more sensible. — nh2, Mar 01 '15 at 19:37
Aha, I think I got it to work. I could circumvent the `Unacceptable TLS certificate` by passing `tls-validation-flags=generic-error` (ignores certificate errors). A real solution would probably to pass `tls-database` which is available in my gstreamer-1.4 but was not available in my gstreamer-1.2 (see `gst-inspect-1.0 rtspsrc` for these options). Of course I also had to pass `user-id=user user-pw=password` for the `test-video` example. And I had to remove `protocols=tls`, otherwise I would get `Could not connect to server, no protocols left`. — nh2, Mar 01 '15 at 21:26
That even works on Android: https://github.com/otonchev/rtspviewersf/issues/1 — nh2, Mar 03 '15 at 15:41
@nh2 I don't see the point of certs if tls-validation-flags=generic-error is used to circumvent it. I am now more concerned that anyone with a username and password but without certs can connect to the stream. Let me know if I am missing something? — enthusiasticgeek, Jul 30 '16 at 23:15
I found the trick to force cert checks and then only transmit video stream is to add `gst_rtsp_auth_set_tls_authentication_mode(auth, G_TLS_AUTHENTICATION_REQUIRED);` to test-video.c . see https://gstreamer.freedesktop.org/data/doc/gstreamer/1.5/gst-rtsp-server/html/GstRTSPAuth.html#gst-rtsp-auth-set-tls-authentication-mode — enthusiasticgeek, Jul 31 '16 at 02:33

gstreamer: How to do streaming over TLS?

0 Answers0