author | Nirbheek Chauhan <nirbheek@centricular.com> | 2022-05-25 18:40:30 +0530 |
---|---|---|
committer | GStreamer Marge Bot <gitlab-merge-bot@gstreamer-foundation.org> | 2022-07-30 11:27:12 +0000 |
commit | 5da9f6231337b75da34baac8c70f2c511958c2b8 (patch) | |
tree | fa85f0836aa7262ba457fd732580be89cffaddfc /subprojects/gst-rtsp-server | |
parent | 11ecda9d73c5cd80f0b1ae3dd8a276af2c6e8dc1 (diff) | |
rtsp+rtmp: Forward warning added to tls-validation-flags to our users

With the 2.72 release, glib-networking developers have decided that
TLS certificate validation cannot be implemented correctly by them, so
they've deprecated it.

In a nutshell: a cert can have several validation errors, but there
are no guarantees that the TLS backend will return all those errors,
and things are made even more complicated by the fact that the list of
errors might refer to certs that are added for backwards-compat and
won't actually be used by the TLS library.

Our best option is to ignore the deprecation and pass the warning onto
users so they can make an appropriate security decision regarding
this.

We can't deprecate the tls-validation-flags property because it is
very useful when connecting to RTSP cameras that will never get
updates to fix certificate errors.

Relevant upstream merge requests / issues:
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2214
https://gitlab.gnome.org/GNOME/glib-networking/-/issues/179
https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/193

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2494>
Diffstat (limited to 'subprojects/gst-rtsp-server')
-rw-r--r-- | subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c b/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c index bb3953c5ed..0c24542d04 100644 --- a/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c +++ b/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c @@ -666,6 +666,16 @@ gst_rtsp_client_sink_class_init (GstRTSPClientSinkClass * klass) * TLS certificate validation flags used to validate server * certificate. * + * GLib guarantees that if certificate verification fails, at least one + * error will be set, but it does not guarantee that all possible errors + * will be set. Accordingly, you may not safely decide to ignore any + * particular type of error. + * + * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if + * you want to allow expired certificates, because this could potentially be + * the only error flag set even if other problems exist with the + * certificate. + * */ g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS, g_param_spec_flags ("tls-validation-flags", "TLS validation flags", |
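Review bot: The paragraphs added to the tls-validation-flags doc comment say that masking a single flag such as %G_TLS_CERTIFICATE_EXPIRED is incorrect, but they never say what a user of the property should do instead, so the property ends up documented as both available and unsafe with no guidance between the two. The commit message explains that the property is kept for RTSP cameras that will never get certificate fixes; I'd carry that into the comment with one sentence stating the consequence plainly: clearing any flag must be treated as accepting a certificate that may have other, unreported problems, so it is only appropriate for endpoints the user already trusts by other means. It would also help to note in the comment that this caveat follows the deprecation that came with the 2.72 release mentioned in the commit message, so readers of the generated docs can find the upstream rationale without digging through the history.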