342 replies to this topic

[samsamsam]

@athoik

I wrote about HTTPS you show configuration which probably is related with AES encryption of HLS chunks - these are two different things.

 

I am talking about this:

/usr/lib/gio/modules/libgiognutls.so

 

This glib module is used as TLS backend (for HTTPS connection with glib networrking). This is used by gstreamer for HTTPS connections.

 

Regards,

SSS

Edited by samsamsam, 22 March 2017 - 23:02.

[athoik]

My gut feeling says that vdr-portal might be the one. Or tveheadent or...

@yuri666, post a link once published.

[athoik]

@samsamsam,

Indeed, the glib-networking package has a strong depedency on gnutls.

/opt/openpli/openpli5$ find openembedded-core/ meta-openembedded/ -type f | xargs fgrep gnutls|grep glib-net
openembedded-core/meta/recipes-core/glib-networking/glib-networking_2.48.2.bb:PACKAGECONFIG ??= "ca-certificates gnutls"
openembedded-core/meta/recipes-core/glib-networking/glib-networking_2.48.2.bb:PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls

Maybe that package is a replacement https://github.com/GNOME/glib-openssl but not sure if ready.

[MastaG]

Thanks athoik and sss for the heads up

[samsamsam]

@athoik

 

That's what I wrote about:

 

The gnutls  is much, much slower than OpenSSL. So, maybe the first step will be to change change default gnutls backend to openssl backend for gio-networking?

 

 

glib-openssl is working very well. I've been using it for some time now.

 

Regards,

SSS

Edited by samsamsam, 23 March 2017 - 09:01.

[athoik]

For OpenPLi Next the following does the job.

1. Create folder glib-networking in meta-openpli

2. Add glib-openssl_2.50.1.bb

SUMMARY = "GLib networking for tls using openssl"
DESCRIPTION = "This is a fork of glib-networking providing only tls support using openssl. As a side point it fully supports Windows."
HOMEPAGE = "http://git.gnome.org/browse/glib-openssl/"
BUGTRACKER = "http://bugzilla.gnome.org"

LICENSE = "LGPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"

SECTION = "libs"
DEPENDS = "glib-2.0 intltool-native openssl"

SRC_URI[archive.md5sum] = "de9f89e0e7d9aa973e6edffe78b82ce8"
SRC_URI[archive.sha256sum] = "23203c8f83e9442c51aeff75959470531135eb3872b638791de6a6f7fee65a9b"

inherit gnomebase gettext upstream-version-is-even gio-module-cache

FILES_${PN} += "${libdir}/gio/modules/libgio*.so ${datadir}/dbus-1/services/"
FILES_${PN}-dev += "${libdir}/gio/modules/libgio*.la"
FILES_${PN}-staticdev += "${libdir}/gio/modules/libgio*.a"

3. Add glib-networking_2.%.bbappend

PACKAGECONFIG = "ca-certificates"
RDEPENDS_${PN} += "glib-openssl"
ALLOW_EMPTY_${PN} = "1"

4. Upgrade will remove old gnutls and will bring openssl.

# opkg upgrade
Upgrading glib-networking from 2.48.2-r0.0 to 2.48.2-r1 on root.
Upgrading glib-openssl (2.50.1) on root.
Downloading http://.../feeds/openpli-5/cortexa15hf-neon-vfpv4/glib-openssl_2.50.1-r0_cortexa15hf-neon-vfpv4.ipk.
Upgrading glib-networking (2.48.2) on root.
Downloading http://.../feeds/openpli-5/cortexa15hf-neon-vfpv4/glib-networking_2.48.2-r1_cortexa15hf-neon-vfpv4.ipk.
Removing obsolete file /usr/lib/gio/modules/libgiognutls.so.
Configuring glib-openssl.
Configuring glib-networking.

Any idea how to test before create PR?


PS. gnutls still used by curl and samba...

# opkg remove libgnutls30
No packages removed.
Collected errors:
 * print_dependents_warning: Package libgnutls30 is depended upon by packages:
 * print_dependents_warning:    libldap-2.4-2
 * print_dependents_warning:    libcurl4

[samsamsam]

@athoik

 

curl also can works with OpenSSL without problems.

