From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 6A81349734
	for <ffmpegdev@gitmailbox.com>; Tue, 18 Jun 2024 05:24:45 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id CC8E868D70E;
	Tue, 18 Jun 2024 08:24:42 +0300 (EEST)
Received: from mail0.khirnov.net (red.khirnov.net [176.97.15.12])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 0537C68D59D
 for <ffmpeg-devel@ffmpeg.org>; Tue, 18 Jun 2024 08:24:36 +0300 (EEST)
Authentication-Results: mail0.khirnov.net; dkim=pass (2048-bit key;
 unprotected) header.d=khirnov.net header.i=@khirnov.net header.a=rsa-sha256
 header.s=mail header.b=srGoIUkX; dkim-atps=neutral
Received: from localhost (localhost [IPv6:::1])
 by mail0.khirnov.net (Postfix) with ESMTP id AE63C240DAC
 for <ffmpeg-devel@ffmpeg.org>; Tue, 18 Jun 2024 07:24:35 +0200 (CEST)
Received: from mail0.khirnov.net ([IPv6:::1])
 by localhost (mail0.khirnov.net [IPv6:::1]) (amavis, port 10024) with ESMTP
 id QrkdvbAuBTak for <ffmpeg-devel@ffmpeg.org>;
 Tue, 18 Jun 2024 07:24:35 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=khirnov.net; s=mail;
 t=1718688275; bh=DWZGuGvLfK8EQdNAnLxygPuPDwxsGrvn+mLw0Vm1t3w=;
 h=Subject:From:To:In-Reply-To:References:Date:From;
 b=srGoIUkXPTVo4WMrB8z6SDvebtEpqHbW/Yo3TgK3smzlAKZF0ASBh9DxEEk41ascF
 KZE9T9gTAjvD0HBop+XiQcf9bgRu2rxIyVIqNO8CN2Az86jwZPCCLQzXkW2f7bwaGl
 yrHkSxU3bH7ZdrB9mw44J5tEeZTuVaviP/gWmXVW7vRSfIaFLWn8HWh0iZna/kNGN4
 65cIh2A74GVVTZYBUyDKkiFZstRJBf1H3YHNZPzQ6DPeDhKmAU/Ipri/kGWxWNR3uQ
 gayWOoqexxgK1I5cvOzFw3VHvSyKzNhdTKV5hL4YtXCuWk8DWRXiWpfqByexzdlJc5
 kRUEN4GStOKOg==
Received: from lain.khirnov.net (lain.khirnov.net [IPv6:2001:67c:1138:4306::3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "lain.khirnov.net", Issuer "smtp.khirnov.net SMTP CA" (verified OK))
 by mail0.khirnov.net (Postfix) with ESMTPS id 07ACA2404E5
 for <ffmpeg-devel@ffmpeg.org>; Tue, 18 Jun 2024 07:24:35 +0200 (CEST)
Received: by lain.khirnov.net (Postfix, from userid 1000)
 id E66A31601B9; Tue, 18 Jun 2024 07:24:34 +0200 (CEST)
From: Anton Khirnov <anton@khirnov.net>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
In-Reply-To: <DU0PR03MB9567EEBBF42FB86F38314372ECC72@DU0PR03MB9567.eurprd03.prod.outlook.com>
References: <DU0PR03MB9567BE0789EACC480C6CB098ECEE2@DU0PR03MB9567.eurprd03.prod.outlook.com>
 <171811817188.28895.14156769467014850780@lain.khirnov.net>
 <DU0PR03MB9567EEBBF42FB86F38314372ECC72@DU0PR03MB9567.eurprd03.prod.outlook.com>
Mail-Followup-To: FFmpeg development discussions and patches
 <ffmpeg-devel@ffmpeg.org>
Date: Tue, 18 Jun 2024 07:24:34 +0200
Message-ID: <171868827491.28895.5099830206567213249@lain.khirnov.net>
User-Agent: alot/0.8.1
MIME-Version: 1.0
Subject: Re: [FFmpeg-devel] [PATCH 6/6] lavf/tls_mbedtls: add workaround for
 TLSv1.3 vs. verify=0
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/171868827491.28895.5099830206567213249@lain.khirnov.net/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

Quoting sfan5 (2024-06-11 18:17:00)
> Am 11.06.24 um 17:02 schrieb Anton Khirnov:
> > Quoting Sfan5 (2024-05-17 10:34:50)
> >> As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate
> >> verification
> >> is now mandatory. Our default configuration does not do verification, so
> >> downgrade to 1.2 in these situations to avoid breaking it.
> >>
> >> ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
> >> Signed-off-by: sfan5 <sfan5@live.de>
> >> ---
> > Would it not be simpler to simply set authmode to
> > MBEDTLS_SSL_VERIFY_OPTIONAL unconditionally, then just disregard the
> > verification result?
> >
> That's the thing and it's exactly as stupid as it sounds: When using 
> TLSv1.3 it will ignore the MBEDTLS_SSL_VERIFY mode entirely.
> 
> If the verification doesn't pass the handshake fails and you don't get 
> an usable connection. I'm hoping the mbedTLS devs realize at some point 
> how nonviable this is and fix it but as of right now this is the only 
> way to not have ffmpeg "randomly" (depending on if the server speaks 
> TLSv1.3) fail with mbedTLS 3.6.0.

uh...that sure is...special

Patch pushed then.

-- 
Anton Khirnov
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".