GstRtspSink - Stream Encryption

From RidgeRun Developer Wiki


Previous: Basic_Authentication Index Next: Independent_Stream_Control




This page describes how to encrypt the RTP streams served by GstRtspSink using a TLS certificate.

Configuring Encryption

GstRtspSink can be configured to encrypt the outgoing RTP streams with TLS (clients connect with an rtsps:// URL instead of rtsp://), which removes the risk of unwanted viewers snooping on the stream as it crosses the network. To do so, a TLS certificate and its private key in PEM format are passed through the pem-certificate property.

Stream encryption is only enabled when the pem-certificate property is set together with the auth property; encryption without authentication is not supported.

A PEM certificate file looks like the following:

cert.pem:

-----BEGIN CERTIFICATE-----
MIICsDCCAZgCCQCbxs+PVvdalDANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDDA9j
ci5yaWRnZXJ1bi5jb20wHhcNMjIwNDI5MjM0MzA1WhcNMjMwNDI5MjM0MzA1WjAa
MRgwFgYDVQQDDA9jci5yaWRnZXJ1bi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
...
qlxGLNhKaOdV34nR4m507NRQuEMH5xknEdz1b/Z8xt/XO+5lPkJwLBzYCZ7mM+NR
Aja//K6NNxScVqKYB3xovffJ2i9/K7FMkqHwJRz0lbi71TEqA9CghbSef7ujOQL7
um1o4xkZb1S9Pqt5pTfQbgirOmw=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDNEg7CRa8V91gW
W3+udCcRe4oCOGXANc9RB15d0lXvoQJK7oZ12bb2tzIsy9IIdrvDbhH8YwqWtOd6
2QkbFPJ9zmXNqOUSTF/XRIUYqU7sDYwNA86n+HiRTRrePY7iJch5yxq82zcPSr7i
...
PIGk7eUN+b9Td/UnHlNh9nmQ3Jfd3HxsvW4yBQ5UCB0CoWuaSvPLcWB2QpYcco8w
udtwBixHV2kB+SWkv2x+QTbUifY8E/Ck+naDIV8lHVKV9l2NVcHeiEsWTW/oe+5I
vv6Y2gHykL3rsWiRecoJBh6jDw==
-----END PRIVATE KEY-----

The contents of the file must be serialized (the line breaks removed) before being passed to RTSP Sink, since the property is a single string. The pem-certificate property is then set as:

pem-certificate="-----BEGIN CERTIFICATE-----MIICsDC...girOmw=-----END CERTIFICATE----------BEGIN PRIVATE KEY-----MIIEvw...JBh6jDw==-----END PRIVATE KEY-----"

More conveniently, if the property is set from gst-launch-1.0, the serialized value can be read straight from the file:

pem-certificate="$(cat cert.pem | tr -d '\n')"

The following pipeline streams an encrypted videotestsrc using the TLS certificate found in cert.pem:

gst-launch-1.0 videotestsrc is-live=true ! x264enc key-int-max=30 speed-preset=ultrafast tune=zerolatency ! video/x-h264, mapping=/stream1 ! rtspsink service=5000 auth=user:pass pem-certificate="$(cat cert.pem | tr -d '\n')"

Again, note that auth is mandatory when encryption is enabled.

Generating a PEM Certificate

This section describes a simple way to generate a self-signed PEM certificate named server.pem, valid for 365 days, that can be used to encrypt the RTP stream from the server to the clients.

sudo apt install openssl

# Generate a private key and a self-signed certificate (openssl prompts for the
# subject fields; the Common Name should be the host name clients will connect to)
openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out server.crt -keyout server.key

# Combine them in a PEM file (certificate first, then the private key)
cat server.crt server.key > server.pem

# -nodes leaves the private key unencrypted: restrict access to it
chmod 600 server.key server.pem

# This is the file you need
cat server.pem

Please note that a self-signed certificate cannot be verified by clients, so they have to be told to accept it (see the client pipelines below). We recommend getting a certificate signed by a well-known Certificate Authority, keeping the private key readable only by the user running rtspsink, and following the usual extra security measures if the stream will be open to the general public.
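The procedure above, carried through as a checked script. This is an added example, not code from the RidgeRun wiki or from GstRtspSink: it generates the self-signed certificate and key with the files created mode 0600, checks that the combined file holds exactly one certificate and one private key and that the two belong together (a certificate pasted next to the wrong key only fails at connection time), and serializes the result the way the page passes it to pem-certificate. It assumes openssl is installed and that the Common Name given as the second argument is the host name clients will use in the rtsps:// URL; the function names and the gen.sh file name are this example's own.

```shell
#!/bin/sh
# Added example (not part of the RidgeRun wiki or GstRtspSink): generate a
# self-signed server PEM for rtspsink, keep the private key locked down, and
# check the combined file before serializing it for the pem-certificate property.
# Assumptions: openssl is installed; the common name is the host name clients
# will put in the rtsps:// URL.
set -eu

# gen_server_pem <out.pem> <common-name> [days]
# Writes <out>.crt, <out>.key and the combined <out>.pem. -nodes leaves the key
# unencrypted (rtspsink reads it as-is), so the files are created mode 0600.
gen_server_pem() {
    local out=$1 cn=$2 days=${3:-365} base
    base=${out%.pem}
    (
        umask 077
        openssl req -newkey rsa:4096 -x509 -sha256 -days "$days" -nodes \
            -subj "/CN=$cn" -out "$base.crt" -keyout "$base.key"
        cat "$base.crt" "$base.key" > "$out"
    )
}

# check_pem_layout <file>: exactly one certificate block and one private key
# block (PKCS#8 "PRIVATE KEY" or legacy "RSA PRIVATE KEY"), nothing missing,
# nothing doubled. Pure shell, no openssl needed.
check_pem_layout() {
    local pem=$1 certs keys
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem") || true
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$pem") || true
    [ "${certs:-0}" -eq 1 ] || { echo "$pem: expected exactly one certificate block" >&2; return 1; }
    [ "${keys:-0}" -eq 1 ] || { echo "$pem: expected exactly one private key block" >&2; return 1; }
}

# check_pem_keypair <file>: the private key must belong to the certificate,
# i.e. both yield the same public key. openssl skips the PEM blocks it is not
# asked for, so the combined file can be read directly.
check_pem_keypair() {
    local pem=$1 cert_pub key_pub
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# serialize_pem <file>: the one-line form the wiki passes to pem-certificate
# (line breaks removed); nothing else in the file is changed.
serialize_pem() { tr -d '\n' < "$1"; }

# rtspsink_pem_arg <file>: run both checks, then print the serialized value.
# In a pipeline: rtspsink ... pem-certificate="$(rtspsink_pem_arg server.pem)"
rtspsink_pem_arg() {
    check_pem_layout "$1" && check_pem_keypair "$1" && serialize_pem "$1"
}

# Only generates files when invoked with arguments, e.g.:
#   sh gen.sh server.pem cr.ridgerun.com 365
if [ $# -ge 2 ]; then
    gen_server_pem "$1" "$2" "${3:-365}"
    check_pem_layout "$1" && check_pem_keypair "$1" && echo "$1 ok"
fi
```

Once rtspsink is running with the generated file, `openssl s_client -connect localhost:8554 -CAfile server.crt </dev/null` confirms that the server completes a TLS handshake on the service port and presents that certificate; a client that is given server.crt as its trust anchor will then verify it without relaxing the validation flags.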

Receiving the Stream

The following shows, as an example, how to connect to an encrypted session using the PEM certificate previously created (server.pem) from a standard client; the same rtsps:// URL and credentials apply to other standard clients such as VLC. The example assumes that GstRtspSink was started as follows:

gst-launch-1.0 videotestsrc is-live=true ! x264enc key-int-max=30 speed-preset=ultrafast tune=zerolatency ! video/x-h264, mapping=/encrypted_test ! rtspsink service=8554 auth=user:pass pem-certificate="$(cat server.pem | tr -d '\n')"

GStreamer

To connect via GstRtspSrc, use rtsps as the URL scheme and supply the username and password. The pipelines below place them in the URL for brevity; since that exposes them in the process list and shell history, the user-id and user-pw properties of rtspsrc are preferable on shared machines. Because server.pem is self-signed, the client is told to accept it with tls-validation-flags=generic-error, which disables the unknown-CA, identity and expiry checks; with a certificate from a known CA, leave that property at its default (validate-all) so the server certificate is actually verified.

SERVER_IP=localhost
PORT=8554
MAPPING=encrypted_test
USER=user
PASSWORD=pass
gst-launch-1.0 rtspsrc location="rtsps://${USER}:${PASSWORD}@${SERVER_IP}:${PORT}/${MAPPING}" tls-validation-flags=generic-error ! rtph264depay ! decodebin ! autovideosink

Alternatively, the following pipeline decodes with an explicit h264parse ! avdec_h264 chain instead of decodebin:

SERVER_IP=localhost
PORT=8554
MAPPING=encrypted_test
USER=user
PASSWORD=pass
gst-launch-1.0 rtspsrc location="rtsps://${USER}:${PASSWORD}@${SERVER_IP}:${PORT}/${MAPPING}" tls-validation-flags=generic-error ! rtph264depay ! h264parse ! avdec_h264 ! videoconvert ! autovideosink


