GstRtspSink Stream Encryption: Secure Video Streaming Guide
GstRtspSink supports encrypted streaming when you provide a PEM certificate and enable authenticated access. This page explains the required properties, what the certificate file is used for, and where encryption fits in a secure deployment.
What stream encryption protects
Stream encryption reduces the risk of media interception on the network. It is useful when the stream crosses shared or untrusted segments and when access control alone is not enough.
Required properties
Use:
- pem-certificate to provide the certificate file
- auth to define allowed users
To enable stream encryption, the pem-certificate property must be used together with the auth property.
A PEM certificate file looks like the following:
cert.pem:
-----BEGIN CERTIFICATE-----
MIICsDCCAZgCCQCbxs+PVvdalDANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDDA9j
ci5yaWRnZXJ1bi5jb20wHhcNMjIwNDI5MjM0MzA1WhcNMjMwNDI5MjM0MzA1WjAa
MRgwFgYDVQQDDA9jci5yaWRnZXJ1bi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
...
qlxGLNhKaOdV34nR4m507NRQuEMH5xknEdz1b/Z8xt/XO+5lPkJwLBzYCZ7mM+NR
Aja//K6NNxScVqKYB3xovffJ2i9/K7FMkqHwJRz0lbi71TEqA9CghbSef7ujOQL7
um1o4xkZb1S9Pqt5pTfQbgirOmw=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDNEg7CRa8V91gW
W3+udCcRe4oCOGXANc9RB15d0lXvoQJK7oZ12bb2tzIsy9IIdrvDbhH8YwqWtOd6
2QkbFPJ9zmXNqOUSTF/XRIUYqU7sDYwNA86n+HiRTRrePY7iJch5yxq82zcPSr7i
...
PIGk7eUN+b9Td/UnHlNh9nmQ3Jfd3HxsvW4yBQ5UCB0CoWuaSvPLcWB2QpYcco8w
udtwBixHV2kB+SWkv2x+QTbUifY8E/Ck+naDIV8lHVKV9l2NVcHeiEsWTW/oe+5I
vv6Y2gHykL3rsWiRecoJBh6jDw==
-----END PRIVATE KEY-----
rtspsink expects the contents of the file serialized onto a single line (the line breaks removed). The pem-certificate property can then be set as:
pem-certificate="-----BEGIN CERTIFICATE-----MIICsDC...girOmw=-----END CERTIFICATE----------BEGIN PRIVATE KEY-----MIIEvw...JBh6jDw==-----END PRIVATE KEY-----"
More conveniently, when the property is set on the gst-launch-1.0 command line, the value can be read from a file:
pem-certificate="$(cat cert.pem | tr -d '\n')"
Generating a PEM Certificate
This section shows one way to generate a self-signed PEM file, server.pem, valid for 365 days, that can be used to encrypt the RTP stream from the server to the clients.
sudo apt install openssl
# Generate a private key and a certificate
openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out server.crt -keyout server.key
# Combine them in a PEM file
cat server.crt server.key > server.pem
# This is the file you need
cat server.pem
Please note that we recommend getting a certificate signed by a well-known Certificate Authority and following usual extra security measures if the stream will be open to the general public.
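A pre-flight check for the bundle produced above, as an added example that is not part of GstRtspSink or its documentation: it confirms the file holds a certificate and a matching private key, that the certificate is not about to expire, and only then emits the serialized form for pem-certificate. The function names and the 30-day default threshold are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for a certificate + private key PEM bundle (e.g. server.pem)
# before it is serialized into the pem-certificate property.
# Function names are hypothetical, chosen for this example.

# Structure: a certificate block and exactly one private key block.
pem_bundle_ok() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1")" -eq 1 ]
}

# Serialize: drop LF and also CR, so a bundle saved with Windows line endings
# does not leave stray carriage returns inside the property value.
pem_serialize() {
    tr -d '\r\n' < "$1"
}

# The private key must belong to the certificate: compare the public key
# embedded in the certificate with the one derived from the private key.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Renewal check: succeeds only if the certificate is still valid $2 days from now.
pem_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all checks; print the serialized bundle only if every check passes.
# $2 is the renewal threshold in days (assumed default: 30).
pem_preflight() {
    pem_bundle_ok "$1" ||
        { echo "$1: need a certificate and one private key" >&2; return 1; }
    pem_key_matches_cert "$1" ||
        { echo "$1: private key does not match certificate" >&2; return 1; }
    pem_valid_for_days "$1" "${2:-30}" ||
        { echo "$1: certificate expires within ${2:-30} days" >&2; return 1; }
    pem_serialize "$1"
}
```

Capture the result before launching, for example `CERT=$(pem_preflight server.pem) || exit 1`, so a failed check stops the script instead of starting the pipeline with an empty property. The serialized value includes the private key and, passed as a gst-launch-1.0 argument, is visible in the host's process list, so restrict local access to the streaming host and keep server.pem readable only by the account that runs the pipeline.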
Server-side Example
The following pipeline streams an encrypted videotestsrc using the TLS certificate found in server.pem:
gst-launch-1.0 videotestsrc is-live=true ! x264enc key-int-max=30 speed-preset=ultrafast tune=zerolatency ! video/x-h264, mapping=/encrypted_test ! rtspsink service=8554 auth=user:pass pem-certificate="$(cat server.pem | tr -d '\n')"
Again, note the mandatory use of auth when using encryption.
Client-side Examples
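To connect via rtspsrc you must provide the username and password in the URI and use rtsps as the protocol. The tls-validation-flags=generic-error setting relaxes the client's certificate validation so that the self-signed certificate generated above is accepted; with a CA-signed certificate the property can be left at its default so the server certificate is fully validated.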
SERVER_IP=localhost
PORT=8554
MAPPING=encrypted_test
USER=user
PASSWORD=pass
gst-launch-1.0 rtspsrc location="rtsps://${USER}:${PASSWORD}@${SERVER_IP}:${PORT}/${MAPPING}" tls-validation-flags=generic-error ! rtph264depay ! decodebin ! autovideosink
You can also use the following pipeline as an alternative.
SERVER_IP=localhost
PORT=8554
MAPPING=encrypted_test
USER=user
PASSWORD=pass
gst-launch-1.0 rtspsrc location="rtsps://${USER}:${PASSWORD}@${SERVER_IP}:${PORT}/${MAPPING}" tls-validation-flags=generic-error ! rtph264depay ! h264parse ! avdec_h264 ! videoconvert ! autovideosink
Security guidance
- Combine encryption with authentication
- Use strong credentials
- Test client trust-store behavior early
- Document certificate renewal steps for production deployments
Summary
Use stream encryption when the stream crosses networks where confidentiality matters. Combine it with authentication and document the client trust model clearly.
Problems running the examples on this page? See GStreamer Debugging for practical debugging steps.
FAQ
- What file format is used for the certificate?
  - Use a PEM certificate file.
- Should I use encryption without authentication?
  - No, both encryption and authentication must be used.