Jump to content


Photo

full ci+ support


  • Please log in to reply
342 replies to this topic

Re: full ci+ support #121 samsamsam

  • Senior Member
  • 2,024 posts

+146
Excellent

Posted 22 March 2017 - 23:01

@athoik

I wrote about HTTPS you show configuration which probably is related with AES encryption of HLS chunks - these are two different things.

 

I am talking about this:

/usr/lib/gio/modules/libgiognutls.so

 

This glib module is used as TLS backend (for HTTPS connection with glib networrking). This is used by gstreamer for HTTPS connections.

 

Regards,

SSS


Edited by samsamsam, 22 March 2017 - 23:02.


Re: full ci+ support #122 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 22 March 2017 - 23:16

My gut feeling says that vdr-portal might be the one. Or tveheadent or...

@yuri666, post a link once published.
Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: full ci+ support #123 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 22 March 2017 - 23:39

@samsamsam,

Indeed, the glib-networking package has a strong depedency on gnutls.

/opt/openpli/openpli5$ find openembedded-core/ meta-openembedded/ -type f | xargs fgrep gnutls|grep glib-net
openembedded-core/meta/recipes-core/glib-networking/glib-networking_2.48.2.bb:PACKAGECONFIG ??= "ca-certificates gnutls"
openembedded-core/meta/recipes-core/glib-networking/glib-networking_2.48.2.bb:PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls
Maybe that package is a replacement https://github.com/GNOME/glib-openssl but not sure if ready.
Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: full ci+ support #124 MastaG

  • Senior Member
  • 1,531 posts

+118
Excellent

Posted 23 March 2017 - 00:09

Thanks athoik and sss for the heads up :)

Re: full ci+ support #125 samsamsam

  • Senior Member
  • 2,024 posts

+146
Excellent

Posted 23 March 2017 - 08:59

@athoik

 

That's what I wrote about:

 


The gnutls  is much, much slower than OpenSSL. So, maybe the first step will be to change change default gnutls backend to openssl backend for gio-networking?

 

 

glib-openssl is working very well. I've been using it for some time now.

 

Regards,

SSS


Edited by samsamsam, 23 March 2017 - 09:01.


Re: full ci+ support #126 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 23 March 2017 - 20:04

For OpenPLi Next the following does the job.

1. Create folder glib-networking in meta-openpli

2. Add glib-openssl_2.50.1.bb

SUMMARY = "GLib networking for tls using openssl"
DESCRIPTION = "This is a fork of glib-networking providing only tls support using openssl. As a side point it fully supports Windows."
HOMEPAGE = "http://git.gnome.org/browse/glib-openssl/"
BUGTRACKER = "http://bugzilla.gnome.org"

LICENSE = "LGPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"

SECTION = "libs"
DEPENDS = "glib-2.0 intltool-native openssl"

SRC_URI[archive.md5sum] = "de9f89e0e7d9aa973e6edffe78b82ce8"
SRC_URI[archive.sha256sum] = "23203c8f83e9442c51aeff75959470531135eb3872b638791de6a6f7fee65a9b"

inherit gnomebase gettext upstream-version-is-even gio-module-cache

FILES_${PN} += "${libdir}/gio/modules/libgio*.so ${datadir}/dbus-1/services/"
FILES_${PN}-dev += "${libdir}/gio/modules/libgio*.la"
FILES_${PN}-staticdev += "${libdir}/gio/modules/libgio*.a"
3. Add glib-networking_2.%.bbappend

PACKAGECONFIG = "ca-certificates"
RDEPENDS_${PN} += "glib-openssl"
ALLOW_EMPTY_${PN} = "1"
4. Upgrade will remove old gnutls and will bring openssl.

# opkg upgrade
Upgrading glib-networking from 2.48.2-r0.0 to 2.48.2-r1 on root.
Upgrading glib-openssl (2.50.1) on root.
Downloading http://.../feeds/openpli-5/cortexa15hf-neon-vfpv4/glib-openssl_2.50.1-r0_cortexa15hf-neon-vfpv4.ipk.
Upgrading glib-networking (2.48.2) on root.
Downloading http://.../feeds/openpli-5/cortexa15hf-neon-vfpv4/glib-networking_2.48.2-r1_cortexa15hf-neon-vfpv4.ipk.
Removing obsolete file /usr/lib/gio/modules/libgiognutls.so.
Configuring glib-openssl.
Configuring glib-networking.
Any idea how to test before create PR?


