souphttpsrc / libsoup3: need better error reporting for invalid SSL certificate
TLDR
With souphttpsrc / libsoup3, it's not possible for the caller to know when there's an SSL error (i.e. invalid certificate).
Long story
With souphttpsrc / libsoup2, it's possible for the user to know about SSL errors. It's not exactly straightforward, but doable. Here's how I do it:
#include <gst/gst.h>
#include <libsoup/soup.h>

void on_bus_message_error(GstBus *bus, GstMessage *msg, gpointer user_data) {
    GError *err = NULL;

    gst_message_parse_error(msg, &err, NULL);
    if (g_error_matches(err, GST_RESOURCE_ERROR, GST_RESOURCE_ERROR_OPEN_READ)) {
        const GstStructure *details = NULL;

        // details stays NULL when the element attached no details
        gst_message_parse_error_details(msg, &details);
        if (details != NULL &&
            gst_structure_has_field_typed(details, "http-status-code", G_TYPE_UINT)) {
            guint code = 0;

            gst_structure_get_uint(details, "http-status-code", &code);
            if (code == SOUP_STATUS_SSL_FAILED) {
                // notify user that the certificate is not valid
            }
        }
    }
    // gst_message_parse_error() hands ownership of err to the caller
    g_clear_error(&err);
}
However, with souphttpsrc / libsoup3, all I can get is this:
#include <gst/gst.h>

void on_bus_message_error(GstBus *bus, GstMessage *msg, gpointer user_data) {
    GError *err = NULL;

    gst_message_parse_error(msg, &err, NULL);
    if (g_error_matches(err, GST_STREAM_ERROR, GST_STREAM_ERROR_FAILED)) {
        // this might be a TLS error, or anything else
    }
    // gst_message_parse_error() hands ownership of err to the caller
    g_clear_error(&err);
}
To say it with words: with libsoup3, when the certificate is not valid, it results in a GST_STREAM_ERROR_FAILED error. The error message is "Internal data stream error". If I do gst_message_parse_error_details, all I get is a field flow-return=(int)-5. There is absolutely no way to know that it's an SSL error.
Working example
$ STREAM=https://am981.ddns.net:9005/stream.ogg
$ gst-launch-1.0 souphttpsrc location="${STREAM:?}" ! decodebin ! autoaudiosink
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
Got context from element 'souphttpsrc0': gst.soup.session=context, session=(GstSoupSession)NULL;
ERROR: from element /GstPipeline:pipeline0/GstSoupHTTPSrc:souphttpsrc0: Internal data stream error.
Additional debug info:
../libs/gst/base/gstbasesrc.c(3132): gst_base_src_loop (): /GstPipeline:pipeline0/GstSoupHTTPSrc:souphttpsrc0:
streaming stopped, reason error (-5)
ERROR: pipeline doesn't want to preroll.
ERROR: from element /GstPipeline:pipeline0/GstDecodeBin:decodebin0/GstTypeFindElement:typefind: Stream doesn't contain enough data.
Setting pipeline to NULL ...
Additional debug info:
../plugins/elements/gsttypefindelement.c(1012): gst_type_find_element_chain_do_typefinding (): /GstPipeline:pipeline0/GstDecodeBin:decodebin0/GstTypeFindElement:typefind:
Can't typefind stream
ERROR: pipeline doesn't want to preroll.
Freeing pipeline ...
$ gst-launch-1.0 souphttpsrc location="${STREAM:?}" ssl-strict=false ! decodebin ! autoaudiosink
.
..
... it works, since we used ssl-strict=false ...
..
.
Discussion
Looking at the changes in libsoup3 and souphttpsrc: libsoup3 reworked how SSL errors are reported / handled. souphttpsrc adjusted accordingly, but in the process, it also stopped reporting a useful error. Basically, reporting for those errors was lost: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/ext/soup/gstsouphttpsrc.c#L1616-1653
I think it shouldn't be too hard to re-establish at least the SSL error reporting, similar to how it used to be.
I can submit a patch. Anyone interested in reviewing it?
Thanks!