 

About test you can try to play any HTTPS stream in gstreamer.

[athoik]

@samsamsam, seems good, thanks for the info

# gst-launch-1.0 souphttpsrc location=https://.../bip-bop-all.ts ssl-strict=false ! fakesink
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
Pipeline is PREROLLED ...
Setting pipeline to PLAYING ...
New clock: GstSystemClock
^Chandling interrupt.
Interrupt: Stopping pipeline ...
Execution ended after 0:00:46.320165750
Setting pipeline to PAUSED ...
Setting pipeline to READY ...
Setting pipeline to NULL ...
Freeing pipeline ...

# strace gst-launch-1.0 souphttpsrc location=https://.../bip-bop-all.ts ssl-strict=false ! fakesink 2>&1 | grep openssl
stat64("/usr/lib/gio/modules/libgioopenssl.so", {st_mode=S_IFREG|0755, st_size=64440, ...}) = 0
stat64("/usr/lib/gio/modules/libgioopenssl.so", {st_mode=S_IFREG|0755, st_size=64440, ...}) = 0
open("/usr/lib/gio/modules/libgioopenssl.so", O_RDONLY|O_CLOEXEC) = 6
stat64("/usr/lib/gio/modules/libgioopenssl.so", {st_mode=S_IFREG|0755, st_size=64440, ...}) = 0
open("/usr/lib/gio/modules/libgioopenssl.so", O_RDONLY|O_CLOEXEC) = 6
^C

PR: https://github.com/O...e-core/pull/190

[WanWizard]

Merged.

[Taapat]

Merged.

 

I do not know why, but after these changes I have problems with some HTTPS streams.

After these changes I have error:

[eServiceMP3] Gstreamer error: Secure connection setup failed.: ../../../git/ext/soup/gstsouphttpsrc.c(1279): gst_soup_http_src_parse_status (): /GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstHLSDemux:hlsdemux0/GstBin:srcbin-src_0/GstSoupHTTPSrc:souphttpsrc0:
Unacceptable TLS certificate (6), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)

As far as I understand that it should fix this error, but it does not work: https://github.com/O...67194562bb09925

 

If I revert this changes, this link will work without problems.

[athoik]

Did you install ca-certificates?

PS. SSL test seem fine: https://www.ssllabs....googlevideo.com

Edited by athoik, 28 March 2017 - 17:04.

[Taapat]

Yes of course, they are in dependencies.

[samsamsam]

 

Merged.

 

I do not know why, but after these changes I have problems with some HTTPS streams.

After these changes I have error:

[eServiceMP3] Gstreamer error: Secure connection setup failed.: ../../../git/ext/soup/gstsouphttpsrc.c(1279): gst_soup_http_src_parse_status (): /GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstHLSDemux:hlsdemux0/GstBin:srcbin-src_0/GstSoupHTTPSrc:souphttpsrc0:
Unacceptable TLS certificate (6), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)

As far as I understand that it should fix this error, but it does not work: https://github.com/O...67194562bb09925

 

If I revert this changes, this link will work without problems.

 

 

This is temporary link, so hard to check. Can you provide static HTTPS link which is causing such problem?

[Taapat]

As I wrote it only on some HTTPS streams and not on all.

Therefore, I can not give you static link, because I have not yet found it.

 

I found this link because it is a link which I usually use to tested m3u8 live stream working.

This is the Ukrainian broadcast live stream in youtube if you search in it for 112 (blue round emblem with the digits 112).

 

P.S.

And this problem exist only on gstreamer. With ffmpeg this link working.

Edited by Taapat, 28 March 2017 - 17:15.

[athoik]

Just using that stream is enough to raise the issue with playbin.

