From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 4F38F40CE4 for ; Thu, 30 Dec 2021 11:04:08 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 34CAF68AEC9; Thu, 30 Dec 2021 13:04:06 +0200 (EET) Received: from mail0.khirnov.net (red.khirnov.net [176.97.15.12]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B204968AC54 for ; Thu, 30 Dec 2021 13:04:00 +0200 (EET) Received: from localhost (localhost [IPv6:::1]) by mail0.khirnov.net (Postfix) with ESMTP id 26DAB24017C for ; Thu, 30 Dec 2021 12:04:00 +0100 (CET) Received: from mail0.khirnov.net ([IPv6:::1]) by localhost (mail0.khirnov.net [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id P1uoUayhCV89 for ; Thu, 30 Dec 2021 12:03:59 +0100 (CET) Received: from lain.red.khirnov.net (lain.red.khirnov.net [IPv6:2001:67c:1138:4306::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "lain.red.khirnov.net", Issuer "smtp.khirnov.net SMTP CA" (verified OK)) by mail0.khirnov.net (Postfix) with ESMTPS id 3C554240179 for ; Thu, 30 Dec 2021 12:03:59 +0100 (CET) Received: by lain.red.khirnov.net (Postfix, from userid 1000) id 65BF116008E; Thu, 30 Dec 2021 12:03:59 +0100 (CET) From: Anton Khirnov To: FFmpeg development discussions and patches In-Reply-To: =?utf-8?q?=3CDB9PR09MB521280779042915CB11BDC14EC449=40DB9PR09MB?= =?utf-8?q?5212=2Eeurprd09=2Eprod=2Eoutlook=2Ecom=3E?= References: =?utf-8?q?=3CDB9PR09MB5212F20AA1CC818151577A11EC749=40DB9PR09MB5?= =?utf-8?q?212=2Eeurprd09=2Eprod=2Eoutlook=2Ecom=3E?= <164080817914.2375.562798804139035140@lain.red.khirnov.net> =?utf-8?q?=3CDB?= =?utf-8?q?9PR09MB521280779042915CB11BDC14EC449=40DB9PR09MB5212=2Eeurprd09?= =?utf-8?q?=2Eprod=2Eoutlook=2Ecom=3E?= Mail-Followup-To: FFmpeg development discussions and patches Date: Thu, 30 Dec 2021 12:03:59 +0100 Message-ID: <164086223930.2375.12892810171860073873@lain.red.khirnov.net> User-Agent: alot/0.8.1 MIME-Version: 1.0 Subject: Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0 X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: Quoting sfan5 (2021-12-29 23:12:37) > On 29.12.2021 at 21:02 Anton Khirnov wrote: > > Quoting sfan5 (2021-12-13 21:55:41) > >> If ca_file was set, setting tls_verify=0 would not actually disable > >> verification. > >> > >> From 2677353187c4e3c20b50a3f9aab53130e3ead99b Mon Sep 17 00:00:00 2001 > >> From: sfan5 > >> Date: Mon, 13 Dec 2021 21:35:40 +0100 > >> Subject: [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0 > >> > >> If ca_file was set, setting tls_verify=0 would not actually disable verification. > >> --- > >> libavformat/tls_mbedtls.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c > >> index aadf17760d..5754d0d018 100644 > >> --- a/libavformat/tls_mbedtls.c > >> +++ b/libavformat/tls_mbedtls.c > >> @@ -223,7 +223,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op > >> } > >> > >> mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, > >> - shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); > >> + shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); > >> mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context); > >> mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL); > >> > >> -- > >> 2.34.1 > > What will happen if verify=1, but ca_file is not set? > > > The verification fails as expected and mbedtls_ssl_handshake returns an > error, just tested. Then patch looks good -- Anton Khirnov _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".