diff --git a/subprojects/gst-plugins-bad/ext/dtls/gstdtlscertificate.c b/subprojects/gst-plugins-bad/ext/dtls/gstdtlscertificate.c
index d7411c8f4c52f60317121955ad01e24ceb4f677b..9b31464b297c0aa3d390768296d09d7d83341919 100644
--- a/subprojects/gst-plugins-bad/ext/dtls/gstdtlscertificate.c
+++ b/subprojects/gst-plugins-bad/ext/dtls/gstdtlscertificate.c
@@ -221,14 +221,24 @@ init_generated (GstDtlsCertificate * self)
 #if OPENSSL_VERSION_NUMBER < 0x10100001L
   rsa = RSA_generate_key (2048, RSA_F4, NULL, NULL);
 #else
+  /*
+   * OpenSSL 3.0 deprecated all low-level APIs, so we need to rewrite this code
+   * to get rid of the warnings. The porting guide explicitly recommends
+   * disabling the warnings if this is not feasible, so let's do that for now:
+   * https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_to_OpenSSL_3.0_from_OpenSSL_1.1.1
+   */
+  G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
   rsa = RSA_new ();
+  G_GNUC_END_IGNORE_DEPRECATIONS;
   if (rsa != NULL) {
     BIGNUM *e = BN_new ();
+    G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
     if (e == NULL || !BN_set_word (e, RSA_F4)
         || !RSA_generate_key_ex (rsa, 2048, e, NULL)) {
       RSA_free (rsa);
       rsa = NULL;
     }
+    G_GNUC_END_IGNORE_DEPRECATIONS;
     if (e)
       BN_free (e);
   }
@@ -236,16 +246,20 @@ init_generated (GstDtlsCertificate * self)
 
   if (!rsa) {
     GST_WARNING_OBJECT (self, "failed to generate RSA");
+    G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
     EVP_PKEY_free (priv->private_key);
+    G_GNUC_END_IGNORE_DEPRECATIONS;
     priv->private_key = NULL;
     X509_free (priv->x509);
     priv->x509 = NULL;
     return;
   }
 
+  G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
   if (!EVP_PKEY_assign_RSA (priv->private_key, rsa)) {
     GST_WARNING_OBJECT (self, "failed to assign RSA");
     RSA_free (rsa);
+    G_GNUC_END_IGNORE_DEPRECATIONS;
     rsa = NULL;
     EVP_PKEY_free (priv->private_key);
     priv->private_key = NULL;
@@ -259,7 +273,9 @@ init_generated (GstDtlsCertificate * self)
 
   /* Set a random 64 bit integer as serial number */
   serial_number = BN_new ();
+  G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
   BN_pseudo_rand (serial_number, 64, 0, 0);
+  G_GNUC_END_IGNORE_DEPRECATIONS;
   asn1_serial_number = X509_get_serialNumber (priv->x509);
   BN_to_ASN1_INTEGER (serial_number, asn1_serial_number);
   BN_free (serial_number);
diff --git a/subprojects/gst-plugins-bad/ext/sctp/usrsctp/meson.build b/subprojects/gst-plugins-bad/ext/sctp/usrsctp/meson.build
index 0869dd59fdb13d13edf7fd93b7cdd85a9d951a61..6a1ab845da95a921f657e65f24b36abb36a3a0fa 100644
--- a/subprojects/gst-plugins-bad/ext/sctp/usrsctp/meson.build
+++ b/subprojects/gst-plugins-bad/ext/sctp/usrsctp/meson.build
@@ -31,7 +31,6 @@ else
         '-Wno-missing-declarations',
         '-Wno-old-style-definition',
         '-Wno-redundant-decls',
-        '-Wno-error',
     ])
 endif
 
@@ -169,6 +168,7 @@ usrsctp_static = static_library('usrsctp-static', sources,
     c_args: compile_args,
     dependencies: dependencies,
     include_directories: include_dirs,
+    override_options: ['werror=false'],
     install: false)
 
 # Declare dependency
diff --git a/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c b/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c
index 2e421c8e97465c7c269960061f869dcb7650bb1c..67df9a6b183552aec277004c95a978e6d0adee3b 100644
--- a/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c
+++ b/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c
@@ -84,6 +84,22 @@ gst_rtmp_location_handler_default_init (GstRtmpLocationHandlerInterface * iface)
   g_object_interface_install_property (iface, g_param_spec_uint ("timeout",
           "Timeout", "RTMP timeout in seconds", 0, G_MAXUINT, DEFAULT_TIMEOUT,
           G_PARAM_CONSTRUCT | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
+  /**
+   * GstRtmpLocationHandler::tls-validation-flags:
+   *
+   * TLS certificate validation flags used to validate server
+   * certificate.
+   *
+   * GLib guarantees that if certificate verification fails, at least one
+   * error will be set, but it does not guarantee that all possible errors
+   * will be set. Accordingly, you may not safely decide to ignore any
+   * particular type of error.
+   *
+   * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+   * you want to allow expired certificates, because this could potentially be
+   * the only error flag set even if other problems exist with the
+   * certificate.
+   */
   g_object_interface_install_property (iface,
       g_param_spec_flags ("tls-validation-flags", "TLS validation flags",
           "TLS validation flags to use", G_TYPE_TLS_CERTIFICATE_FLAGS,
diff --git a/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c b/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c
index 2a20b5b742a2ff4549722993beb3d5bba37321ec..f743637a64014dc1e01434196db1f96fad00270f 100644
--- a/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c
+++ b/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c
@@ -426,8 +426,10 @@ socket_connect (GTask * task)
       GST_DEBUG ("Configuring TLS, validation flags 0x%02x",
           data->location.tls_flags);
       g_socket_client_set_tls (socket_client, TRUE);
+      G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
       g_socket_client_set_tls_validation_flags (socket_client,
           data->location.tls_flags);
+      G_GNUC_END_IGNORE_DEPRECATIONS;
       break;
 
