Playbin: SSL certificate checking

[Nirbheek Chauhan]

On Mon, Mar 21, 2022 at 5:30 AM Maksim Liauchuk via gstreamer-devel
<gstreamer-devel at lists.freedesktop.org> wrote:
> Please bear with me if that's not a good channel for asking questions.
> I use gstreamer as audio backend in my app. Playbin is easy to use and fulfills all my requirements.
> Employer's Windows laptop has self-signed root CA cert, which is installed by IT automatically. Unfortunately, gstreamer doesn't see it and fails to play streams with "Secure connection setup failed" error. I tried also to put the cert into gstreamer/1.0/msvc_x86_64/etc/ssl/certs/, but still no luck.
> Is there a way to disable strict SSL validation for Playbin? What I've seen so far is advice to switch over to souphttpsrc (https://gstreamer.freedesktop.org/documentation/soup/souphttpsrc.html?gi-language=c#souphttpsrc:ssl-strict), but that's something I'd like to avoid, as I work with both streams and local files.
> Or maybe you could help to find out where gstreamer looks for certificates?
>

Since you are using playbin, it's automatically plugging in some
element to handle the HTTP URI in your app. If you are using the
official MSI installers, it is likely souphttpsrc.

What is confusing to me is that the OpenSSL that ships with the
GStreamer installer already uses the CA cert that we ship in
gstreamer/1.0/msvc_x86_64/etc/ssl/certs (path is picked up relative to
the location of the openssl DLLs). Is it possible that your app is
picking up some other OpenSSL? Or maybe you're using some other GIO
module for glib-networking?

If you want to set some property on the HTTP source element that is
being autoplugged by playbin, you want to connect to the
deep-element-added callback on playbin (all GstBins emit that), look
for the source element being added, and set whatever properties you
want on it. If it's souphttpsrc, you can set "ssl-ca-file" or
"ssl-strict".

Cheers,
Nirbheek