rtsps encryption key for ffplay

[jav123456]

Hi, probably a beginner question, but I dont understand how rtsps encryption really works :

In the yml config file I set encryption "optional" , I set my user credentials, and I define the key and certificate files .

Then I push an
unencrypted live stream "MyStream" to the server (the stream is created locally in the server )

Then in the remote client side I want an encrypted connection, so I use:

ffplay rtsps://MyUser:MyPassword@server_ip:8555/MyStream

And it works, but the fact is that I didn't had to pass any key to ffplay, which is a bit surprising to me.
Does it mean that the communication is not really encrypted or is it that ffplay can decrypt rtsps streams without the need to pass any key to it (maybe by interchanging some keys when the communication is stablished somehow ? )

[aler9]

And it works, but the fact is that I didn't had to pass any key to ffplay, which is a bit surprising to me.
Does it mean that the communication is not really encrypted or is it that ffplay can decrypt rtsps streams without the need to pass any key to it (maybe by interchanging some keys when the communication is stablished somehow ? )

ffplay and ffmpeg don't check the server TLS certificate when dealing with RTSPS. Communication is encrypted, certificates are exchanged between server and clients, but the server certificate is not checked.

This is slightly more secure than using the unencrypted RTSP, but an attacker could take control of the connection if he can hack into the TLS handshake and replace the server certificate with another one.

rtsp-simple-server doesn't suffer from this problem when proxing RTSPS streams (it checks the server certificate against sourceFingerprint), while ffmpeg does. If you're interested in solving the issue, try to contact the ffmpeg team.