[Live-devel] RTSPS and PKI

Ross Finlayson finlayson at live555.com
Mon Jul 21 14:34:58 PDT 2025



> On Jul 21, 2025, at 9:03 PM, Warren Young <warren at etr-usa.com> wrote:
> 
>> our RTSP server code takes (in a call to “setTLSState()”) two filename parameters
> 
> 
> …neither of which is the CA’s public cert, which the underlying TLS implementation — OpenSSL? haven’t looked — must get from somewhere.

I’m not at all convinced by this.  If you, as a server implementor, don’t have permission to access the proper (non-self-signed) certificate file that your server needs to implement TLS, then you'll need to:
	1/ Change the permission of the certificate file so your server can read it, or
	2/ Run your server at a higher privilege level that allows it to read the certificate file.  (If you’re concerned about this, then run the server in a sandboxed VM, or on its own computer; remember that the LIVE555 code is intended to be used in embedded systems), or
	3/ Use a different operating system where you have permission.


> If no other RTSPS client can apply a client-side cert but yours, that isn’t a breakage in the protocol, it’s a complete implementation of the existing specs. If no servers but yours will verify a client certificate, ditto.

You’re missing the point here.  I *don’t want* a situation where my client implementation will work only with my server implementation.  I want there to be interoperability among multiple implementations.


>>> This is how those corporate IT snooping boxes work: they require the clients to have the middlebox’s CA cert installed, allowing it to decrypt the TLS for inspection while proxying it.
>> 
>> You say that like it’s a good thing :-)  I would very much like not to make this possible.
> 
> Client-side certs are one way to frustrate the snoopers.

Now you’re just being silly.  First you note that client-side certificates can be used to implement snooping.  Then you say that client-side certificates can be used to prevent snooping.

Perhaps both of these are true.  But we won’t get to find out, because at least right now, I won’t be implementing client-side certificates in our RTSP code.


Ross Finlayson
Live Networks, Inc.
http://www.live555.com/
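The permission question in options 1/ and 2/ above is easy to get wrong in the other direction: loosening the file mode so the server can read its certificate often leaves the private key readable by everyone. The following pre-flight check is an added example written for this thread, not LIVE555 code; `check_tls_files` and `_demo` are hypothetical names, and it assumes a POSIX host and that the two paths are the ones you would pass to `setTLSState()`.

```python
import os
import stat
import tempfile

# Hypothetical pre-flight check: before handing the certificate and key paths
# to setTLSState(), confirm the server process can read both files and flag a
# private key that is readable by group or others (the usual side effect of a
# careless chmod applied to make the server able to read it).
def check_tls_files(cert_path, key_path):
    """Return a list of problems; an empty list means the pair is usable."""
    problems = []
    for label, path in (("certificate", cert_path), ("private key", key_path)):
        if not os.path.isfile(path):
            problems.append(f"{label} {path}: does not exist")
            continue
        if not os.access(path, os.R_OK):
            problems.append(f"{label} {path}: not readable by uid {os.geteuid()}")
    # Mode bits only: the key must be readable by its owner alone.
    if os.path.isfile(key_path):
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append(
                f"private key {key_path}: mode {mode:04o} is group/world readable")
    return problems

def _demo():
    """Constructed sample: placeholder cert/key files in a temp dir, key first
    left at 0644 (too permissive) and then corrected to 0600."""
    with tempfile.TemporaryDirectory() as d:
        cert = os.path.join(d, "server.pem")
        key = os.path.join(d, "server.key")
        with open(cert, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
                    "-----END CERTIFICATE-----\n")
        with open(key, "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n"
                    "-----END PRIVATE KEY-----\n")
        os.chmod(cert, 0o644)
        os.chmod(key, 0o644)            # readable by everyone: flagged
        loose = check_tls_files(cert, key)
        os.chmod(key, 0o600)            # owner only: clean
        tight = check_tls_files(cert, key)
        return loose, tight

if __name__ == "__main__":
    for report in _demo():
        print(report or "ok")
```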