[HTTPS] Can't open a camera network stream H264 + HTTPS

[sly078]

Hi,

I run VLC 1.0.5 for Windows (Graphical User Interface). I have a Panasonic camera on my local network. If I configure my camera in H264 + HTTP, I can open the network stream with VLC : I choose HTTP protocol and tip the address http://192.42.172.250:12345/nphH264AACa ... on=320x240. VLC asks me login/pass of the camera. After, the stream opens, I have audio and video.

When I configure my camera in H264 + HTTPS, I choose HTTPS protocol in VLC and tip the address https://192.42.172.250:12345/nphH264AAC ... on=320x240. VLC can't open the stream (before asking me login/pass).

In VLC log, I have :

Code: Select all

main debug: `https://192.42.172.250:12345/nphH264AACauth?Resolution=320x240 ' gives access `https' demux `' path `192.42.172.250:12345/nphH264AACauth?Resolution=320x240 ' main debug: creating demux: access='https' demux='' path='192.42.172.250:12345/nphH264AACauth?Resolution=320x240 ' main debug: looking for access_demux module: 0 candidates main debug: no access_demux module matched "https" main debug: TIMER module_need() : 0.000 ms - Total 0.000 ms / 1 intvls (Avg 0.000 ms) main debug: creating access 'https' path='192.42.172.250:12345/nphH264AACauth?Resolution=320x240 ' main debug: looking for access module: 1 candidate access_http debug: http: server='192.42.172.250' port=12345 file='/nphH264AACauth?Resolution=320x240++ main debug: net: connecting to 192.42.172.250 port 12345 main debug: connection: Resource temporarily unavailable main debug: connection succeeded (socket = 2784) main debug: requested server name: 192.42.172.250 main debug: looking for tls client module: 1 candidate qt4 debug: IM: Setting an input qt4 debug: Updating the geometry qt4 debug: Updating the geometry gnutls debug: GnuTLS v2.8.5 initialized gnutls warning: cannot add x509 credentials (C:\Documents and Settings\All Users\Application Data/ssl/certs/ca-certificates.crt): No such file or directory main debug: using tls client module "gnutls" main debug: TIMER module_need() : 246.000 ms - Total 246.000 ms / 1 intvls (Avg 246.000 ms) gnutls error: TLS session: access denied gnutls error: Certificate could not be verified gnutls error: Certificate's signer was not found main error: TLS client session handshake error gnutls debug: GnuTLS deinitialized main debug: removing module "gnutls" access_http error: cannot establish HTTP/TLS session main warning: no access module matching "https" could be loaded

In Wireshark :

Code: Select all

No. Time Source Destination Protocol Info 80 6.825686 192.42.172.142 192.42.172.250 TCP infocrypt > italk [SYN] Seq=0 Win=16384 Len=0 MSS=1460 81 6.826749 192.42.172.250 192.42.172.142 TCP italk > infocrypt [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1460 82 6.826805 192.42.172.142 192.42.172.250 TCP infocrypt > italk [ACK] Seq=1 Ack=1 Win=17520 Len=0 83 6.841234 192.42.172.142 192.42.172.250 TCP infocrypt > italk [PSH, ACK] Seq=1 Ack=1 Win=17520 Len=98 84 6.845263 192.42.172.250 192.42.172.142 TCP italk > infocrypt [PSH, ACK] Seq=1 Ack=99 Win=4096 Len=79 87 6.991064 192.42.172.142 192.42.172.250 TCP infocrypt > italk [ACK] Seq=99 Ack=80 Win=17441 Len=0 88 6.992696 192.42.172.250 192.42.172.142 TCP italk > infocrypt [PSH, ACK] Seq=80 Ack=99 Win=4096 Len=453 89 6.994604 192.42.172.142 192.42.172.250 TCP infocrypt > italk [PSH, ACK] Seq=99 Ack=533 Win=16988 Len=139 96 7.289603 192.42.172.250 192.42.172.142 TCP italk > infocrypt [ACK] Seq=533 Ack=238 Win=4096 Len=0 97 7.289623 192.42.172.142 192.42.172.250 TCP infocrypt > italk [PSH, ACK] Seq=238 Ack=533 Win=16988 Len=43 101 7.484408 192.42.172.250 192.42.172.142 TCP italk > infocrypt [PSH, ACK] Seq=533 Ack=281 Win=4096 Len=43 102 7.485426 192.42.172.142 192.42.172.250 TCP infocrypt > italk [PSH, ACK] Seq=281 Ack=576 Win=16945 Len=23 103 7.485716 192.42.172.142 192.42.172.250 TCP infocrypt > italk [FIN, ACK] Seq=304 Ack=576 Win=16945 Len=0 104 7.486855 192.42.172.250 192.42.172.142 TCP italk > infocrypt [ACK] Seq=576 Ack=305 Win=4073 Len=0 105 7.495599 192.42.172.250 192.42.172.142 TCP italk > infocrypt [FIN, ACK] Seq=576 Ack=305 Win=4096 Len=0 106 7.495620 192.42.172.142 192.42.172.250 TCP infocrypt > italk [ACK] Seq=305 Ack=577 Win=16945 Len=0

