Skip to main content
gortsplib supports end-to-end encryption using TLS for the control channel (RTSPS) and SRTP/SRTCP for media packets. Both are enabled by setting a single field on the Server struct.

TLSConfig

Set Server.TLSConfig to a *tls.Config to enable secure mode. When set:
  • The server accepts only TLS connections on RTSPAddress (RTSPS, default port 8322).
  • SRTP/SRTCP is automatically negotiated for media packets on UDP transport.
  • The SDP sent to clients uses the SAVP transport profile instead of AVP.
cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
if err != nil {
    panic(err)
}

s := &gortsplib.Server{
    Handler:     h,
    TLSConfig:   &tls.Config{Certificates: []tls.Certificate{cert}},
    RTSPAddress: ":8322",
    // UDP ports for SRTP/SRTCP
    UDPRTPAddress:  ":8004",
    UDPRTCPAddress: ":8005",
}
When TLSConfig is set, TCP transport is encrypted via TLS and UDP transport is encrypted via SRTP/SRTCP. Both are negotiated automatically — no additional configuration is needed.

TLS and SRTP interaction

SRTP key material is generated per stream when ServerStream.Initialize() is called. The keys are exchanged over the TLS-protected RTSP channel using MIKEY, embedded in the SDP. Clients that support SAVP will use these keys to encrypt and decrypt UDP media packets.

Full example

server-secure/main.go
// Package main contains an example.
package main

import (
	"crypto/tls"
	"log"
	"sync"

	"github.com/pion/rtp"

	"github.com/bluenviron/gortsplib/v5"
	"github.com/bluenviron/gortsplib/v5/pkg/base"
	"github.com/bluenviron/gortsplib/v5/pkg/description"
	"github.com/bluenviron/gortsplib/v5/pkg/format"
)

// This example shows how to:
// 1. create a RTSP server which uses secure protocols only (RTSPS, TLS, SRTP, SRTCP).
// 2. allow a single client to publish a stream.
// 3. allow several clients to read the stream.

type serverHandler struct {
	server    *gortsplib.Server
	mutex     sync.RWMutex
	stream    *gortsplib.ServerStream
	publisher *gortsplib.ServerSession
}

// called when a connection is opened.
func (sh *serverHandler) OnConnOpen(_ *gortsplib.ServerHandlerOnConnOpenCtx) {
	log.Printf("conn opened")
}

// called when a connection is closed.
func (sh *serverHandler) OnConnClose(ctx *gortsplib.ServerHandlerOnConnCloseCtx) {
	log.Printf("conn closed (%v)", ctx.Error)
}

// called when a session is opened.
func (sh *serverHandler) OnSessionOpen(_ *gortsplib.ServerHandlerOnSessionOpenCtx) {
	log.Printf("session opened")
}

// called when a session is closed.
func (sh *serverHandler) OnSessionClose(ctx *gortsplib.ServerHandlerOnSessionCloseCtx) {
	log.Printf("session closed")

	sh.mutex.RLock()
	defer sh.mutex.RUnlock()

	// if the session is the publisher,
	// close the stream and disconnect any reader.
	if sh.stream != nil && ctx.Session == sh.publisher {
		sh.stream.Close()
		sh.stream = nil
	}
}

// called when receiving a DESCRIBE request.
func (sh *serverHandler) OnDescribe(
	_ *gortsplib.ServerHandlerOnDescribeCtx,
) (*base.Response, *gortsplib.ServerStream, error) {
	log.Printf("DESCRIBE request")

	sh.mutex.RLock()
	defer sh.mutex.RUnlock()

	// no one is publishing yet
	if sh.stream == nil {
		return &base.Response{
			StatusCode: base.StatusNotFound,
		}, nil, nil
	}

	// send medias that are being published to the client
	return &base.Response{
		StatusCode: base.StatusOK,
	}, sh.stream, nil
}

// called when receiving an ANNOUNCE request.
func (sh *serverHandler) OnAnnounce(ctx *gortsplib.ServerHandlerOnAnnounceCtx) (*base.Response, error) {
	log.Printf("ANNOUNCE request")

	sh.mutex.RLock()
	defer sh.mutex.RUnlock()

	// disconnect existing publisher
	if sh.stream != nil {
		sh.stream.Close()
		sh.publisher.Close()
	}

	// create the stream and save the publisher
	sh.stream = &gortsplib.ServerStream{
		Server: sh.server,
		Desc:   ctx.Description,
	}
	err := sh.stream.Initialize()
	if err != nil {
		panic(err)
	}
	sh.publisher = ctx.Session

	return &base.Response{
		StatusCode: base.StatusOK,
	}, nil
}

// called when receiving a SETUP request.
func (sh *serverHandler) OnSetup(
	ctx *gortsplib.ServerHandlerOnSetupCtx,
) (*base.Response, *gortsplib.ServerStream, error) {
	log.Printf("SETUP request")

	// SETUP is used by both readers and publishers. In case of publishers, just return StatusOK.
	if ctx.Session.State() == gortsplib.ServerSessionStatePreRecord {
		return &base.Response{
			StatusCode: base.StatusOK,
		}, nil, nil
	}

	sh.mutex.RLock()
	defer sh.mutex.RUnlock()

	// no one is publishing yet
	if sh.stream == nil {
		return &base.Response{
			StatusCode: base.StatusNotFound,
		}, nil, nil
	}

	return &base.Response{
		StatusCode: base.StatusOK,
	}, sh.stream, nil
}

// called when receiving a PLAY request.
func (sh *serverHandler) OnPlay(_ *gortsplib.ServerHandlerOnPlayCtx) (*base.Response, error) {
	log.Printf("PLAY request")

	return &base.Response{
		StatusCode: base.StatusOK,
	}, nil
}

// called when receiving a RECORD request.
func (sh *serverHandler) OnRecord(ctx *gortsplib.ServerHandlerOnRecordCtx) (*base.Response, error) {
	log.Printf("RECORD request")

	// called when receiving a RTP packet
	ctx.Session.OnPacketRTPAny(func(medi *description.Media, _ format.Format, pkt *rtp.Packet) {
		// route the RTP packet to all readers
		err := sh.stream.WritePacketRTP(medi, pkt)
		if err != nil {
			log.Printf("ERR: %v", err)
		}
	})

	return &base.Response{
		StatusCode: base.StatusOK,
	}, nil
}

func main() {
	// load certificates - they can be generated with
	// openssl genrsa -out server.key 2048
	// openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
	cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		panic(err)
	}

	// configure the server.
	// when TLSConfig is set, only secure protocols are used.
	h := &serverHandler{}
	h.server = &gortsplib.Server{
		Handler:           h,
		TLSConfig:         &tls.Config{Certificates: []tls.Certificate{cert}},
		RTSPAddress:       ":8322",
		UDPRTPAddress:     ":8004",
		UDPRTCPAddress:    ":8005",
		MulticastIPRange:  "224.1.0.0/16",
		MulticastRTPPort:  8006,
		MulticastRTCPPort: 8007,
	}

	// start server and wait until a fatal error
	log.Printf("server is ready on %s", h.server.RTSPAddress)
	panic(h.server.StartAndWait())
}

Generating a self-signed certificate

For development and testing you can generate a self-signed certificate with OpenSSL: 
openssl genrsa -out server.key 2048
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
This produces server.key (private key) and server.crt (certificate), which you load with tls.LoadX509KeyPair.
Self-signed certificates are suitable for local development only. Clients will reject them unless configured to skip certificate verification. Use a certificate signed by a trusted CA for production deployments.

Connecting to a secure server

Clients connect using the rtsps:// scheme. For example, to test with FFmpeg: 
# Publish (ignore certificate errors for self-signed cert)
ffmpeg -re -i input.mp4 -c copy -f rtsp rtsps://localhost:8322/mystream

# Read
ffplay -rtsp_transport tcp rtsps://localhost:8322/mystream