PS. gnutls still used by curl and samba...

# opkg remove libgnutls30
No packages removed.
Collected errors:
 * print_dependents_warning: Package libgnutls30 is depended upon by packages:
 * print_dependents_warning:    libldap-2.4-2
 * print_dependents_warning:    libcurl4

Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: full ci+ support #127 samsamsam

  • Senior Member
  • 2,024 posts

+146
Excellent

Posted 23 March 2017 - 20:07

@athoik

 

curl also can works with OpenSSL without problems.

 

About test you can try to play any HTTPS stream in gstreamer.



Re: full ci+ support #128 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 23 March 2017 - 20:46

@samsamsam, seems good, thanks for the info ;)

# gst-launch-1.0 souphttpsrc location=https://.../bip-bop-all.ts ssl-strict=false ! fakesink
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
Pipeline is PREROLLED ...
Setting pipeline to PLAYING ...
New clock: GstSystemClock
^Chandling interrupt.
Interrupt: Stopping pipeline ...
Execution ended after 0:00:46.320165750
Setting pipeline to PAUSED ...
Setting pipeline to READY ...
Setting pipeline to NULL ...
Freeing pipeline ...

# strace gst-launch-1.0 souphttpsrc location=https://.../bip-bop-all.ts ssl-strict=false ! fakesink 2>&1 | grep openssl
stat64("/usr/lib/gio/modules/libgioopenssl.so", {st_mode=S_IFREG|0755, st_size=64440, ...}) = 0
stat64("/usr/lib/gio/modules/libgioopenssl.so", {st_mode=S_IFREG|0755, st_size=64440, ...}) = 0
open("/usr/lib/gio/modules/libgioopenssl.so", O_RDONLY|O_CLOEXEC) = 6
stat64("/usr/lib/gio/modules/libgioopenssl.so", {st_mode=S_IFREG|0755, st_size=64440, ...}) = 0
open("/usr/lib/gio/modules/libgioopenssl.so", O_RDONLY|O_CLOEXEC) = 6
^C
PR: https://github.com/O...e-core/pull/190
Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: full ci+ support #129 WanWizard

  • PLi® Core member
  • 70,391 posts

+1,807
Excellent

Posted 23 March 2017 - 21:23

Merged.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: full ci+ support #130 Taapat

  • PLi® Core member
  • 2,345 posts

+121
Excellent

Posted 28 March 2017 - 16:57

Merged.

 
I do not know why, but after these changes I have problems with some HTTPS streams.
After these changes I have error:
[eServiceMP3] Gstreamer error: Secure connection setup failed.: ../../../git/ext/soup/gstsouphttpsrc.c(1279): gst_soup_http_src_parse_status (): /GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstHLSDemux:hlsdemux0/GstBin:srcbin-src_0/GstSoupHTTPSrc:souphttpsrc0:
Unacceptable TLS certificate (6), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)
As far as I understand that it should fix this error, but it does not work: https://github.com/O...67194562bb09925
 
If I revert this changes, this link will work without problems.


Re: full ci+ support #131 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 28 March 2017 - 17:00

Did you install ca-certificates?

PS. SSL test seem fine: https://www.ssllabs....googlevideo.com

Edited by athoik, 28 March 2017 - 17:04.

Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: full ci+ support #132 Taapat

  • PLi® Core member
  • 2,345 posts

+121
Excellent

Posted 28 March 2017 - 17:02

Yes of course, they are in dependencies.



Re: full ci+ support #133 samsamsam

  • Senior Member
  • 2,024 posts

+146
Excellent

Posted 28 March 2017 - 17:06

 

Merged.

 
I do not know why, but after these changes I have problems with some HTTPS streams.
After these changes I have error:
[eServiceMP3] Gstreamer error: Secure connection setup failed.: ../../../git/ext/soup/gstsouphttpsrc.c(1279): gst_soup_http_src_parse_status (): /GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstHLSDemux:hlsdemux0/GstBin:srcbin-src_0/GstSoupHTTPSrc:souphttpsrc0:
Unacceptable TLS certificate (6), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)
As far as I understand that it should fix this error, but it does not work: https://github.com/O...67194562bb09925
 
If I revert this changes, this link will work without problems.

