[Live-devel] RTSPS and PKI

BENMOUSSA Yahia - Contractor yahia.benmoussa at external.thalesgroup.com
Sat Jul 19 14:59:12 PDT 2025


Classified as: {OPEN}

Since the SRTP encryption key is exchanged using TLS, we need to guarantee maximum security for the TLS channel. We assume that if the TLS channel is trusted, so is SRTP.

The private CAs are needed because our RTSP clients don't have access permissions to the system CA keystore.

Moreover, it is not recommended to install a private CA file in the system-wide CA keystore. This may be considered a security issue. Usually, the OS CA keystore contains only the publicly trusted CA files. If a given application doesn't want to use these public CAs, it should manage its own private CAs.

Yahia


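As an added illustration of the application-managed trust store described above (this is example code, not code from live555 or from either poster): a Go client-side TLS configuration that trusts only a private CA, never reads or modifies the OS keystore, and keeps hostname verification against the rtsps:// host enabled. The private CA, the server certificate and the hostname rtsp.example.internal are constructed in the code purely for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a constructed test certificate: a self-signed CA when parent
// is nil, otherwise a server leaf signed by parent. Errors are ignored for brevity.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// rtspsClientConfig is the application-scoped trust store: only the private CA is
// trusted, the OS keystore is neither read nor modified, and hostname verification
// against the rtsps:// host stays enabled (verification is never switched off).
func rtspsClientConfig(privateCA *x509.Certificate, serverName string) *tls.Config {
	pool := x509.NewCertPool() // empty pool, not x509.SystemCertPool()
	pool.AddCert(privateCA)
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// handshakeOK serves serverCert on a loopback TLS listener and reports whether a
// client using cfg accepts the chain (the TLS step that precedes SRTP keying).
func handshakeOK(serverCert *x509.Certificate, serverKey *ecdsa.PrivateKey, cfg *tls.Config) bool {
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return false
	}
	defer ln.Close()
	// Server side: complete the handshake, then hang up.
	go func() { if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() } }()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return false // chain or hostname rejected by the client
	}
	conn.Close()
	return true
}
```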

-----Original Message-----
From: live-devel <live-devel-bounces at us.live555.com> On behalf of Ross Finlayson
Sent: Saturday, July 19, 2025 21:03
To: LIVE555 Streaming Media - development & use <live-devel at us.live555.com>
Subject: Re: [Live-devel] RTSPS and PKI



> On Jul 19, 2025, at 4:48 PM, BENMOUSSA Yahia - Contractor via live-devel <live-devel at us.live555.com> wrote:
> 
> We do not provide a general “TLS client”.  We provide a RTSP client, that can (optionally) use TLS to set up a RTSP connection.
> 
> A client accesses a RTSP connection using a "rtsp://" or "rtsps://" URL - only.  There is no provision in the RTSP protocol for a client to also use its own certificate file, in addition to the URL.
[…]
> (This is just like HTTP - a web browser uses just a URL; it doesn’t also use a certificate file.)  Allowing the client to do this would be creating a new, non-standard protocol.
> 
>> Both Firefox and Chrome HTTP browsers allow setting private CA files in their security settings :)

But that doesn't necessarily make it a good idea.

I still don’t understand why you want to do this.  There’s more going on here than just TLS.  There’s also SRTP.  If you don’t trust the RTSP server to give you a secure TLS connection, then why would you also trust it to deliver a secure SRTP stream?

Why can’t you install the certificate you want on your server(s), rather than trying to fake this in your client?  (What if some other client - not under your control - ends up accessing the server?)


Ross Finlayson
Live Networks, Inc.
http://www.live555.com/

