> On Jul 21, 2025, at 9:03 PM, Warren Young <[email protected]> wrote:
> 
>> our RTSP server code takes (in a call to “setTLSState()”) two filename 
>> parameters
> 
> 
> …neither of which is the CA’s public cert, which the underlying TLS 
> implementation — OpenSSL? haven’t looked — must get from somewhere.

I’m not at all convinced by this.  If you, as a server implementor, don’t have 
permission to access the proper (non-self-signed) certificate file that your 
server needs to implement TLS, then you'll need to:
        1/ Change the permission of the certificate file so your server can 
read it, or
        2/ Run your server at a higher privilege level that allows it to read 
the certificate file.  (If you’re concerned about this, then run the server in 
a sandboxed VM, or on its own computer; remember that the LIVE555 code is 
intended to be used in embedded systems), or
        3/ Use a different operating system where you have permission.


> If no other RTSPS client can apply a client-side cert but yours, that isn’t a 
> breakage in the protocol, it’s a complete implementation of the existing 
> specs. If no servers but yours will verify a client certificate, ditto.

You’re missing the point here.  I *don’t want* a situation where my client 
implementation will work only with my server implementation.  I want there to 
be interoperability among multiple implementations.


>>> This is how those corporate IT snooping boxes work: they require the 
>>> clients to have the middlebox’s CA cert installed, allowing it to decrypt 
>>> the TLS for inspection while proxying it.
>> 
>> You say that like it’s a good thing :-)  I would very much like not to make 
>> this possible.
> 
> Client-side certs are one way to frustrate the snoopers.

Now you’re just being silly.  First you note that client-side certificates can 
be used to implement snooping.  Then you say that client-side certificates can 
be used to prevent snooping.

Perhaps both of these are true.  But we won’t get to find out, because at least 
right now, I won’t be implementing client-side certificates in our RTSP code.


Ross Finlayson
Live Networks, Inc.
http://www.live555.com/


_______________________________________________
live-devel mailing list
[email protected]
http://lists.live555.com/mailman/listinfo/live-devel
