rtsp+rtmp: Forward warning added to tls-validation-flags to our users

With the 2.72 release, glib-networking developers have decided that
TLS certificate validation cannot be implemented correctly by them, so
they've deprecated it.

In a nutshell: a cert can have several validation errors, but there
are no guarantees that the TLS backend will return all those errors,
and things are made even more complicated by the fact that the list of
errors might refer to certs that are added for backwards-compat and
won't actually be used by the TLS library.

Our best option is to ignore the deprecation and pass the warning onto
users so they can make an appropriate security decision regarding
this.

We can't deprecate the tls-validation-flags property because it is
very useful when connecting to RTSP cameras that will never get
updates to fix certificate errors.

Relevant upstream merge requests / issues:

https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2214

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/179

https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/193

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2494>
This commit is contained in:
Nirbheek Chauhan 2022-05-25 18:40:30 +05:30 committed by GStreamer Marge Bot
parent 11ecda9d73
commit 5da9f62313
5 changed files with 61 additions and 1 deletions

View file

@ -84,6 +84,22 @@ gst_rtmp_location_handler_default_init (GstRtmpLocationHandlerInterface * iface)
g_object_interface_install_property (iface, g_param_spec_uint ("timeout", g_object_interface_install_property (iface, g_param_spec_uint ("timeout",
"Timeout", "RTMP timeout in seconds", 0, G_MAXUINT, DEFAULT_TIMEOUT, "Timeout", "RTMP timeout in seconds", 0, G_MAXUINT, DEFAULT_TIMEOUT,
G_PARAM_CONSTRUCT | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS)); G_PARAM_CONSTRUCT | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
/**
* GstRtmpLocationHandler::tls-validation-flags:
*
* TLS certificate validation flags used to validate server
* certificate.
*
* GLib guarantees that if certificate verification fails, at least one
* error will be set, but it does not guarantee that all possible errors
* will be set. Accordingly, you may not safely decide to ignore any
* particular type of error.
*
* For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
* you want to allow expired certificates, because this could potentially be
* the only error flag set even if other problems exist with the
* certificate.
*/
g_object_interface_install_property (iface, g_object_interface_install_property (iface,
g_param_spec_flags ("tls-validation-flags", "TLS validation flags", g_param_spec_flags ("tls-validation-flags", "TLS validation flags",
"TLS validation flags to use", G_TYPE_TLS_CERTIFICATE_FLAGS, "TLS validation flags to use", G_TYPE_TLS_CERTIFICATE_FLAGS,

View file

@ -426,8 +426,10 @@ socket_connect (GTask * task)
GST_DEBUG ("Configuring TLS, validation flags 0x%02x", GST_DEBUG ("Configuring TLS, validation flags 0x%02x",
data->location.tls_flags); data->location.tls_flags);
g_socket_client_set_tls (socket_client, TRUE); g_socket_client_set_tls (socket_client, TRUE);
G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
g_socket_client_set_tls_validation_flags (socket_client, g_socket_client_set_tls_validation_flags (socket_client,
data->location.tls_flags); data->location.tls_flags);
G_GNUC_END_IGNORE_DEPRECATIONS;
break; break;
default: default:

View file

@ -643,6 +643,15 @@ gst_rtsp_connection_get_tls (GstRTSPConnection * conn, GError ** error)
* Sets the TLS validation flags to be used to verify the peer * Sets the TLS validation flags to be used to verify the peer
* certificate when a TLS connection is established. * certificate when a TLS connection is established.
* *
* GLib guarantees that if certificate verification fails, at least one error
* will be set, but it does not guarantee that all possible errors will be
* set. Accordingly, you may not safely decide to ignore any particular type
* of error.
*
* For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
* you want to allow expired certificates, because this could potentially be
* the only error flag set even if other problems exist with the certificate.
*
* Returns: TRUE if the validation flags are set correctly, or FALSE if * Returns: TRUE if the validation flags are set correctly, or FALSE if
* @conn is NULL or is not a TLS connection. * @conn is NULL or is not a TLS connection.
* *
@ -657,8 +666,10 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn,
g_return_val_if_fail (conn != NULL, FALSE); g_return_val_if_fail (conn != NULL, FALSE);
res = g_socket_client_get_tls (conn->client); res = g_socket_client_get_tls (conn->client);
G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
if (res) if (res)
g_socket_client_set_tls_validation_flags (conn->client, flags); g_socket_client_set_tls_validation_flags (conn->client, flags);
G_GNUC_END_IGNORE_DEPRECATIONS;
return res; return res;
} }
@ -670,7 +681,16 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn,
* Gets the TLS validation flags used to verify the peer certificate * Gets the TLS validation flags used to verify the peer certificate
* when a TLS connection is established. * when a TLS connection is established.
* *
* Returns: the validationg flags. * GLib guarantees that if certificate verification fails, at least one error
* will be set, but it does not guarantee that all possible errors will be
* set. Accordingly, you may not safely decide to ignore any particular type
* of error.
*
* For example, it would be incorrect to ignore %G_TLS_CERTIFICATE_EXPIRED if
* you want to allow expired certificates, because this could potentially be
* the only error flag set even if other problems exist with the certificate.
*
* Returns: the validation flags.
* *
* Since: 1.2.1 * Since: 1.2.1
*/ */
@ -679,7 +699,9 @@ gst_rtsp_connection_get_tls_validation_flags (GstRTSPConnection * conn)
{ {
g_return_val_if_fail (conn != NULL, 0); g_return_val_if_fail (conn != NULL, 0);
G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
return g_socket_client_get_tls_validation_flags (conn->client); return g_socket_client_get_tls_validation_flags (conn->client);
G_GNUC_END_IGNORE_DEPRECATIONS;
} }
/** /**

View file

@ -812,6 +812,16 @@ gst_rtspsrc_class_init (GstRTSPSrcClass * klass)
* TLS certificate validation flags used to validate server * TLS certificate validation flags used to validate server
* certificate. * certificate.
* *
* GLib guarantees that if certificate verification fails, at least one
* error will be set, but it does not guarantee that all possible errors
* will be set. Accordingly, you may not safely decide to ignore any
* particular type of error.
*
* For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
* you want to allow expired certificates, because this could potentially be
* the only error flag set even if other problems exist with the
* certificate.
*
* Since: 1.2.1 * Since: 1.2.1
*/ */
g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS, g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS,

View file

@ -666,6 +666,16 @@ gst_rtsp_client_sink_class_init (GstRTSPClientSinkClass * klass)
* TLS certificate validation flags used to validate server * TLS certificate validation flags used to validate server
* certificate. * certificate.
* *
* GLib guarantees that if certificate verification fails, at least one
* error will be set, but it does not guarantee that all possible errors
* will be set. Accordingly, you may not safely decide to ignore any
* particular type of error.
*
* For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
* you want to allow expired certificates, because this could potentially be
* the only error flag set even if other problems exist with the
* certificate.
*
*/ */
g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS, g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS,
g_param_spec_flags ("tls-validation-flags", "TLS validation flags", g_param_spec_flags ("tls-validation-flags", "TLS validation flags",