     default:
diff --git a/subprojects/gst-plugins-bad/sys/qsv/libmfx/meson.build b/subprojects/gst-plugins-bad/sys/qsv/libmfx/meson.build
index fcb11f3bf80914eda9101860b32ca47d5c06a112..1b54be6cdbfc4fddf25312961540d277ccfbeeb1 100644
--- a/subprojects/gst-plugins-bad/sys/qsv/libmfx/meson.build
+++ b/subprojects/gst-plugins-bad/sys/qsv/libmfx/meson.build
@@ -81,7 +81,8 @@ libmfx_static = static_library('libmfx-static',
   c_args : libmfx_extra_args,
   cpp_args : libmfx_extra_args,
   dependencies : libmfx_extra_deps,
-  include_directories : libmfx_incl
+  include_directories : libmfx_incl,
+  override_options: ['werror=false'],
 )
 
 libmfx_internal_dep = declare_dependency(
diff --git a/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c b/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c
index 42bd4101a74db414e4c4b8c88756db638cf6d3c3..1dfeed1c2390791c8726e45861f5511b3351050c 100644
--- a/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c
+++ b/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c
@@ -643,6 +643,15 @@ gst_rtsp_connection_get_tls (GstRTSPConnection * conn, GError ** error)
  * Sets the TLS validation flags to be used to verify the peer
  * certificate when a TLS connection is established.
  *
+ * GLib guarantees that if certificate verification fails, at least one error
+ * will be set, but it does not guarantee that all possible errors will be
+ * set. Accordingly, you may not safely decide to ignore any particular type
+ * of error.
+ *
+ * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+ * you want to allow expired certificates, because this could potentially be
+ * the only error flag set even if other problems exist with the certificate.
+ *
  * Returns: TRUE if the validation flags are set correctly, or FALSE if
  * @conn is NULL or is not a TLS connection.
  *
@@ -657,8 +666,10 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn,
   g_return_val_if_fail (conn != NULL, FALSE);
 
   res = g_socket_client_get_tls (conn->client);
+  G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
   if (res)
     g_socket_client_set_tls_validation_flags (conn->client, flags);
+  G_GNUC_END_IGNORE_DEPRECATIONS;
 
   return res;
 }
@@ -670,7 +681,16 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn,
  * Gets the TLS validation flags used to verify the peer certificate
  * when a TLS connection is established.
  *
- * Returns: the validationg flags.
+ * GLib guarantees that if certificate verification fails, at least one error
+ * will be set, but it does not guarantee that all possible errors will be
+ * set. Accordingly, you may not safely decide to ignore any particular type
+ * of error.
+ *
+ * For example, it would be incorrect to ignore %G_TLS_CERTIFICATE_EXPIRED if
+ * you want to allow expired certificates, because this could potentially be
+ * the only error flag set even if other problems exist with the certificate.
+ *
+ * Returns: the validation flags.
  *
  * Since: 1.2.1
  */
@@ -679,7 +699,9 @@ gst_rtsp_connection_get_tls_validation_flags (GstRTSPConnection * conn)
 {
   g_return_val_if_fail (conn != NULL, 0);
 
+  G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
   return g_socket_client_get_tls_validation_flags (conn->client);
+  G_GNUC_END_IGNORE_DEPRECATIONS;
 }
 
 /**
diff --git a/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c b/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c
index e41c7b7f3f6bed6afe5d05cdcae2f05ca0d3d82e..ca95536471e5e9619434e73043638654927116f6 100644
--- a/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c
+++ b/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c
@@ -812,6 +812,16 @@ gst_rtspsrc_class_init (GstRTSPSrcClass * klass)
    * TLS certificate validation flags used to validate server
    * certificate.
    *
+   * GLib guarantees that if certificate verification fails, at least one
+   * error will be set, but it does not guarantee that all possible errors
+   * will be set. Accordingly, you may not safely decide to ignore any
+   * particular type of error.
+   *
+   * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+   * you want to allow expired certificates, because this could potentially be
+   * the only error flag set even if other problems exist with the
+   * certificate.
+   *
    * Since: 1.2.1
    */
   g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS,
diff --git a/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c b/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c
index bb3953c5edc20d3ce0dd44d6348a0ea3e475ce9f..0c24542d04211b22fa817608556cb981234c080a 100644
--- a/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c
+++ b/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c
@@ -666,6 +666,16 @@ gst_rtsp_client_sink_class_init (GstRTSPClientSinkClass * klass)
    * TLS certificate validation flags used to validate server
    * certificate.
    *
+   * GLib guarantees that if certificate verification fails, at least one
+   * error will be set, but it does not guarantee that all possible errors
+   * will be set. Accordingly, you may not safely decide to ignore any
+   * particular type of error.
+   *
+   * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+   * you want to allow expired certificates, because this could potentially be
+   * the only error flag set even if other problems exist with the
+   * certificate.
+   *
    */
   g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS,
       g_param_spec_flags ("tls-validation-flags", "TLS validation flags",