# gst-launch-1.0 playbin uri="https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/7044
61/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo
.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expir
e=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&si
gnature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062
055194&govp=clen=606000;lmt=1490714062055194&dur=5.000"
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
ERROR: from element /GstPlayBin:playbin0/GstURIDecodeBin:uridecodebin0/GstSoupHTTPSrc:source: Secure connection setup failed.
Additional debug info:
../../../gst-plugins-good-1.8.3/ext/soup/gstsouphttpsrc.c(1578): gst_soup_http_src_parse_status (): /GstPlayBin:playbin0/GstURIDecodeBin:uridecodebin0/GstSoupHTTPSrc:source:
Unacceptable TLS certificate (6), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)
ERROR: pipeline doesn't want to preroll.
Setting pipeline to NULL ...
Freeing pipeline ...

But using souphttpsrc the TLS ssl-strict works.

# gst-launch-1.0 souphttpsrc location="https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcas
t/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.go
oglevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbit
s=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms
,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1
490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000" ssl-strict=false
Setting pipeline to PAUSED ...
Pipeline is PREROLLED ...
Setting pipeline to PLAYING ...
New clock: GstSystemClock
ERROR: from element /GstPipeline:pipeline0/GstSoupHTTPSrc:souphttpsrc0: Forbidden
Additional debug info:
../../../gst-plugins-good-1.8.3/ext/soup/gstsouphttpsrc.c(1634): gst_soup_http_src_parse_status (): /GstPipeline:pipeline0/GstSoupHTTPSrc:souphttpsrc0:
Forbidden (403), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)
Execution ended after 0:00:00.586707037
Setting pipeline to PAUSED ...
Setting pipeline to READY ...
Setting pipeline to NULL ...
Freeing pipeline ...

So at least somehow reproducible.

[athoik]

Stracing the gst-launch-1.0 there is no attempt to "open" /etc/ssl/certs/ca-certificates.crt file!


Setting manually the ssl-ca-file=/etc/ssl/certs/ca-certificates.crt verifies the certificate (and OFC strace open that file).

gst-launch-1.0 souphttpsrc location="https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcas
t/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.go
oglevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbit
s=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms
,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1
490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000" ssl-ca-file=/etc/ssl/certs/ca-certificates.crt
Setting pipeline to PAUSED ...
Pipeline is PREROLLED ...
Setting pipeline to PLAYING ...
New clock: GstSystemClock
ERROR: from element /GstPipeline:pipeline0/GstSoupHTTPSrc:souphttpsrc0: Forbidden
Additional debug info:
../../../gst-plugins-good-1.8.3/ext/soup/gstsouphttpsrc.c(1634): gst_soup_http_src_parse_status (): /GstPipeline:pipeline0/GstSoupHTTPSrc:souphttpsrc0:
Forbidden (403), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)
Execution ended after 0:00:00.503175926
Setting pipeline to PAUSED ...
Setting pipeline to READY ...
Setting pipeline to NULL ...
Freeing pipeline ...

[Taapat]

But why now you need setting manually the certificate file?

Edited by Taapat, 28 March 2017 - 17:51.

[Taapat]

Strange if I for test use in servicemp3.cpp:

if (g_object_class_find_property(G_OBJECT_GET_CLASS(source), "ssl-ca-file") != 0)
{
g_object_set(G_OBJECT(source), "ssl-ca-file", "/etc/ssl/certs/ca-certificates.crt", NULL);
}

It also does not help.

 

It looks like the gstreamer not use these properties from the servicemp3.cpp?

But how it relates to the ssl changes, why after revert work? 

[athoik]

It seems that libgiognutls.so has a reference to ca-certificates default file.
 

# strings -a /usr/lib/gio/modules/libgiognutls.so | grep ca-certificates
/etc/ssl/certs/ca-certificates.crt
# strings -a /usr/lib/gio/modules/libgioopenssl.so  | grep ca-certificates

It seems that they forgot to initialize the GTLS_SYSTEM_CA_FILE!

