Secure RTSP with RTSPS

Protect your RTSP streams using TLS encryption (RTSPS). Learn how to configure secure communication, certificates, and ports.

What is RTSPS?

RTSPS (RTSP over TLS/SSL) encrypts the entire RTSP control channel, protecting your signaling data (such as URLs and authentication credentials) from eavesdropping and man-in-the-middle attacks.

It works similarly to HTTPS, wrapping the RTSP protocol in a TLS layer. The standard port for RTSPS is 322, though any port can be used.

How RTSPS Works

  • TLS Handshake: Client and server establish a secure connection using the provided certificate and private key.
  • Encrypted Channel: All RTSP commands (DESCRIBE, SETUP, PLAY, TEARDOWN) are encrypted.
  • Certificate Verification: The client verifies the server's identity using the certificate.

This is essential for environments where sensitive camera URLs or credentials are transmitted over untrusted networks.

Configuration Guide

Enable RTSPS support in the Happytime RTSP Server by modifying the rtspserver.cfg file.

rtspserver.cfg
<config>
    <serverip>192.168.1.100</serverip>
    <rtsp_port>554</rtsp_port>
    <!-- Enable RTSPS (TLS) -->
    <rtsps_enable>1</rtsps_enable>
    <!-- RTSPS service port (traditionally 322) -->
    <rtsps_port>322</rtsps_port>
    <!-- Path to TLS certificate -->
    <rtsps_cert>ssl.ca</rtsps_cert>
    <!-- Path to private key -->
    <rtsps_key>ssl.key</rtsps_key>
    <!-- ... other settings -->
</config>

Security Warnings

Linux Privilege Note: Ports below 1024 (like 322) require root privileges to bind. Consider using a higher port (e.g., 8322) for non-root operation.
Self-Signed Certificates: The default ssl.ca and ssl.key files are self-signed. Browsers and clients will show a security warning. Do not use them in production. Replace with certificates from a trusted CA (e.g., Let's Encrypt).

Testing RTSPS Streams

Use tools that support RTSPS to test your encrypted stream.

Using FFplay

Command
ffplay "rtsps://192.168.1.100:322/myapp/live"

Using Happytime RTSP Client

Enter the RTSPS URL (rtsps://...) in the client application.

Best Practices

  • Use Trusted Certificates: Obtain certificates from a trusted Certificate Authority (CA) like Let's Encrypt for production use.
  • Secure Private Keys: Ensure the private key file (.key) has strict file permissions (e.g., 600).
  • Firewall Configuration: Open the RTSPS port (e.g., 322 or 8322) in your firewall.
  • Port Choice: If running as a non-root user, use a port > 1024 (e.g., 8322) to avoid privilege issues.
  • Client Compatibility: Ensure your RTSP client (VLC, FFmpeg, etc.) supports RTSPS.
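
The warnings and best practices above can be checked against a deployed rtspserver.cfg. The following Python script is an added example, not part of the Happytime RTSP Server. It assumes that relative certificate and key paths are resolved against the directory holding the config file and that a missing rtsps_port means 322; the sample config and key file it writes are constructed.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_FILES = {"ssl.ca", "ssl.key"}  # default self-signed pair named on this page

def audit_rtsps_config(cfg_path):
    """Return a list of findings for the RTSPS settings in a rtspserver.cfg file."""
    root = ET.parse(cfg_path).getroot()
    get = lambda tag: (root.findtext(tag) or "").strip()
    if get("rtsps_enable") != "1":
        return ["rtsps_enable is not 1: RTSPS is disabled"]
    findings = []
    port = int(get("rtsps_port") or 322)  # assumption: fall back to the standard port
    if port < 1024:
        findings.append(f"rtsps_port {port} is below 1024: binding needs root on Linux")
    for tag in ("rtsps_cert", "rtsps_key"):
        if os.path.basename(get(tag)) in DEFAULT_FILES:
            findings.append(f"{tag} points at default self-signed file {get(tag)}")
    # Assumption: relative paths are resolved against the config file's directory.
    key_path = os.path.join(os.path.dirname(os.path.abspath(cfg_path)), get("rtsps_key"))
    if not os.path.isfile(key_path):
        findings.append(f"rtsps_key not found: {key_path}")
    else:
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & 0o077:  # any group/other permission bit is set
            findings.append(f"rtsps_key mode is {mode:03o}, expected 600")
    return findings

def write_sample(directory, port, cert, key, key_mode):
    """Write a constructed config and a placeholder key file (hypothetical helper)."""
    key_path = os.path.join(directory, key)
    with open(key_path, "w") as f:
        f.write("constructed placeholder, not a real key\n")
    os.chmod(key_path, key_mode)
    cfg_path = os.path.join(directory, "rtspserver.cfg")
    with open(cfg_path, "w") as f:
        f.write(f"<config><rtsps_enable>1</rtsps_enable><rtsps_port>{port}</rtsps_port>"
                f"<rtsps_cert>{cert}</rtsps_cert><rtsps_key>{key}</rtsps_key></config>")
    return cfg_path

if __name__ == "__main__":
    # Constructed sample: the page's default settings with a world-readable key.
    with tempfile.TemporaryDirectory() as d:
        for line in audit_rtsps_config(write_sample(d, 322, "ssl.ca", "ssl.key", 0o644)):
            print("WARN", line)
```

To audit a real installation, call audit_rtsps_config with the path to its rtspserver.cfg; an empty list means none of the checks fired.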