If I change port to 443, I try to open https://192.42.172.250/nphH264AACauth?R ... on=320x240, VLC still can't open it. VLC log is the same but Wireshark log is not :

Code: Select all

No. Time Source Destination Protocol Info 130 8.547996 192.42.172.142 192.42.172.250 TCP dict-lookup > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460 131 8.549043 192.42.172.250 192.42.172.142 TCP https > dict-lookup [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1460 132 8.549133 192.42.172.142 192.42.172.250 TCP dict-lookup > https [ACK] Seq=1 Ack=1 Win=17520 Len=0 133 8.554577 192.42.172.142 192.42.172.250 TLSv1.1 Client Hello 134 8.558609 192.42.172.250 192.42.172.142 TLSv1.1 Server Hello 137 8.684000 192.42.172.142 192.42.172.250 TCP dict-lookup > https [ACK] Seq=99 Ack=80 Win=17441 Len=0 138 8.685555 192.42.172.250 192.42.172.142 TLSv1.1 Certificate, Server Hello Done 139 8.686956 192.42.172.142 192.42.172.250 TLSv1.1 Client Key Exchange 142 8.968452 192.42.172.250 192.42.172.142 TCP https > dict-lookup [ACK] Seq=533 Ack=238 Win=4096 Len=0 143 8.968474 192.42.172.142 192.42.172.250 TLSv1.1 Change Cipher Spec, Encrypted Handshake Message 150 9.168511 192.42.172.250 192.42.172.142 TLSv1.1 Change Cipher Spec, Encrypted Handshake Message 151 9.169268 192.42.172.142 192.42.172.250 TLSv1.1 Encrypted Alert

Can it be a GnuTLS problem ? A certificate problem ? A parameter in VLC I have to change ? I don't find it...

Thanks in advance for your help,

Sly

[sly078]

Code: Select all

gnutls warning: cannot add x509 credentials (C:\Documents and Settings\All Users\Application Data/ssl/certs/ca-certificates.crt): No such file or directory

Actually, my certificate directory is C:\Documents and Settings\AMA\Application Data\vlc\ssl\certs. But it is empty. How can I say to VLC where is the good directory ? Do I have to create a certificate by myself with GnuTLS (like it is explained here for exemple : http://www.gratte.net/docs/html/vlc_sec ... aming.html) ?

Also, in VLC Preferencies > Output stream > Output module > HTTP, the certificate file field is filled with vlc.pem. I don't know where/what is this file...

Sly

[sly078]

Hi,

I still hope having an answer. Please help...

I try to generate a certificate file with Windows version of GnuTLS following the tutorial (http://www.gratte.net/docs/html/vlc-str ... nutls.html).

I tip certtool --generate-privkey --outfile key.pem which generates the key file key.pem.
Then I tip certtool --generate-self-signed --load-privkey key.pem --outfile certificate.pem, but I don't really know what to answer to the questions. It generates the certificate file certificate.pem.

I put these two files in C:\Documents and Settings\AMA\Application Data\vlc\ssl\certs and, in VLC Preferencies > Output stream > Output module > HTTP, I fill the certificate file and private key file fields with absolute path of the files.

I open the network stream again, VLC says :

Code: Select all

gnutls debug: GnuTLS v2.8.5 initialized gnutls debug: added x509 credentials (C:\Documents and Settings\AMA\Application Data\vlc/ssl/certs\certificate.pem) gnutls warning: cannot add x509 credentials (C:\Documents and Settings\AMA\Application Data\vlc/ssl/certs\key.pem): Base64 decoding error. gnutls warning: cannot add x509 credentials (C:\Documents and Settings\All Users\Application Data/ssl/certs/ca-certificates.crt): No such file or directory main debug: using tls client module "gnutls" main debug: TIMER module_need() : 3.000 ms - Total 3.000 ms / 1 intvls (Avg 3.000 ms) gnutls error: TLS session: access denied gnutls error: Certificate could not be verified gnutls error: Certificate's signer was not found main error: TLS client session handshake error gnutls debug: GnuTLS deinitialized

What Am I doing wrong ? What does VLC still try to find the ca-certificates.crt file ?

