I haven't been able to find an example with GTlsInteraction*
accept-certificate.

Some ideas bouncing here
http://gstreamer-devel.966125.n4.nabble.com/gst-rtsp-server-test-video-error-quot-Unacceptable-TLS-certificate-quot-td4678359.html

It's a shame that no examples have been listed to clearly explain how to use this. For example, how can I obtain GTlsConnection from GstElement of current TLS session and use it to handle and verify certificates from the server side or client side?

Any ideas with example code?

--
Sent from: http://gstreamer-devel.966125.n4.nabble.com/
_______________________________________________
gstreamer-devel mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/gstreamer-devel

> Some ideas bouncing here
> http://gstreamer-devel.966125.n4.nabble.com/gst-rtsp-server-test-video-error-quot-Unacceptable-TLS-certificate-quot-td4678359.html
>

This is what I use in my project.
https://github.com/mndar/tlsinteraction
Right now it contains only the object source code. I'll upload an example some time in the next few days.

Regards
Mandar Joshi

@Mandar Joshi
Is this code supposed to be compiled using gstreamer custom plugin Makefile? I usually compile code using this

g++ -g $file.c -o $file `pkg-config gstreamer-1.0 gstreamer-rtsp-1.0 gstreamer-rtsp-server-1.0 --libs --cflags`

I know you mentioned that you will upload code to call this object but I am not even able to envision how to use this code. Will this be a separate plugin called 'surveillance-tls-interaction' in gstreamer pipeline or will this be called in the client code given in
http://gstreamer-devel.966125.n4.nabble.com/Need-help-on-RTSP-server-and-TLS-including-verify-peer-ca-cert-and-cert-key-td4678923.html?

> I usually compile code using this
>
> g++ -g $file.c -o $file `pkg-config gstreamer-1.0 gstreamer-rtsp-1.0
> gstreamer-rtsp-server-1.0 --libs --cflags`
>

Your compile command is fine.
You have to use SurveillanceTlsInteraction like you would use any other GObject.
An excerpt from my code:
------------------------------------------------------------------------
#include "surveillance-tls-interaction.h"
...
...
//Create GStreamer elements
//Prepare two GTlsCertificates using one of the functions mentioned here
//https://developer.gnome.org/gio/stable/GTlsCertificate.html.
//sca->tls_cert is your TLS certificate which the server will validate and
//sca->ca_tls_cert is the certificate you use to validate the server's certificate
SurveillanceTlsInteraction *interaction = surveillance_tls_interaction_new (sca->tls_cert, sca->ca_tls_cert);
g_object_set (rtspclientsink, "tls-interaction", interaction, NULL);
------------------------------------------------------------------------

Regards
Mandar Joshi

@Mandar Joshi
I get errors. I copied both files to /home/enthusiasticgeek/gstreamer folder

g++ -g rtsp_client.c surveillance-tls-interaction.c -o rtsp_client -I/home/enthusiasticgeek/gstreamer `pkg-config gstreamer-controller-1.0 gstreamer-plugins-base-1.0 gstreamer-base-1.0 gstreamer-1.0 gstreamer-rtsp-1.0 gstreamer-rtsp-server-1.0 --libs --cflags`

surveillance-tls-interaction.c:38:87: error: expected ‘,’ or ‘...’ before ‘class’
 static void surveillance_tls_interaction_class_init (SurveillanceTlsInteractionClass *class)
 ^
In file included from /usr/include/glib-2.0/gobject/gobject.h:24:0,
                 from /usr/include/glib-2.0/gobject/gbinding.h:29,
                 from /usr/include/glib-2.0/glib-object.h:23,
                 from surveillance-tls-interaction.h:4,
                 from surveillance-tls-interaction.c:1:
surveillance-tls-interaction.c: In function ‘void surveillance_tls_interaction_class_init(SurveillanceTlsInteractionClass*)’:
surveillance-tls-interaction.c:40:65: error: expected primary-expression before ‘class’
 GTlsInteractionClass *object_class = G_TLS_INTERACTION_CLASS (class);
 ^
/usr/include/glib-2.0/gobject/gtype.h:2209:51: note: in definition of macro ‘_G_TYPE_CCC’
 ((ct*) g_type_check_class_cast ((GTypeClass*) cp, gt))
 ^
/usr/include/glib-2.0/gio/gtlsinteraction.h:34:41: note: in expansion of macro ‘G_TYPE_CHECK_CLASS_CAST’
 #define G_TLS_INTERACTION_CLASS(k) (G_TYPE_CHECK_CLASS_CAST((k), G_TYPE_TLS_INTERACTION, GTlsInteractionClass))
 ^
surveillance-tls-interaction.c:40:40: note: in expansion of macro ‘G_TLS_INTERACTION_CLASS’
 GTlsInteractionClass *object_class = G_TLS_INTERACTION_CLASS (class);
 ^
surveillance-tls-interaction.c:40:65: error: expected ‘)’ before ‘class’
 GTlsInteractionClass *object_class = G_TLS_INTERACTION_CLASS (class);
 ^
/usr/include/glib-2.0/gobject/gtype.h:2209:51: note: in definition of macro ‘_G_TYPE_CCC’
 ((ct*) g_type_check_class_cast ((GTypeClass*) cp, gt))
 ^
/usr/include/glib-2.0/gio/gtlsinteraction.h:34:41: note: in expansion of macro ‘G_TYPE_CHECK_CLASS_CAST’
 #define G_TLS_INTERACTION_CLASS(k) (G_TYPE_CHECK_CLASS_CAST((k), G_TYPE_TLS_INTERACTION, GTlsInteractionClass))
 ^
surveillance-tls-interaction.c:40:40: note: in expansion of macro ‘G_TLS_INTERACTION_CLASS’
 GTlsInteractionClass *object_class = G_TLS_INTERACTION_CLASS (class);
 ^
surveillance-tls-interaction.c:40:71: error: expected ‘)’ before ‘;’ token
 GTlsInteractionClass *object_class = G_TLS_INTERACTION_CLASS (class);
 ^
surveillance-tls-interaction.c:40:71: error: expected ‘)’ before ‘;’ token
surveillance-tls-interaction.c:40:71: error: expected ‘)’ before ‘;’ token
surveillance-tls-interaction.c:40:71: error: expected ‘)’ before ‘;’ token
surveillance-tls-interaction.c: In function ‘SurveillanceTlsInteraction* surveillance_tls_interaction_new(GTlsCertificate*, GTlsCertificate*)’:
surveillance-tls-interaction.c:45:58: error: invalid conversion from ‘gpointer {aka void*}’ to ‘SurveillanceTlsInteraction* {aka _SurveillanceTlsInteraction*}’ [-fpermissive]
 SurveillanceTlsInteraction *interaction = g_object_new (SURVEILLANCE_TLS_INTERACTION, NULL);
 ^
Makefile:2: recipe for target 'all' failed
make: *** [all] Error 1

> I get errors. I copied both files to /home/enthusiasticgeek/gstreamer folder
>
> *g++ -g rtsp_client.c surveillance-tls-interaction.c -o rtsp_client
> -I/home/enthusiasticgeek/gstreamer `pkg-config gstreamer-controller-1.0
> gstreamer-plugins-base-1.0 gstreamer-base-1.0 gstreamer-1.0
> gstreamer-rtsp-1.0 gstreamer-rtsp-server-1.0 --libs --cflags`*

Compile using gcc instead of g++

Regards
Mandar Joshi

Thanks @Mandar Joshi.
Yes that compiled. I got verification return value as 0 in tls_accept_certificate function. But still couldn't get it to work and see the video.

//=========================================
Do you also set the following on client side?

//validate all
g_object_set (G_OBJECT (source), "tls-validation-flags", G_TLS_CERTIFICATE_VALIDATE_ALL, NULL);

//not sure if tls-database is required to be set if ca_cert is already specified.
//not sure if cacert and database will be different or the same.
GTlsDatabase* database = g_tls_file_database_new ("/home/enthusiasticgeek/gstreamer/cert/toyCA.pem", &error);
ca_cert = g_tls_certificate_new_from_file("/home/enthusiasticgeek/gstreamer/cert/toyCA.pem",&error);
g_object_set (G_OBJECT (source), "tls-database", database, NULL);

//=========================================
Do you also set the following on server side?

//not sure if tls-database is required to be set if ca_cert is already specified.
//not sure if cacert and database will be different or the same.
GTlsDatabase* database = g_tls_file_database_new ("/home/enthusiasticgeek/gstreamer/cert/toyCA.pem", &error);
gst_rtsp_auth_set_tls_database (auth, database);
ca_cert = g_tls_certificate_new_from_file("/home/enthusiasticgeek/gstreamer/cert/toyCA.pem",&error);

//Is this required for strict check?
gst_rtsp_auth_set_tls_authentication_mode(auth, G_TLS_AUTHENTICATION_REQUIRED);
//=========================================

> I got verification return value as 0 in tls_accept_certificate function. But
> still couldn't get it to work and see the video.

Are you returning TRUE in the accept_certificate callback in surveillance-tls-interaction.c ?

> *Do you also set the following on client side?*
>
> //validate all
> *g_object_set (G_OBJECT (source), "tls-validation-flags",
> G_TLS_CERTIFICATE_VALIDATE_ALL, NULL);*
>

I am not setting "tls-validation-flags". This could be the reason you are not getting video.

> //not sure if tls-database is required to be set if ca_cert is already
> specified.
> //not sure if cacert and database will be different or the same.

I had to use tls-database with souphttpsrc. Didn't need it with rtspsrc and rtspclientsink.
I had to set ssl-strict to FALSE with souphttpsrc due to the nature of the certificates I am using.

> *Do you also set the following on server side?*
>
> * GTlsDatabase* database = g_tls_file_database_new
> ("/home/enthusiasticgeek/gstreamer/cert/toyCA.pem", &error);*
> * gst_rtsp_auth_set_tls_database (auth, database);*
> *ca_cert =
> g_tls_certificate_new_from_file("/home/enthusiasticgeek/gstreamer/cert/toyCA.pem",&error);*

I am not doing this on gst-rtsp-server

> //Is this required for strict check?
> *gst_rtsp_auth_set_tls_authentication_mode(auth,
> G_TLS_AUTHENTICATION_REQUIRED); *
>

This is required only if you want the client to send a certificate while establishing the TLS connection.

Regards
Mandar Joshi

@Mandar Joshi I did all those things I have no idea why it is not working
Here is the full source

*rtsp_client.c*

//First run
// ./rtsp_server
//Second run
//./rtsp_client rtsps://127.0.0.1:8554/test

//Display RTSP streaming of video
//(c) 2011 virgo
// This code is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

#include <string.h>
#include <math.h>
#include <gst/gst.h>
#include <glib.h>
#include <gio/gio.h>
#include "surveillance-tls-interaction.h"

static gboolean bus_call (GstBus *bus,GstMessage *msg, gpointer data){
  GMainLoop *loop = (GMainLoop *) data;

  switch (GST_MESSAGE_TYPE (msg)) {

  case GST_MESSAGE_EOS:
    g_print ("Stream Ends\n");
    g_main_loop_quit (loop);
    break;

  case GST_MESSAGE_ERROR: {
    gchar *debug;
    GError *error;

    gst_message_parse_error (msg, &error, &debug);
    g_free (debug);

    g_printerr ("Error: %s\n", error->message);
    g_error_free (error);

    g_main_loop_quit (loop);
    break;
  }
  default:
    break;
  }

  return TRUE;
}

static void on_pad_added (GstElement *element, GstPad *pad, gpointer data){

  GstPad *sinkpad;
  GstElement *decoder = (GstElement *) data;

  /* We can now link this pad with the rtsp-decoder sink pad */
  g_print ("Dynamic pad created, linking source/demuxer\n");

  sinkpad = gst_element_get_static_pad (decoder, "sink");

  gst_pad_link (pad, sinkpad);

  gst_object_unref (sinkpad);
}

int main (int argc, char *argv[])
{
  GMainLoop *loop;
  GstBus *bus;
  GstElement *source;
  GstElement *decoder;
  GstElement *sink;
  GstElement *pipeline;
  GstElement *demux;
  GstElement *parse;
  GstElement *videoconvert;
  GTlsConnection *conn;

  /* Initializing GStreamer */
  gst_init (&argc, &argv);
  loop = g_main_loop_new (NULL, FALSE);

  //gst-launch-0.10 rtspsrc location=rtsp://<ip> ! decodebin ! ffmpegvideoconvert ! autovideosink
  //gst-launch -v rtspsrc location="rtsp://<ip> ! rtpmp4vdepay ! mpeg4videoparse ! ffdec_mpeg4 ! ffmpegvideoconvert! autovideosink
  //gst-launch -v rtspsrc location="rtsp://<ip> ! rtpmp4vdepay ! ffdec_mpeg4 ! ffmpegvideoconvert! autovideosink

  /* Create Pipe's Elements */
  pipeline = gst_pipeline_new ("video player");
  g_assert (pipeline);
  source = gst_element_factory_make ("rtspsrc", "Source");
  g_assert (source);
  demux = gst_element_factory_make ("rtph264depay", "Depay");
  g_assert (demux);
  parse = gst_element_factory_make ("h264parse", "Parse");
  g_assert (parse);
  decoder = gst_element_factory_make ("avdec_h264", "Decoder");
  g_assert (decoder);
  videoconvert = gst_element_factory_make ("videoconvert", "VideoConvert");
  g_assert(videoconvert);
  sink = gst_element_factory_make ("autovideosink", "Output");
  g_assert (sink);

  /*Make sure: Every elements was created ok*/
  if (!pipeline || !source || !demux || !parse || !decoder || !videoconvert || !sink) {
    g_printerr ("One of the elements wasn't create... Exiting\n");
    return -1;
  }

  g_print(" \nPipeline is Part(A) ->(dynamic/runtime link) Part(B)[ Part(B-1) -> Part(B-2) -> Part(B-3) ]\n\n");
  g_print(" [source](dynamic)->(dynamic)[demux]->[parse]->[decoder]->[videoconvert]->[videosink] \n\n");

  /* Set video Source */
  g_object_set (G_OBJECT (source), "location", argv[1], NULL);
  //g_object_set (G_OBJECT (source), "do-rtcp", TRUE, NULL);
  //g_object_set (G_OBJECT (source), "latency", 0, NULL);
  g_object_set (G_OBJECT (source), "user-id", "user", NULL);
  g_object_set (G_OBJECT (source), "user-pw", "password", NULL);

  /*
  typedef enum {
    G_TLS_CERTIFICATE_UNKNOWN_CA    = (1 << 0),
    G_TLS_CERTIFICATE_BAD_IDENTITY  = (1 << 1),
    G_TLS_CERTIFICATE_NOT_ACTIVATED = (1 << 2),
    G_TLS_CERTIFICATE_EXPIRED       = (1 << 3),
    G_TLS_CERTIFICATE_REVOKED       = (1 << 4),
    G_TLS_CERTIFICATE_INSECURE      = (1 << 5),
    G_TLS_CERTIFICATE_GENERIC_ERROR = (1 << 6),

    G_TLS_CERTIFICATE_VALIDATE_ALL  = 0x007f
  } GTlsCertificateFlags;

  G_TLS_CERTIFICATE_UNKNOWN_CA
    The signing certificate authority is not known.
  G_TLS_CERTIFICATE_BAD_IDENTITY
    The certificate does not match the expected identity of the site that it was retrieved from.
  G_TLS_CERTIFICATE_NOT_ACTIVATED
    The certificate's activation time is still in the future
  G_TLS_CERTIFICATE_EXPIRED
    The certificate has expired
  G_TLS_CERTIFICATE_REVOKED
    The certificate has been revoked according to the GTlsConnection's certificate revocation list.
  G_TLS_CERTIFICATE_INSECURE
    The certificate's algorithm is considered insecure.
  G_TLS_CERTIFICATE_GENERIC_ERROR
    Some other error occurred validating the certificate
  G_TLS_CERTIFICATE_VALIDATE_ALL
    the combination of all of the above flags
  */

  //g_object_set (G_OBJECT (source), "protocols" ,0x00000020, NULL);

  // generic error
  //g_object_set (G_OBJECT (source), "tls-validation-flags", G_TLS_CERTIFICATE_GENERIC_ERROR, NULL);
  //validate all
  //g_object_set (G_OBJECT (source), "tls-validation-flags", G_TLS_CERTIFICATE_VALIDATE_ALL, NULL);
  //insecure
  //g_object_set (G_OBJECT (source), "tls-validation-flags", G_TLS_CERTIFICATE_INSECURE, NULL);

  GTlsCertificate *cert;
  GError *error=NULL;
  cert = g_tls_certificate_new_from_files("/home/virgo/gstreamer/cert/toyIntermediate.pem","/home/virgo/gstreamer/cert/toyDecryptedIntermediate.key",&error);
  //cert = g_tls_certificate_new_from_files("/home/virgo/gstreamer/cert/toyCA.pem","/home/virgo/gstreamer/cert/toyCA.key",&error);
  if (cert == NULL) {
    g_printerr ("failed to parse PEM: %s\n", error->message);
    return -1;
  }
  //GTlsDatabase* database = g_tls_file_database_new ("/home/virgo/gstreamer/cert/toyCA.pem", &error);

  GTlsCertificate *ca_cert;
  ca_cert = g_tls_certificate_new_from_file("/home/virgo/gstreamer/cert/toyCA.pem",&error);
  if (ca_cert == NULL) {
    g_printerr ("failed to parse CA PEM: %s\n", error->message);
    return -1;
  }

  //g_object_set (G_OBJECT (source), "tls-database", database, NULL);
  SurveillanceTlsInteraction *interaction = surveillance_tls_interaction_new (cert, ca_cert);
  g_object_set (G_OBJECT (source), "tls-interaction", interaction, NULL);

  /* Putting a Message handler */
  bus = gst_pipeline_get_bus (GST_PIPELINE (pipeline));
  gst_bus_add_watch (bus, bus_call, loop);
  gst_object_unref (bus);

  /* Add Elements to the Bin */
  gst_bin_add_many (GST_BIN (pipeline), source, demux, parse, decoder, videoconvert, sink, NULL);

  /* Link confirmation */
  if (!gst_element_link_many (demux, parse, decoder, videoconvert, sink, NULL)){
    g_warning ("Linking part (B) Fail...");
  }

  g_print("\nNote that the source will be linked to the demuxer(depayload) dynamically.\n"
      "The reason is that rtspsrc may contain various elements (for example\n"
      "audio and video). The source pad(s) will be created at run time,\n"
      "by the rtspsrc when it detects the amount and nature of elements.\n"
      "Therefore we connect a callback function which will be executed\n"
      "when the \"pad-added\" is emitted.\n");

  /* Dynamic Pad Creation */
  if(! g_signal_connect (source, "pad-added", G_CALLBACK (on_pad_added),demux))
  {
    g_warning ("Linking part (A) with part (B) Fail...");
  }

  /* Run the pipeline */
  g_print ("Playing: %s\n", argv[1]);
  gst_element_set_state (pipeline, GST_STATE_PLAYING);
  g_main_loop_run (loop);

  /* Ending Playback */
  g_print ("End of the Streaming... ending the playback\n");
  gst_element_set_state (pipeline, GST_STATE_NULL);

  /* Eliminating Pipeline */
  g_print ("Eliminating Pipeline\n");
  gst_object_unref (GST_OBJECT (pipeline));

  return 0;
}

*rtsp_server.c*

#include <gst/gst.h>
#include <gst/rtsp-server/rtsp-server.h>
#include <gio/gio.h>

/* define this if you want the resource to only be available when using
 * user/password as the password */
#undef WITH_AUTH
#define WITH_AUTH 1

/* define this if you want the server to use TLS (it will also need WITH_AUTH
 * to be defined) */
#undef WITH_TLS
#define WITH_TLS 1

/* this timeout is periodically run to clean up the expired sessions from the
 * pool. This needs to be run explicitly currently but might be done
 * automatically as part of the mainloop. */
static gboolean
timeout (GstRTSPServer * server)
{
  GstRTSPSessionPool *pool;

  pool = gst_rtsp_server_get_session_pool (server);
  gst_rtsp_session_pool_cleanup (pool);
  g_object_unref (pool);

  return TRUE;
}

int
main (int argc, char *argv[])
{
  GMainLoop *loop;
  GstRTSPServer *server;
  GstRTSPMountPoints *mounts;
  GstRTSPMediaFactory *factory;
#ifdef WITH_AUTH
  GstRTSPAuth *auth;
  GstRTSPToken *token;
  gchar *basic;
  GstRTSPPermissions *permissions;
#endif
#ifdef WITH_TLS
  GTlsCertificate *cert;
  GTlsCertificate *ca_cert;
  GError *error = NULL;
#endif

  gst_init (&argc, &argv);

  loop = g_main_loop_new (NULL, FALSE);

  /* create a server instance */
  server = gst_rtsp_server_new ();

#ifdef WITH_AUTH
  /* make a new authentication manager. it can be added to control access to all
   * the factories on the server or on individual factories. */
  auth = gst_rtsp_auth_new ();
#ifdef WITH_TLS
  g_print("Here in TLS portion\n");
  cert = g_tls_certificate_new_from_files("/home/virgo/gstreamer/cert/toyIntermediate.pem","/home/virgo/gstreamer/cert/toyDecryptedIntermediate.key",&error);
  //cert = g_tls_certificate_new_from_files("/home/virgo/gstreamer/cert/toyCA.pem","/home/virgo/gstreamer/cert/toyCA.key",&error);
  if (cert == NULL) {
    g_printerr ("failed to parse PEM: %s\n", error->message);
    return -1;
  }
  //GTlsDatabase* database = g_tls_file_database_new ("/home/virgo/gstreamer/cert/toyCA.pem", &error);
  //gst_rtsp_auth_set_tls_database (auth, database);

  //ca_cert = g_tls_certificate_new_from_file("/home/virgo/gstreamer/cert/toyCA.pem",&error);
  //if (ca_cert == NULL) {
  //  g_printerr ("failed to parse CA PEM: %s\n", error->message);
  //  return -1;
  //}
  //gst_rtsp_auth_set_tls_authentication_mode(auth, G_TLS_AUTHENTICATION_REQUIRED);
  //gst_rtsp_auth_set_tls_authentication_mode(auth, G_TLS_AUTHENTICATION_REQUESTED);
  //GTlsCertificateFlags verification = g_tls_certificate_verify(cert, NULL, ca_cert);
  //g_print("verification code = %d\n", verification);
  gst_rtsp_auth_set_tls_certificate (auth, cert);
  g_object_unref (cert);
#endif

  /* make user token */
  token =
      gst_rtsp_token_new (GST_RTSP_TOKEN_MEDIA_FACTORY_ROLE, G_TYPE_STRING,
      "user", NULL);
  basic = gst_rtsp_auth_make_basic ("user", "password");
  gst_rtsp_auth_add_basic (auth, basic, token);
  g_free (basic);
  gst_rtsp_token_unref (token);

  /* configure in the server */
  gst_rtsp_server_set_auth (server, auth);
#endif

  /* get the mount points for this server, every server has a default object
   * that be used to map uri mount points to media factories */
  mounts = gst_rtsp_server_get_mount_points (server);

  /* make a media factory for a test stream. The default media factory can use
   * gst-launch syntax to create pipelines.
   * any launch line works as long as it contains elements named pay%d. Each
   * element with pay%d names will be a stream */
  factory = gst_rtsp_media_factory_new ();
  gst_rtsp_media_factory_set_launch (factory, "( "
      "videotestsrc ! video/x-raw,width=352,height=288,framerate=15/1 ! "
      "x264enc ! rtph264pay name=pay0 pt=96 "
      "audiotestsrc ! audio/x-raw,rate=8000 ! "
      "alawenc ! rtppcmapay name=pay1 pt=97 " ")");

#ifdef WITH_AUTH
  /* add permissions for the user media role */
  permissions = gst_rtsp_permissions_new ();
  gst_rtsp_permissions_add_role (permissions, "user",
      GST_RTSP_PERM_MEDIA_FACTORY_ACCESS, G_TYPE_BOOLEAN, TRUE,
      GST_RTSP_PERM_MEDIA_FACTORY_CONSTRUCT, G_TYPE_BOOLEAN, TRUE, NULL);
  gst_rtsp_media_factory_set_permissions (factory, permissions);
  gst_rtsp_permissions_unref (permissions);
#ifdef WITH_TLS
  gst_rtsp_media_factory_set_profiles (factory, GST_RTSP_PROFILE_SAVP);
#endif
#endif

  /* attach the test factory to the /test url */
  gst_rtsp_mount_points_add_factory (mounts, "/test", factory);

  /* don't need the ref to the mapper anymore */
  g_object_unref (mounts);

  /* attach the server to the default maincontext */
  if (gst_rtsp_server_attach (server, NULL) == 0)
    goto failed;

  /* add a timeout for the session cleanup */
  g_timeout_add_seconds (2, (GSourceFunc) timeout, server);

  /* start serving, this never stops */
#ifdef WITH_TLS
  g_print ("stream ready at rtsps://127.0.0.1:8554/test\n");
#else
  g_print ("stream ready at rtsp://127.0.0.1:8554/test\n");
#endif
  g_main_loop_run (loop);

  return 0;

  /* ERRORS */
failed:
  {
    g_print ("failed to attach the server\n");
    return -1;
  }
}

*I kept your surveillance-tls files same*

The certs are

*toyCA.pem*

*toyIntermediate.pem*

*toyDecryptedIntermediate.key*

> I did all those things I have no idea why it is not working
>
> Here is the full source

I overlooked certain things in my previous email. For the tls-interaction to work in the way I am using it, you need to have 2 more things on the server

1. You have to have on the server
gst_rtsp_auth_set_tls_authentication_mode(auth, G_TLS_AUTHENTICATION_REQUIRED);

2. You also have to have on the server, a callback for accepting client's certificate. To do this,
g_signal_connect (auth, "accept-certificate", G_CALLBACK (accept_certificate), NULL);

gboolean accept_certificate (GstRTSPAuth *auth, GTlsConnection *connection, GTlsCertificate *peer_cert, GTlsCertificateFlags errors, gpointer user_data) {
  //return TRUE or FALSE here depending on peer_cert
  return TRUE;
}

I have just tested this with the code you posted and it works. I'll upload a clean example on github soon.

Regards
Mandar Joshi

Thanks @Mandar Joshi.
I was able to get this to work.

I did modify the following function in server side. Obviously it doesn't do peer verification but it works over SSL.

I also plan to host my code on github (same username) (License likely will be MIT license). I will sufficiently give you credits including your name in README as well as link to your repository that helped immensely in SSL portion of writing my code. Let me know if this is okay or not.

gboolean
accept_certificate (GstRTSPAuth *auth,
                    GTlsConnection *conn,
                    GTlsCertificate *peer_cert,
                    GTlsCertificateFlags errors,
                    gpointer user_data)
{
  GError *error = NULL;
  gboolean accept = FALSE;
  GTlsCertificate *ca_tls_cert = (GTlsCertificate *) user_data;

  GTlsDatabase* database = g_tls_file_database_new ("/home/virgo/gstreamer/cert/toyCA.pem", &error);
  if (database) {
    GSocketConnectable *peer_identity;
    GTlsCertificateFlags validation_flags;
    g_debug ("TLS peer certificate not accepted, checking user database...\n");
    peer_identity = NULL;
    errors =
        g_tls_database_verify_chain (database, peer_cert,
                                     G_TLS_DATABASE_PURPOSE_AUTHENTICATE_CLIENT, peer_identity,
                                     g_tls_connection_get_interaction (conn), G_TLS_DATABASE_VERIFY_NONE,
                                     NULL, &error);
    g_print("errors value %d\n",errors);

    g_object_unref (database);
    if (error)
    {
      g_warning ("failure verifying certificate chain: %s",
                 error->message);
      g_assert (errors != 0);
      g_clear_error (&error);
    }
  }

  if (error == 0){
    return TRUE;
  }
  return FALSE;
}

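The server-side callback from the post above, reworked as an added example (not code from the thread or from either poster's repository) so that it returns TRUE only when g_tls_database_verify_chain completes and reports no error bits; the posted version tests the already-cleared GError pointer, so every client certificate is accepted. The TLSERR_* names, tls_errors_to_string, peer_chain_acceptable, the USE_GIO build switch and passing a preloaded GTlsDatabase through user_data are assumptions of this example.

```c
/* Added example: strict "accept-certificate" decision for GstRTSPAuth.
 * Pure-C part:  gcc -std=c99 accept_strict.c
 * With GIO:     gcc -DUSE_GIO -c accept_strict.c \
 *                   `pkg-config --cflags gstreamer-rtsp-server-1.0 gio-2.0` */
#include <stdio.h>
#include <string.h>

/* Bit values as listed in the GTlsCertificateFlags enum quoted in the thread.
 * The TLSERR_* names are local to this example. */
#define TLSERR_UNKNOWN_CA     (1u << 0)
#define TLSERR_BAD_IDENTITY   (1u << 1)
#define TLSERR_NOT_ACTIVATED  (1u << 2)
#define TLSERR_EXPIRED        (1u << 3)
#define TLSERR_REVOKED        (1u << 4)
#define TLSERR_INSECURE       (1u << 5)
#define TLSERR_GENERIC_ERROR  (1u << 6)

static const struct { unsigned bit; const char *name; } tlserr_names[] = {
  { TLSERR_UNKNOWN_CA, "unknown-ca" }, { TLSERR_BAD_IDENTITY, "bad-identity" },
  { TLSERR_NOT_ACTIVATED, "not-activated" }, { TLSERR_EXPIRED, "expired" },
  { TLSERR_REVOKED, "revoked" }, { TLSERR_INSECURE, "insecure" },
  { TLSERR_GENERIC_ERROR, "generic-error" },
};

/* Render the set error bits as "a,b,c" ("none" when no bit is set) for logs. */
const char *tls_errors_to_string (unsigned errors, char *buf, size_t len)
{
  size_t used = 0, i;
  if (len == 0) return buf;
  buf[0] = '\0';
  if (errors == 0) { snprintf (buf, len, "none"); return buf; }
  for (i = 0; i < sizeof tlserr_names / sizeof tlserr_names[0]; i++) {
    int n;
    if (!(errors & tlserr_names[i].bit)) continue;
    n = snprintf (buf + used, len - used, "%s%s", used ? "," : "", tlserr_names[i].name);
    if (n < 0 || (size_t) n >= len - used) { buf[used] = '\0'; break; } /* no room left */
    used += (size_t) n;
  }
  if (used == 0) snprintf (buf, len, "0x%x", errors);  /* unnamed bits or tiny buffer */
  return buf;
}

/* Accept only when the verify call itself completed (no GError) AND no error
 * bit is set. The decision looks at the flags, not at the GError pointer. */
int peer_chain_acceptable (unsigned errors, int verify_call_failed)
{
  if (verify_call_failed) return 0;  /* database unusable, cancelled, ... */
  return errors == 0;
}

#ifdef USE_GIO
#include <gio/gio.h>
#include <gst/rtsp-server/rtsp-server.h>

/* Assumption: user_data is a GTlsDatabase created once at startup with
 * g_tls_file_database_new() on the CA file and passed to
 * g_signal_connect (auth, "accept-certificate", G_CALLBACK (accept_certificate), db). */
gboolean accept_certificate (GstRTSPAuth *auth, GTlsConnection *conn,
                             GTlsCertificate *peer_cert,
                             GTlsCertificateFlags errors, gpointer user_data)
{
  GTlsDatabase *db = G_TLS_DATABASE (user_data);
  GError *error = NULL;
  char why[128];
  (void) auth;

  errors = g_tls_database_verify_chain (db, peer_cert,
      G_TLS_DATABASE_PURPOSE_AUTHENTICATE_CLIENT, NULL,
      g_tls_connection_get_interaction (conn),
      G_TLS_DATABASE_VERIFY_NONE, NULL, &error);

  if (!peer_chain_acceptable ((unsigned) errors, error != NULL)) {
    g_warning ("rejecting client certificate: %s (%s)",
        tls_errors_to_string ((unsigned) errors, why, sizeof why),
        error ? error->message : "verification completed");
    g_clear_error (&error);
    return FALSE;
  }
  return TRUE;
}
#endif

int main (void)
{
  char why[128];
  size_t i;
  /* Constructed results: clean chain, untrusted+expired chain, failed call. */
  unsigned samples[][2] = { {0, 0}, {TLSERR_UNKNOWN_CA | TLSERR_EXPIRED, 0}, {0, 1} };
  for (i = 0; i < 3; i++)
    printf ("errors=%-20s call_failed=%u -> %s\n",
            tls_errors_to_string (samples[i][0], why, sizeof why), samples[i][1],
            peer_chain_acceptable (samples[i][0], (int) samples[i][1]) ? "accept" : "reject");
  return 0;
}
```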
> I was able to get this to work.
>
> I did modify the following function in server side. Obviously it doesn't do
> peer verification but it works
>

Replying to your nabble post:
> I also plan to host my code on github (same username) (License likely will be MIT license). I will sufficiently give you credits including your name in README as well as link to your repository that helped immensely in SSL portion of writing my code. Let me know if this is okay or not.

Yes you can include my name in the README.

Thanks @Mandar Joshi
Here is the URL for Github with the code and credits
https://github.com/enthusiasticgeek/gstreamer-rtsp-ssl-example