mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2024-11-26 19:51:11 +00:00
Code Issues 1 Projects Releases Wiki Activity

souphttpsrc: Add properties for selecting SSL/TLS certificate checking

Browse source 
And by default properly check certificates against the system's CA
certificates. Everything else is not a good default at all.
This commit is contained in:
Sebastian Dröge 2014-03-12 15:32:55 +01:00
parent 2a362c6fb1
commit 5d06735dbd
2 changed files with 80 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

78
ext/soup/gstsouphttpsrc.c
View file

@ -109,7 +109,10 @@ enum
PROP_EXTRA_HEADERS,
PROP_SOUP_LOG_LEVEL,
PROP_COMPRESS,
PROP_KEEP_ALIVE
PROP_KEEP_ALIVE,
PROP_SSL_STRICT,
PROP_SSL_CA_FILE,
PROP_SSL_USE_SYSTEM_CA_FILE
};
#define DEFAULT_USER_AGENT "GStreamer souphttpsrc "
@ -117,6 +120,9 @@ enum
#define DEFAULT_SOUP_LOG_LEVEL SOUP_LOGGER_LOG_HEADERS
#define DEFAULT_COMPRESS FALSE
#define DEFAULT_KEEP_ALIVE FALSE
#define DEFAULT_SSL_STRICT TRUE
#define DEFAULT_SSL_CA_FILE NULL
#define DEFAULT_SSL_USE_SYSTEM_CA_FILE TRUE
static void gst_soup_http_src_uri_handler_init (gpointer g_iface,
gpointer iface_data);
@ -298,6 +304,45 @@ gst_soup_http_src_class_init (GstSoupHTTPSrcClass * klass)
"Use HTTP persistent connections", DEFAULT_KEEP_ALIVE,
G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
/**
* GstSoupHTTPSrc::ssl-strict:
*
* If set to %TRUE, souphttpsrc will reject all SSL certificates that
* are considered invalid.
*
* Since: 1.4
*/
g_object_class_install_property (gobject_class, PROP_SSL_STRICT,
g_param_spec_boolean ("ssl-strict", "SSL Strict",
"Strict SSL certificate checking", DEFAULT_SSL_STRICT,
G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
/**
* GstSoupHTTPSrc::ssl-ca-file:
*
* A SSL anchor CA file that should be used for checking certificates
* instead of the system CA file.
*
* Since: 1.4
*/
g_object_class_install_property (gobject_class, PROP_SSL_CA_FILE,
g_param_spec_string ("ssl-ca-file", "SSL CA File",
"Location of a SSL anchor CA file to use", DEFAULT_SSL_CA_FILE,
G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
/**
* GstSoupHTTPSrc::ssl-use-system-ca-file:
*
* If set to %TRUE, souphttpsrc will use the system's CA file for
* checking certificates.
*
* Since: 1.4
*/
g_object_class_install_property (gobject_class, PROP_SSL_USE_SYSTEM_CA_FILE,
g_param_spec_boolean ("ssl-use-system-ca-file", "Use System CA File",
"Use system CA file", DEFAULT_SSL_USE_SYSTEM_CA_FILE,
G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
gst_element_class_add_pad_template (gstelement_class,
gst_static_pad_template_get (&srctemplate));
@ -372,6 +417,8 @@ gst_soup_http_src_init (GstSoupHTTPSrc * src)
src->session = NULL;
src->msg = NULL;
src->log_level = DEFAULT_SOUP_LOG_LEVEL;
src->ssl_strict = DEFAULT_SSL_STRICT;
src->ssl_use_system_ca_file = DEFAULT_SSL_USE_SYSTEM_CA_FILE;
proxy = g_getenv ("http_proxy");
if (proxy && !gst_soup_http_src_set_proxy (src, proxy)) {
GST_WARNING_OBJECT (src,
@ -424,6 +471,8 @@ gst_soup_http_src_finalize (GObject * gobject)
src->extra_headers = NULL;
}
g_free (src->ssl_ca_file);
G_OBJECT_CLASS (parent_class)->finalize (gobject);
}
@ -525,6 +574,17 @@ gst_soup_http_src_set_property (GObject * object, guint prop_id,
case PROP_KEEP_ALIVE:
src->keep_alive = g_value_get_boolean (value);
break;
case PROP_SSL_STRICT:
src->ssl_strict = g_value_get_boolean (value);
break;
case PROP_SSL_CA_FILE:
if (src->ssl_ca_file)
g_free (src->ssl_ca_file);
src->ssl_ca_file = g_value_dup_string (value);
break;
case PROP_SSL_USE_SYSTEM_CA_FILE:
src->ssl_use_system_ca_file = g_value_get_boolean (value);
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break;
@ -595,6 +655,15 @@ gst_soup_http_src_get_property (GObject * object, guint prop_id,
case PROP_KEEP_ALIVE:
g_value_set_boolean (value, src->keep_alive);
break;
case PROP_SSL_STRICT:
g_value_set_boolean (value, src->ssl_strict);
break;
case PROP_SSL_CA_FILE:
g_value_set_string (value, src->ssl_ca_file);
break;
case PROP_SSL_USE_SYSTEM_CA_FILE:
g_value_set_boolean (value, src->ssl_strict);
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break;
@ -776,6 +845,7 @@ gst_soup_http_src_session_open (GstSoupHTTPSrc * src)
soup_session_async_new_with_options (SOUP_SESSION_ASYNC_CONTEXT,
src->context, SOUP_SESSION_USER_AGENT, src->user_agent,
SOUP_SESSION_TIMEOUT, src->timeout,
SOUP_SESSION_SSL_STRICT, src->ssl_strict,
SOUP_SESSION_ADD_FEATURE_BY_TYPE, SOUP_TYPE_PROXY_RESOLVER_DEFAULT,
NULL);
} else {
@ -783,6 +853,7 @@ gst_soup_http_src_session_open (GstSoupHTTPSrc * src)
soup_session_async_new_with_options (SOUP_SESSION_ASYNC_CONTEXT,
src->context, SOUP_SESSION_PROXY_URI, src->proxy,
SOUP_SESSION_TIMEOUT, src->timeout,
SOUP_SESSION_SSL_STRICT, src->ssl_strict,
SOUP_SESSION_USER_AGENT, src->user_agent, NULL);
}
@ -797,6 +868,11 @@ gst_soup_http_src_session_open (GstSoupHTTPSrc * src)
/* Set up logging */
gst_soup_util_log_setup (src->session, src->log_level, GST_ELEMENT (src));
if (src->ssl_ca_file)
g_object_set (src->session, "ssl-ca-file", src->ssl_ca_file, NULL);
else
g_object_set (src->session, "ssl-use-system-ca-file",
src->ssl_use_system_ca_file, NULL);
} else {
GST_DEBUG_OBJECT (src, "Re-using session");
}

3
ext/soup/gstsouphttpsrc.h
View file

@ -84,6 +84,9 @@ struct _GstSoupHTTPSrc {
* handled as an error or EOS when the content
* size is unknown */
gboolean keep_alive; /* Use keep-alive sessions */
gboolean ssl_strict;
gchar *ssl_ca_file;
gboolean ssl_use_system_ca_file;
/* Shoutcast/icecast metadata extraction handling. */
gboolean iradio_mode;