Sly

[Jean-Baptiste Kempf]

Can you file bug?

[sly078]

Yes I can.

But about what ?

Code: Select all

gnutls warning: cannot add x509 credentials (C:\Documents and Settings\All Users\Application Data/ssl/certs/ca-certificates.crt): No such file or directory

Because, the file doesn't exist, or because VLC searches it even if I specify another file ?

Or about the whole thing ?

Sly

[sly078]

ticket 3666 created.

[Rémi Denis-Courmont]

Your camera certificate is not accepted because the list of root CA is empty. You need to put the correct root cert in the ca-certificates.crt file.

[sly078]

Thanks Rémi.

I red it was possible to open secured stream without certificate at all. May be I'm wrong.

So, I have to find this certificate. You think it may be findable in the camera ? Or I will have to create it with GnuTLS for exemple ?

Sly

[sly078]

I export the certificate with Firefox (it says certificate is not sure because auto signed). I put it in C:\Documents and Settings\AMA\Application Data\vlc\ssl\certs and call it ca-certificates.crt. I open the network stream and log is :

Code: Select all

gnutls debug: GnuTLS v2.8.5 initialized gnutls debug: added x509 credentials (C:\Documents and Settings\AMA\Application Data\vlc/ssl/certs\ca-certificates.crt) gnutls warning: cannot add x509 credentials (C:\Documents and Settings\All Users\Application Data/ssl/certs/ca-certificates.crt): No such file or directory main debug: using tls client module "gnutls" main debug: TIMER module_need() : 3.000 ms - Total 3.000 ms / 1 intvls (Avg 3.000 ms) gnutls debug: TLS/x509 certificate verified main debug: TLS client session initialized access_http debug: protocol 'HTTP' answer code 200 access_http debug: Connection: Keep-Alive access_http debug: Transfer-Encoding: chunked access_http debug: Content-Type: video/h264 main debug: using access module "access_http" main debug: TIMER module_need() : 13441.001 ms - Total 13441.001 ms / 1 intvls (Avg 13441.000 ms) main debug: Using AStream*Stream main debug: pre buffering main error: Read error: No such file or directory access_http debug: failed reading chunk-header line main error: cannot pre fill buffer main warning: cannot create a stream_t from access gnutls debug: GnuTLS deinitialized main debug: removing module "gnutls" main debug: removing module "access_http" main debug: waitpipe: object killed main debug: thread ended main debug: dead input main debug: thread times: real 0m13.437500s, kernel 0m0.718750s, user 0m0.562500s main debug: changing item without a request (current 1/2) main debug: nothing to play qt4 debug: IM: Deleting the input qt4 debug: Updating the geometry qt4 debug: Updating the geometry main debug: TIMER input launching for 'https://192.42.172.250:12345/nphH264AACauth?Resolution=320x240 ' : 13463.001 ms - Total 13463.001 ms / 1 intvls (Avg 13463.000 ms)

The certificate is accepted (VLC still searches another ca-certificates.crt file in All User), VLC asks me login/pass, but VLC raises another error :

Code: Select all

main debug: pre buffering main error: Read error: No such file or directory access_http debug: failed reading chunk-header line main error: cannot pre fill buffer main warning: cannot create a stream_t from access gnutls debug: GnuTLS deinitialized

What does it stand for ?

That's what I have in Wireshark (exchange between PC and camera) :

