Playbin: SSL certificate checking
maksim_liauchuk at fastmail.fm
Mon Mar 21 22:01:22 UTC 2022
Thanks for valuable input.
I'm not 100% sure about OpenSSL, in fact I deal with Java bindings, which seem use gio-2.0 (see https://github.com/gstreamer-java/gst1-java-core/blob/master/src/org/freedesktop/gstreamer/lowlevel/GioAPI.java#L29).
Forgot to add, that I manually added that self-signed CA cert to Java cacerts. And can confirm it works because *after that* I'm able to fetch pages via HTTPS from the app. Thus I would assume native library is used for stream work.
May I ask for an advice where to look further please?
Probably not a surprise to yourself, but souphttpsrc isn't used in my setup.
ELEMENT SETUP: URIDecodeBin: [uridecodebin0]
SOURCE SETUP: BaseSrc: [source]
ELEMENT SETUP: BaseSrc: [source]
ELEMENT SETUP: Element: [typefindelement0]
ELEMENT SETUP: DecodeBin: [decodebin0]
ELEMENT SETUP: Element: [typefind]
ELEMENT SETUP: Element: [queue2-0]
ELEMENT SETUP: Element: [mpegaudioparse0]
ELEMENT SETUP: Element: [avdec_mp3-0]
ELEMENT SETUP: Element: [inputselector0]
// playbin.audio-changed event here
ELEMENT SETUP: Element: [audiotee]
ELEMENT SETUP: Bin: [abin]
ELEMENT SETUP: Bin: [aconv]
ELEMENT SETUP: BaseTransform: [resample]
ELEMENT SETUP: BaseTransform: [conv]
ELEMENT SETUP: BaseTransform: [identity]
ELEMENT SETUP: Element: [aqueue]
ELEMENT SETUP: BaseSink: [pulsesink1]
For a total newbie as myself, building custom alternative universal pipeline like above may be a dead end...
Looking forward hearing back from you.
On Mon, Mar 21, 2022, at 20:20, Nirbheek Chauhan wrote:
> On Mon, Mar 21, 2022 at 5:30 AM Maksim Liauchuk via gstreamer-devel
> <gstreamer-devel at lists.freedesktop.org> wrote:
>> Please bear with me if that's not a good channel for asking questions.
>> I use gstreamer as audio backend in my app. Playbin is easy to use and fulfills all my requirements.
>> Employer's Windows laptop has self-signed root CA cert, which is installed by IT automatically. Unfortunately, gstreamer doesn't see it and fails to play streams with "Secure connection setup failed" error. I tried also to put the cert into gstreamer/1.0/msvc_x86_64/etc/ssl/certs/, but still no luck.
>> Is there a way to disable strict SSL validation for Playbin? What I've seen so far is advice to switch over to souphttpsrc (https://gstreamer.freedesktop.org/documentation/soup/souphttpsrc.html?gi-language=c#souphttpsrc:ssl-strict), but that's something I'd like to avoid, as I work with both streams and local files.
>> Or maybe you could help to find out where gstreamer looks for certificates?
> Since you are using playbin, it's automatically plugging in some
> element to handle the HTTP URI in your app. If you are using the
> official MSI installers, it is likely souphttpsrc.
> What is confusing to me is that the OpenSSL that ships with the
> GStreamer installer already uses the CA cert that we ship in
> gstreamer/1.0/msvc_x86_64/etc/ssl/certs (path is picked up relative to
> the location of the openssl DLLs). Is it possible that your app is
> picking up some other OpenSSL? Or maybe you're using some other GIO
> module for glib-networking?
> If you want to set some property on the HTTP source element that is
> being autoplugged by playbin, you want to connect to the
> deep-element-added callback on playbin (all GstBins emit that), look
> for the source element being added, and set whatever properties you
> want on it. If it's souphttpsrc, you can set "ssl-ca-file" or
More information about the gstreamer-devel