See: https://github.com/G...ssl.c#L187-L189


https://github.com/G...M_CA_FILE&type=

VS

https://github.com/G...M_CA_FILE&type=

Adding the following patch to glib-openssl fixes the problem...
 

diff --git a/configure.ac b/configure.ac
index d99aeb1..baa2516 100644
--- a/configure.ac
+++ b/configure.ac
@@ -56,6 +56,32 @@ AM_CONDITIONAL(HAVE_OPENSSL, [test "$with_openssl" = "yes"])
 AC_SUBST(OPENSSL_CFLAGS)
 AC_SUBST(OPENSSL_LIBS)

+if test "$with_openssl" = "yes"; then
+    AC_MSG_CHECKING([location of system Certificate Authority list])
+    AC_ARG_WITH(ca-certificates,
+               [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
+                               [path to system Certificate Authority list])])
+    if test "$with_ca_certificates" = "no"; then
+        AC_MSG_RESULT([disabled])
+    else
+        if test -z "$with_ca_certificates"; then
+           for f in /etc/pki/tls/certs/ca-bundle.crt \
+                    /etc/ssl/certs/ca-certificates.crt \
+                    /etc/ssl/ca-bundle.pem; do
+               if test -f "$f"; then
+                   with_ca_certificates="$f"
+               fi
+           done
+           if test -z "$with_ca_certificates"; then
+               AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
+           fi
+        fi
+
+        AC_MSG_RESULT($with_ca_certificates)
+        AC_DEFINE_UNQUOTED(GTLS_SYSTEM_CA_FILE, ["$with_ca_certificates"], [The system TLS CA list])
+    fi
+fi
+
 dnl ************************************
 dnl *** Enable lcov coverage reports ***
 dnl ************************************

And with the patch, results, are back to normal!
 

# strings -a /usr/lib/gio/modules/libgioopenssl.so  | grep ca-certificates
/etc/ssl/certs/ca-certificates.crt

# gst-launch-1.0 playbin uri="https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704
461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevid
eo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&ex
pire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,p
l&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=14907
14062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000"
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
ERROR: from element /GstPlayBin:playbin0/GstURIDecodeBin:uridecodebin0/GstSoupHTTPSrc:source: Forbidden
Additional debug info:
../../../gst-plugins-good-1.8.3/ext/soup/gstsouphttpsrc.c(1634): gst_soup_http_src_parse_status (): /GstPlayBin:playbin0/GstURIDecodeBin:uridecodebin0/GstSoupHTTPSrc:source:
Forbidden (403), URL: https://r4---sn-a5uoxu-gpme.googlevideo.com/videoplayback/id/vGNm5IFXm8U.4/itag/95/source/yt_live_broadcast/sq/704461/file/seg.ts?requiressl=yes&ratebypass=yes&cmbypass=yes&goi=160&sgoap=gir=yes;itag=140&sgovp=gir=yes;itag=136&hls_chunk_host=r4---sn-a5uoxu-gpme.googlevideo.com&ei=2X3aWPfuDZmY1gLJp4b4AQ&gcr=lv&playlist_type=DVR&mm=32&mn=sn-a5uoxu-gpme&ms=lv&mv=u&pl=21&upn=cDBJLB9Tc0Y&mt=1490713913&ip=159.148.29.37&ipbits=0&expire=1490735672&sparams=ip,ipbits,expire,id,itag,source,requiressl,ratebypass,live,cmbypass,goi,sgoap,sgovp,hls_chunk_host,ei,gcr,playlist_type,mm,mn,ms,mv,pl&signature=7376E173010A4DF7BD61AADDFB5116647C53ED10.7201CC052478B9FF147D0D8C4F7B9EE693261887&key=dg_yt0&playlist=index.m3u8&live=1&goap=clen=81233;lmt=1490714062055194&govp=clen=606000;lmt=1490714062055194&dur=5.000, Redirect to: (NULL)
ERROR: pipeline doesn't want to preroll.
Setting pipeline to NULL ...
Freeing pipeline ...

I will open a ticket and create a PR. Although most probably the GTLS_SYSTEM_CA_FILE should be renamed to OPENSSL_SYSTEM_CA_FILE.

Thanks @Taapat for finding the bug


PS. It seems somebody already found the bug: https://github.com/b...0fdd962128c64fa although the code still not merged!

Edited by athoik, 28 March 2017 - 19:55.

[Taapat]

Thank you, that you found the reason and fix .

Edited by Taapat, 28 March 2017 - 19:56.