Code: Select all

No. Time Source Destination Protocol Info 423 25.891329 192.42.172.142 192.42.172.250 TCP g5m > italk [SYN] Seq=0 Win=16384 Len=0 MSS=1460 424 25.892417 192.42.172.250 192.42.172.142 TCP italk > g5m [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1460 425 25.892447 192.42.172.142 192.42.172.250 TCP g5m > italk [ACK] Seq=1 Ack=1 Win=17520 Len=0 426 25.898918 192.42.172.142 192.42.172.250 TCP g5m > italk [PSH, ACK] Seq=1 Ack=1 Win=17520 Len=98 427 25.902788 192.42.172.250 192.42.172.142 TCP italk > g5m [PSH, ACK] Seq=1 Ack=99 Win=4096 Len=79 432 26.195708 192.42.172.142 192.42.172.250 TCP g5m > italk [ACK] Seq=99 Ack=80 Win=17441 Len=0 433 26.197312 192.42.172.250 192.42.172.142 TCP italk > g5m [PSH, ACK] Seq=80 Ack=99 Win=4096 Len=455 434 26.198127 192.42.172.142 192.42.172.250 TCP g5m > italk [PSH, ACK] Seq=99 Ack=535 Win=16986 Len=139 438 26.454463 192.42.172.250 192.42.172.142 TCP italk > g5m [ACK] Seq=535 Ack=238 Win=4096 Len=0 439 26.454490 192.42.172.142 192.42.172.250 TCP g5m > italk [PSH, ACK] Seq=238 Ack=535 Win=16986 Len=43 442 26.690533 192.42.172.250 192.42.172.142 TCP italk > g5m [PSH, ACK] Seq=535 Ack=281 Win=4096 Len=43 443 26.692994 192.42.172.142 192.42.172.250 TCP g5m > italk [PSH, ACK] Seq=281 Ack=578 Win=16943 Len=100 446 26.954636 192.42.172.250 192.42.172.142 TCP italk > g5m [ACK] Seq=578 Ack=381 Win=4096 Len=0 447 26.954676 192.42.172.142 192.42.172.250 TCP g5m > italk [PSH, ACK] Seq=381 Ack=578 Win=16943 Len=210 449 26.988460 192.42.172.250 192.42.172.142 TCP italk > g5m [PSH, ACK] Seq=578 Ack=591 Win=4096 Len=338 450 26.988668 192.42.172.250 192.42.172.142 TCP italk > g5m [FIN, ACK] Seq=916 Ack=591 Win=4096 Len=0 451 26.988683 192.42.172.142 192.42.172.250 TCP g5m > italk [ACK] Seq=591 Ack=917 Win=16605 Len=0 604 38.654200 192.42.172.142 192.42.172.250 TCP g5m > italk [PSH, ACK] Seq=591 Ack=917 Win=16605 Len=23 605 38.654749 192.42.172.142 192.42.172.250 TCP g5m > italk [RST, ACK] Seq=614 Ack=917 Win=0 Len=0 606 38.655005 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [SYN] Seq=0 Win=16384 Len=0 MSS=1460 607 38.655258 192.42.172.250 192.42.172.142 TCP italk > g5m [RST] Seq=917 Win=0 Len=0 608 38.656175 192.42.172.250 192.42.172.142 TCP italk > signet-ctf [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1460 609 38.656207 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [ACK] Seq=1 Ack=1 Win=17520 Len=0 610 38.672986 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [PSH, ACK] Seq=1 Ack=1 Win=17520 Len=98 611 38.677046 192.42.172.250 192.42.172.142 TCP italk > signet-ctf [PSH, ACK] Seq=1 Ack=99 Win=4096 Len=79 616 38.870017 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [ACK] Seq=99 Ack=80 Win=17441 Len=0 617 38.871725 192.42.172.250 192.42.172.142 TCP italk > signet-ctf [PSH, ACK] Seq=80 Ack=99 Win=4096 Len=455 618 38.872723 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [PSH, ACK] Seq=99 Ack=535 Win=16986 Len=139 630 39.155184 192.42.172.250 192.42.172.142 TCP italk > signet-ctf [ACK] Seq=535 Ack=238 Win=4096 Len=0 631 39.155207 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [PSH, ACK] Seq=238 Ack=535 Win=16986 Len=43 635 39.359693 192.42.172.250 192.42.172.142 TCP italk > signet-ctf [PSH, ACK] Seq=535 Ack=281 Win=4096 Len=43 636 39.361572 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [PSH, ACK] Seq=281 Ack=578 Win=16943 Len=100 653 39.655311 192.42.172.250 192.42.172.142 TCP italk > signet-ctf [ACK] Seq=578 Ack=381 Win=4096 Len=0 654 39.655351 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [PSH, ACK] Seq=381 Ack=578 Win=16943 Len=274 659 39.786152 192.42.172.250 192.42.172.142 TCP italk > signet-ctf [PSH, ACK] Seq=578 Ack=655 Win=4096 Len=90 661 39.839647 192.42.172.250 192.42.172.142 TCP italk > signet-ctf [ACK] Seq=668 Ack=655 Win=4096 Len=1280 662 39.839740 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [ACK] Seq=655 Ack=1948 Win=17520 Len=0 663 39.840916 192.42.172.250 192.42.172.142 TCP italk > signet-ctf [PSH, ACK] Seq=1948 Ack=655 Win=4096 Len=54 664 39.842751 192.42.172.250 192.42.172.142 TCP italk > signet-ctf [PSH, ACK] Seq=2002 Ack=655 Win=4096 Len=1280 665 39.842760 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [PSH, ACK] Seq=655 Ack=2002 Win=17466 Len=23 666 39.845570 192.42.172.250 192.42.172.142 TCP italk > signet-ctf [PSH, ACK] Seq=3282 Ack=678 Win=4073 Len=1280 667 39.845591 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [RST] Seq=678 Win=0 Len=0 668 39.845602 192.42.172.142 192.42.172.250 TCP signet-ctf > italk [RST, ACK] Seq=678 Ack=3282 Win=0 Len=0