 

 

This is temporary link, so hard to check. Can you provide static HTTPS link which is causing such problem?



Re: full ci+ support #134 Taapat

  • PLi® Core member
  • 2,345 posts

+121
Excellent

Posted 28 March 2017 - 17:12

As I wrote it only on some HTTPS streams and not on all.
Therefore, I can not give you static link, because I have not yet found it.
 
I found this link because it is a link which I usually use to tested m3u8 live stream working.
This is the Ukrainian broadcast live stream in youtube if you search in it for 112 (blue round emblem with the digits 112).
 
P.S.
And this problem exist only on gstreamer. With ffmpeg this link working.

Edited by Taapat, 28 March 2017 - 17:15.


Re: full ci+ support #135 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 28 March 2017 - 17:20

Just using that stream is enough to raise the issue with playbin.

# gst-launch-1.0 playbin uri="https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/7044
61/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo
.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expir
e=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&si
gnature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062
055194&govp=clen=606000;lmt=1490714062055194&dur=5.000"
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
ERROR: from element /GstPlayBin:playbin0/GstURIDecodeBin:uridecodebin0/GstSoupHTTPSrc:source: Secure connection setup failed.
Additional debug info:
../../../gst-plugins-good-1.8.3/ext/soup/gstsouphttpsrc.c(1578): gst_soup_http_src_parse_status (): /GstPlayBin:playbin0/GstURIDecodeBin:uridecodebin0/GstSoupHTTPSrc:source:
Unacceptable TLS certificate (6), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)
ERROR: pipeline doesn't want to preroll.
Setting pipeline to NULL ...
Freeing pipeline ...
But using souphttpsrc the TLS ssl-strict works.

# gst-launch-1.0 souphttpsrc location="https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcas
t/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.go
oglevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbit
s=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms
,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1
490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000" ssl-strict=false
Setting pipeline to PAUSED ...
Pipeline is PREROLLED ...
Setting pipeline to PLAYING ...
New clock: GstSystemClock
ERROR: from element /GstPipeline:pipeline0/GstSoupHTTPSrc:souphttpsrc0: Forbidden
Additional debug info:
../../../gst-plugins-good-1.8.3/ext/soup/gstsouphttpsrc.c(1634): gst_soup_http_src_parse_status (): /GstPipeline:pipeline0/GstSoupHTTPSrc:souphttpsrc0:
Forbidden (403), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)
Execution ended after 0:00:00.586707037
Setting pipeline to PAUSED ...
Setting pipeline to READY ...
Setting pipeline to NULL ...
Freeing pipeline ...
So at least somehow reproducible.
Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: full ci+ support #136 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 28 March 2017 - 17:42

Stracing the gst-launch-1.0 there is no attempt to "open" /etc/ssl/certs/ca-certificates.crt file!


Setting manually the ssl-ca-file=/etc/ssl/certs/ca-certificates.crt verifies the certificate (and OFC strace open that file).

gst-launch-1.0 souphttpsrc location="https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcas
t/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.go
oglevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbit
s=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms
,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1
490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000" ssl-ca-file=/etc/ssl/certs/ca-certificates.crt
Setting pipeline to PAUSED ...
Pipeline is PREROLLED ...
Setting pipeline to PLAYING ...
New clock: GstSystemClock
ERROR: from element /GstPipeline:pipeline0/GstSoupHTTPSrc:souphttpsrc0: Forbidden
Additional debug info:
../../../gst-plugins-good-1.8.3/ext/soup/gstsouphttpsrc.c(1634): gst_soup_http_src_parse_status (): /GstPipeline:pipeline0/GstSoupHTTPSrc:souphttpsrc0:
Forbidden (403), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)
Execution ended after 0:00:00.503175926
Setting pipeline to PAUSED ...
Setting pipeline to READY ...
Setting pipeline to NULL ...
Freeing pipeline ...

Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: full ci+ support #137 Taapat

  • PLi® Core member
  • 2,345 posts

+121
Excellent

Posted 28 March 2017 - 17:51

But why now you need setting manually the certificate file?


Edited by Taapat, 28 March 2017 - 17:51.


