RTSPS and self-signed certificates #1395

Closed
brian7704 opened this issue Feb 8, 2024 · 7 comments

@brian7704

brian7704 commented Feb 8, 2024

I'm using RootEncoder in my app and can stream to MediaMTX using rtsp and rtsps using Let's Encrypt certificates. However, if I try to stream using rtsps to a MediaMTX server with self-signed certificates, I get this error in logcat:

```
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found
```

I understand the error and why it happens. My question is, is there a way to prompt the user about the security risk and have them choose to continue anyway, kind of like web browsers do?

I also noticed some unexpected behavior when using Let's Encrypt certificates. Everything worked as expected when I connected to rtsps://my_domain.com:8322/my_stream. Then I connected using rtsps://my_local_ip:8322/my_stream and that also worked. Maybe I'm misunderstanding something, but I would have expected an error that the URL's hostname doesn't match the certificate's hostname. But it seems like it's just checking the certificate issuer and possibly the expiration date.

@pedroSG94
Owner

Hello,

Yes, you can do it, but currently you will need to modify the library a bit to do it.

You need to modify this class at this line:
https://github.com/pedroSG94/RootEncoder/blob/master/common/src/main/java/com/pedro/common/TLSSocketFactory.kt#L36

There you need to add a TrustManager, like here, to accept all or add your own certificate. You can use this post as a guide:
https://stackoverflow.com/questions/24520833/android-sslsockets-using-self-signed-certificates
The owner shows you how to accept all, and the valid response allows you to add a certificate.

This feature seems necessary, so I will add it to the library, but for now you will need to import the library manually into your project.

@brian7704
Author

Thanks for your help, I'll try to modify the library like you suggested.

@pedroSG94
Owner

I'm currently adding a method for it. If you can wait like 30 min, I can give you a gradle to compile the project with the new method to support it.

@brian7704
Author

Thank you, I'd be happy to test it when you're ready.

@pedroSG94
Owner

pedroSG94 commented Feb 8, 2024

This is the gradle (you are compiling the current last commit in the master branch):

```groovy
implementation 'com.github.pedroSG94.RootEncoder:library:f7c1abf917'
```

You can add your certificate like this:

```kotlin
rtmpCamera2.getStreamClient().addCertificates(arrayOf(AcceptAllCertificates()))
```

AcceptAllCertificates is a class created by me to auto accept all certificates. Loading your own certificate, as explained in the previous Stack Overflow post, is recommended:
https://stackoverflow.com/a/24520834

@brian7704
Author

Thanks! I will test it as soon as possible and let you know how it goes.

@brian7704
Author

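I was able to get it to work using the gradle you gave me and the following code. I was able to connect to my MediaMTX server with a self-signed cert and I got no errors. Thanks for the quick response!

```java
import android.util.Log;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Runs inside a Context (getFilesDir() comes from the Activity or Service).
try {
    Log.d(LOGTAG, getFilesDir().getAbsolutePath());
    // Load the PKCS12 store that holds the server's self-signed certificate.
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    try (FileInputStream caFile = new FileInputStream(getFilesDir().getAbsolutePath() + "/my_cert.p12")) {
        keyStore.load(caFile, "my_password".toCharArray());
    }

    // Build trust managers that trust only the entries in that store.
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(keyStore);

    // Not used below: addCertificates() receives the trust managers directly.
    SSLContext sslctx = SSLContext.getInstance("TLS");
    sslctx.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());

    rtspCamera2.getStreamClient().addCertificates(trustManagerFactory.getTrustManagers());
} catch (Exception e) {
    // Log the exception itself; getMessage() can be null.
    Log.e(LOGTAG, "Failed to load the trust store", e);
}
```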
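Added example, not code from this thread or from RootEncoder: a plain JSSE version of the recommended alternative to accept-all (trusting one certificate file), combined with the hostname check that a raw `SSLSocket` does not perform unless endpoint identification is enabled, which matches the behaviour described in the first comment. The class name `PinnedTlsExample`, the `server.crt` file and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTlsExample {
    // Trust managers that accept only chains anchored at the given certificate
    // (PEM or DER), e.g. the MediaMTX server's self-signed certificate.
    static TrustManager[] trustManagersFor(InputStream certStream) throws Exception {
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(certStream);
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);                    // empty in-memory store, no password file
        store.setCertificateEntry("server", cert); // alias is arbitrary
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    // Opens a TLS socket that validates the chain AND matches the certificate's
    // subjectAltName against `host`. A plain SSLSocket skips the second check.
    static SSLSocket connect(String host, int port, TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818-style name matching
            socket.setSSLParameters(params);
            socket.startHandshake(); // fails on an untrusted chain or a name mismatch
            return socket;
        } catch (Exception e) {
            socket.close();
            throw e;
        }
    }
    // Usage (assumed arguments): java PinnedTlsExample server.crt my_domain.com 8322
    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0]);
             SSLSocket s = connect(args[1], Integer.parseInt(args[2]), trustManagersFor(in))) {
            System.out.println("Handshake OK: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

With the `"HTTPS"` algorithm, connecting by IP address succeeds only if the certificate lists that IP in its subjectAltName. The array returned by `trustManagersFor` has the same type as the one passed to `addCertificates` in the comment above.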