And about SSL :

Code: Select all

No. Time Source Destination Protocol Info 124 11.147924 192.42.172.142 192.42.172.250 TLSv1.1 Client Hello 125 11.152328 192.42.172.250 192.42.172.142 TLSv1.1 Server Hello 129 11.341373 192.42.172.250 192.42.172.142 TLSv1.1 Certificate, Server Hello Done 130 11.343294 192.42.172.142 192.42.172.250 TLSv1.1 Client Key Exchange 135 11.635288 192.42.172.142 192.42.172.250 TLSv1.1 Change Cipher Spec, Encrypted Handshake Message 137 11.828612 192.42.172.250 192.42.172.142 TLSv1.1 Change Cipher Spec, Encrypted Handshake Message 138 11.830463 192.42.172.142 192.42.172.250 TLSv1.1 Application Data 142 12.035449 192.42.172.142 192.42.172.250 TLSv1.1 Application Data, Application Data, Application Data, Application Data 143 12.069352 192.42.172.250 192.42.172.142 TLSv1.1 Application Data 148 12.286310 192.42.172.142 209.85.227.17 TCP [TCP segment of a reassembled PDU] 149 12.286319 192.42.172.142 209.85.227.17 TLSv1 Application Data 152 12.380818 209.85.227.17 192.42.172.142 TLSv1 Application Data, Application Data 156 12.764691 209.85.229.83 192.42.172.142 TLSv1 Application Data 157 12.765502 209.85.229.83 192.42.172.142 TLSv1 Application Data 159 12.766030 192.42.172.142 209.85.229.83 TLSv1 Encrypted Alert 161 12.777504 192.42.172.142 209.85.227.17 TCP [TCP segment of a reassembled PDU] 162 12.777513 192.42.172.142 209.85.227.17 TLSv1 Application Data 168 12.857236 209.85.227.17 192.42.172.142 TLSv1 Application Data, Application Data 214 16.562474 192.42.172.142 192.42.172.250 TLSv1.1 Encrypted Alert 220 16.578550 192.42.172.142 192.42.172.250 TLSv1.1 Client Hello 221 16.582495 192.42.172.250 192.42.172.142 TLSv1.1 Server Hello 226 16.773101 192.42.172.250 192.42.172.142 TLSv1.1 Certificate, Server Hello Done 227 16.773965 192.42.172.142 192.42.172.250 TLSv1.1 Client Key Exchange 232 17.035566 192.42.172.142 192.42.172.250 TLSv1.1 Change Cipher Spec, Encrypted Handshake Message 235 17.259143 192.42.172.250 192.42.172.142 TLSv1.1 Change Cipher Spec, Encrypted Handshake Message 236 17.261023 192.42.172.142 192.42.172.250 TLSv1.1 Application Data 240 17.535585 192.42.172.142 192.42.172.250 TLSv1.1 Application Data, Application Data, Application Data, Application Data, Application Data 242 17.686591 192.42.172.250 192.42.172.142 TLSv1.1 Application Data 243 17.721853 192.42.172.250 192.42.172.142 TLSv1.1 Application Data, 245 17.722661 192.42.172.142 192.42.172.250 TLSv1.1 Encrypted Alert 246 17.723060 192.42.172.250 192.42.172.142 TCP [TCP segment of a reassembled PDU] 248 17.725269 192.42.172.250 192.42.172.142 TLSv1.1 Continuation Data 583 37.247326 209.85.227.17 192.42.172.142 TLSv1 Application Data

[Rémi Denis-Courmont]

It is in principle possible to play encrypted streams without certificate. But then it really makes no sense to encrypt, so VLC does not allow this currently.

The Wireshark capture are unfortunately useless because of encryption. In any case, I am not sure if VLC supports TLS at all on Windows.

[sly078]

Ok, but how can I be sure VLC doesn't support TLS on Windows ? And, if it is really the case, can I create a feature request in the forum ?

[sly078]

I tried to open the same network stream with VLC on Linux and, once certificate is ok, it works. So, this is really a Windows problem.

[sly078]

Since ticket 3666 has been invalidated, I have created ticket 3682 to tell VLC doesn't support TLS on Windows