Re: full ci+ support #138 Taapat

  • PLi® Core member
  • 2,345 posts

+121
Excellent

Posted 28 March 2017 - 19:07

Strange if I for test use in servicemp3.cpp:
if (g_object_class_find_property(G_OBJECT_GET_CLASS(source), "ssl-ca-file") != 0)
{
g_object_set(G_OBJECT(source), "ssl-ca-file", "/etc/ssl/certs/ca-certificates.crt", NULL);
}

It also does not help.

 

It looks like the gstreamer not use these properties from the servicemp3.cpp?
But how it relates to the ssl changes, why after revert work? 


Re: full ci+ support #139 athoik

  • PLi® Core member
  • 8,458 posts

+327
Excellent

Posted 28 March 2017 - 19:51

It seems that libgiognutls.so has a reference to ca-certificates default file.
 
# strings -a /usr/lib/gio/modules/libgiognutls.so | grep ca-certificates
/etc/ssl/certs/ca-certificates.crt
# strings -a /usr/lib/gio/modules/libgioopenssl.so  | grep ca-certificates
It seems that they forgot to initialize the GTLS_SYSTEM_CA_FILE!

See: https://github.com/G...ssl.c#L187-L189


https://github.com/G...M_CA_FILE&type=

VS

https://github.com/G...M_CA_FILE&type=

Adding the following patch to glib-openssl fixes the problem...
 
diff --git a/configure.ac b/configure.ac
index d99aeb1..baa2516 100644
--- a/configure.ac
+++ b/configure.ac
@@ -56,6 +56,32 @@ AM_CONDITIONAL(HAVE_OPENSSL, [test "$with_openssl" = "yes"])
 AC_SUBST(OPENSSL_CFLAGS)
 AC_SUBST(OPENSSL_LIBS)

+if test "$with_openssl" = "yes"; then
+    AC_MSG_CHECKING([location of system Certificate Authority list])
+    AC_ARG_WITH(ca-certificates,
+               [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
+                               [path to system Certificate Authority list])])
+    if test "$with_ca_certificates" = "no"; then
+        AC_MSG_RESULT([disabled])
+    else
+        if test -z "$with_ca_certificates"; then
+           for f in /etc/pki/tls/certs/ca-bundle.crt \
+                    /etc/ssl/certs/ca-certificates.crt \
+                    /etc/ssl/ca-bundle.pem; do
+               if test -f "$f"; then
+                   with_ca_certificates="$f"
+               fi
+           done
+           if test -z "$with_ca_certificates"; then
+               AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
+           fi
+        fi
+
+        AC_MSG_RESULT($with_ca_certificates)
+        AC_DEFINE_UNQUOTED(GTLS_SYSTEM_CA_FILE, ["$with_ca_certificates"], [The system TLS CA list])
+    fi
+fi
+
 dnl ************************************
 dnl *** Enable lcov coverage reports ***
 dnl ************************************
And with the patch, results, are back to normal!
 
# strings -a /usr/lib/gio/modules/libgioopenssl.so  | grep ca-certificates
/etc/ssl/certs/ca-certificates.crt

# gst-launch-1.0 playbin uri="https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704
461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevid
eo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&ex
pire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,p
l&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=14907
14062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000"
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
ERROR: from element /GstPlayBin:playbin0/GstURIDecodeBin:uridecodebin0/GstSoupHTTPSrc:source: Forbidden
Additional debug info:
../../../gst-plugins-good-1.8.3/ext/soup/gstsouphttpsrc.c(1634): gst_soup_http_src_parse_status (): /GstPlayBin:playbin0/GstURIDecodeBin:uridecodebin0/GstSoupHTTPSrc:source:
Forbidden (403), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)
ERROR: pipeline doesn't want to preroll.
Setting pipeline to NULL ...
Freeing pipeline ...
I will open a ticket and create a PR. Although most probably the GTLS_SYSTEM_CA_FILE should be renamed to OPENSSL_SYSTEM_CA_FILE.

Thanks @Taapat for finding the bug ;)


PS. It seems somebody already found the bug: https://github.com/b...0fdd962128c64fa although the code still not merged!

Edited by athoik, 28 March 2017 - 19:55.

Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: full ci+ support #140 Taapat

  • PLi® Core member
  • 2,345 posts

+121
Excellent

Posted 28 March 2017 - 19:56

Thank you, that you found the reason and fix :).


Edited by Taapat, 28 March 2017 - 19:56.



10 user(s) are reading this topic

0 members, 10 guests, 0 anonymous users