Commit 3dde582a authored by Nirbheek Chauhan's avatar Nirbheek Chauhan 🐜
Browse files

rtsp: Forward warning added to tls-validation-flags to our users

With the 2.72 release, glib-networking developers have decided that
TLS certificate validation cannot be implemented correctly by them, so
they've deprecated it.

In a nutshell: a cert can have several validation errors, but there
are no guarantees that the TLS backend will return all those errors,
and things are made even more complicated by the fact that the list of
errors might refer to certs that are added for backwards-compat and
won't actually be used by the TLS library.

Our best option is to ignore the deprecation and pass the warning onto
users so they can make an appropriate security decision regarding
this.

We can't deprecate the tls-validation-flags property because it is
very useful when connecting to RTSP cameras that will never get
updates to fix certificate errors.

Relevant upstream merge requests / issues:

https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2214

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/179

https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/193
parent 275e38ba
Pipeline #595638 waiting for manual action with stages
in 54 seconds
......@@ -627,6 +627,15 @@ gst_rtsp_connection_get_tls (GstRTSPConnection * conn, GError ** error)
* Sets the TLS validation flags to be used to verify the peer
* certificate when a TLS connection is established.
*
* GLib guarantees that if certificate verification fails, at least one error
* will be set, but it does not guarantee that all possible errors will be
* set. Accordingly, you may not safely decide to ignore any particular type
* of error.
*
* For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
* you want to allow expired certificates, because this could potentially be
* the only error flag set even if other problems exist with the certificate.
*
* Returns: TRUE if the validation flags are set correctly, or FALSE if
* @conn is NULL or is not a TLS connection.
*
......@@ -641,8 +650,10 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn,
g_return_val_if_fail (conn != NULL, FALSE);
res = g_socket_client_get_tls (conn->client);
G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
if (res)
g_socket_client_set_tls_validation_flags (conn->client, flags);
G_GNUC_END_IGNORE_DEPRECATIONS;
return res;
}
......@@ -654,7 +665,16 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn,
* Gets the TLS validation flags used to verify the peer certificate
* when a TLS connection is established.
*
* Returns: the validationg flags.
* GLib guarantees that if certificate verification fails, at least one error
* will be set, but it does not guarantee that all possible errors will be
* set. Accordingly, you may not safely decide to ignore any particular type
* of error.
*
* For example, it would be incorrect to ignore %G_TLS_CERTIFICATE_EXPIRED if
* you want to allow expired certificates, because this could potentially be
* the only error flag set even if other problems exist with the certificate.
*
* Returns: the validation flags.
*
* Since: 1.2.1
*/
......@@ -663,7 +683,9 @@ gst_rtsp_connection_get_tls_validation_flags (GstRTSPConnection * conn)
{
g_return_val_if_fail (conn != NULL, 0);
G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
return g_socket_client_get_tls_validation_flags (conn->client);
G_GNUC_END_IGNORE_DEPRECATIONS;
}
/**
......
......@@ -812,6 +812,16 @@ gst_rtspsrc_class_init (GstRTSPSrcClass * klass)
* TLS certificate validation flags used to validate server
* certificate.
*
* GLib guarantees that if certificate verification fails, at least one
* error will be set, but it does not guarantee that all possible errors
* will be set. Accordingly, you may not safely decide to ignore any
* particular type of error.
*
* For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
* you want to allow expired certificates, because this could potentially be
* the only error flag set even if other problems exist with the
* certificate.
*
* Since: 1.2.1
*/
g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS,
......
......@@ -666,6 +666,16 @@ gst_rtsp_client_sink_class_init (GstRTSPClientSinkClass * klass)
* TLS certificate validation flags used to validate server
* certificate.
*
* GLib guarantees that if certificate verification fails, at least one
* error will be set, but it does not guarantee that all possible errors
* will be set. Accordingly, you may not safely decide to ignore any
* particular type of error.
*
* For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
* you want to allow expired certificates, because this could potentially be
* the only error flag set even if other problems exist with the
* certificate.
*
*/
g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS,
g_param_spec_flags ("tls-validation-flags", "TLS validation flags",
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment