diff --git a/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c b/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c
index 2e421c8e97..67df9a6b18 100644
--- a/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c
+++ b/subprojects/gst-plugins-bad/gst/rtmp2/gstrtmp2locationhandler.c
@@ -84,6 +84,22 @@ gst_rtmp_location_handler_default_init (GstRtmpLocationHandlerInterface * iface)
   g_object_interface_install_property (iface, g_param_spec_uint ("timeout",
           "Timeout", "RTMP timeout in seconds", 0, G_MAXUINT, DEFAULT_TIMEOUT,
           G_PARAM_CONSTRUCT | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
+  /**
+   * GstRtmpLocationHandler::tls-validation-flags:
+   *
+   * TLS certificate validation flags used to validate server
+   * certificate.
+   *
+   * GLib guarantees that if certificate verification fails, at least one
+   * error will be set, but it does not guarantee that all possible errors
+   * will be set. Accordingly, you may not safely decide to ignore any
+   * particular type of error.
+   *
+   * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+   * you want to allow expired certificates, because this could potentially be
+   * the only error flag set even if other problems exist with the
+   * certificate.
+   */
   g_object_interface_install_property (iface,
       g_param_spec_flags ("tls-validation-flags", "TLS validation flags",
           "TLS validation flags to use", G_TYPE_TLS_CERTIFICATE_FLAGS,
diff --git a/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c b/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c
index 2a20b5b742..f743637a64 100644
--- a/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c
+++ b/subprojects/gst-plugins-bad/gst/rtmp2/rtmp/rtmpclient.c
@@ -426,8 +426,10 @@ socket_connect (GTask * task)
       GST_DEBUG ("Configuring TLS, validation flags 0x%02x",
           data->location.tls_flags);
       g_socket_client_set_tls (socket_client, TRUE);
+      G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
       g_socket_client_set_tls_validation_flags (socket_client,
           data->location.tls_flags);
+      G_GNUC_END_IGNORE_DEPRECATIONS;
       break;
 
     default:
diff --git a/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c b/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c
index 42bd4101a7..1dfeed1c23 100644
--- a/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c
+++ b/subprojects/gst-plugins-base/gst-libs/gst/rtsp/gstrtspconnection.c
@@ -643,6 +643,15 @@ gst_rtsp_connection_get_tls (GstRTSPConnection * conn, GError ** error)
  * Sets the TLS validation flags to be used to verify the peer
  * certificate when a TLS connection is established.
  *
+ * GLib guarantees that if certificate verification fails, at least one error
+ * will be set, but it does not guarantee that all possible errors will be
+ * set. Accordingly, you may not safely decide to ignore any particular type
+ * of error.
+ *
+ * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+ * you want to allow expired certificates, because this could potentially be
+ * the only error flag set even if other problems exist with the certificate.
+ *
  * Returns: TRUE if the validation flags are set correctly, or FALSE if
  * @conn is NULL or is not a TLS connection.
  *
@@ -657,8 +666,10 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn,
   g_return_val_if_fail (conn != NULL, FALSE);
 
   res = g_socket_client_get_tls (conn->client);
+  G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
   if (res)
     g_socket_client_set_tls_validation_flags (conn->client, flags);
+  G_GNUC_END_IGNORE_DEPRECATIONS;
 
   return res;
 }
@@ -670,7 +681,16 @@ gst_rtsp_connection_set_tls_validation_flags (GstRTSPConnection * conn,
  * Gets the TLS validation flags used to verify the peer certificate
  * when a TLS connection is established.
  *
- * Returns: the validationg flags.
+ * GLib guarantees that if certificate verification fails, at least one error
+ * will be set, but it does not guarantee that all possible errors will be
+ * set. Accordingly, you may not safely decide to ignore any particular type
+ * of error.
+ *
+ * For example, it would be incorrect to ignore %G_TLS_CERTIFICATE_EXPIRED if
+ * you want to allow expired certificates, because this could potentially be
+ * the only error flag set even if other problems exist with the certificate.
+ *
+ * Returns: the validation flags.
  *
  * Since: 1.2.1
  */
@@ -679,7 +699,9 @@ gst_rtsp_connection_get_tls_validation_flags (GstRTSPConnection * conn)
 {
   g_return_val_if_fail (conn != NULL, 0);
 
+  G_GNUC_BEGIN_IGNORE_DEPRECATIONS;
   return g_socket_client_get_tls_validation_flags (conn->client);
+  G_GNUC_END_IGNORE_DEPRECATIONS;
 }
 
 /**
diff --git a/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c b/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c
index e41c7b7f3f..ca95536471 100644
--- a/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c
+++ b/subprojects/gst-plugins-good/gst/rtsp/gstrtspsrc.c
@@ -812,6 +812,16 @@ gst_rtspsrc_class_init (GstRTSPSrcClass * klass)
    * TLS certificate validation flags used to validate server
    * certificate.
    *
+   * GLib guarantees that if certificate verification fails, at least one
+   * error will be set, but it does not guarantee that all possible errors
+   * will be set. Accordingly, you may not safely decide to ignore any
+   * particular type of error.
+   *
+   * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+   * you want to allow expired certificates, because this could potentially be
+   * the only error flag set even if other problems exist with the
+   * certificate.
+   *
    * Since: 1.2.1
    */
   g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS,
diff --git a/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c b/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c
index bb3953c5ed..0c24542d04 100644
--- a/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c
+++ b/subprojects/gst-rtsp-server/gst/rtsp-sink/gstrtspclientsink.c
@@ -666,6 +666,16 @@ gst_rtsp_client_sink_class_init (GstRTSPClientSinkClass * klass)
    * TLS certificate validation flags used to validate server
    * certificate.
    *
+   * GLib guarantees that if certificate verification fails, at least one
+   * error will be set, but it does not guarantee that all possible errors
+   * will be set. Accordingly, you may not safely decide to ignore any
+   * particular type of error.
+   *
+   * For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if
+   * you want to allow expired certificates, because this could potentially be
+   * the only error flag set even if other problems exist with the
+   * certificate.
+   *
    */
   g_object_class_install_property (gobject_class, PROP_TLS_VALIDATION_FLAGS,
       g_param_spec_flags ("tls-validation-flags", "TLS validation flags",