From: Timo Rothenpieler <timo@rothenpieler.org>
To: ffmpeg-devel@ffmpeg.org
Cc: Timo Rothenpieler <timo@rothenpieler.org>
Subject: [FFmpeg-devel] [PATCH 07/14] avformat/tls_openssl: don't hardcode ciphers and curves for dtls
Date: Sun, 13 Jul 2025 21:24:41 +0200
Message-ID: <20250713192512.928390-7-timo@rothenpieler.org> (raw)
In-Reply-To: <20250713192512.928390-1-timo@rothenpieler.org>
---
libavformat/tls_openssl.c | 22 ----------------------
1 file changed, 22 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 8326762592..bb9a5b8054 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -776,15 +776,12 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
TLSShared *c = &p->tls_shared;
int ret = 0;
c->is_dtls = 1;
- const char* ciphers = "ALL";
/**
* The profile for OpenSSL's SRTP is SRTP_AES128_CM_SHA1_80, see ssl/d1_srtp.c.
* The profile for FFmpeg's SRTP is SRTP_AES128_CM_HMAC_SHA1_80, see libavformat/srtp.c.
*/
const char* profiles = "SRTP_AES128_CM_SHA1_80";
- /* Refer to the test cases regarding these curves in the WebRTC code. */
- const char* curves = "X25519:P-256:P-384:P-521";
p->ctx = SSL_CTX_new(c->listen ? DTLS_server_method() : DTLS_client_method());
if (!p->ctx) {
@@ -792,25 +789,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
goto fail;
}
- /* For ECDSA, we could set the curves list. */
- if (SSL_CTX_set1_curves_list(p->ctx, curves) != 1) {
- av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set1_curves_list failed, curves=%s, %s\n",
- curves, openssl_get_error(p));
- ret = AVERROR(EINVAL);
- return ret;
- }
-
- /**
- * We activate "ALL" cipher suites to align with the peer's capabilities,
- * ensuring maximum compatibility.
- */
- if (SSL_CTX_set_cipher_list(p->ctx, ciphers) != 1) {
- av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set_cipher_list failed, ciphers=%s, %s\n",
- ciphers, openssl_get_error(p));
- ret = AVERROR(EINVAL);
- return ret;
- }
-
ret = openssl_init_ca_key_cert(h);
if (ret < 0) goto fail;
--
2.49.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-07-13 19:27 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-13 19:24 [FFmpeg-devel] [PATCH 01/14] avformat/tls_openssl: set dtls remote addr in listen mode Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 02/14] avformat/tls_openssl: force dtls handshake to be blocking Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 03/14] avformat/tls_openssl: don't abort if dtls has no key/cert set Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 04/14] avformat/tls_openssl: initialize DTLS context with correct method Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 05/14] avformat/tls_openssl: set default MTU if none is set Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 06/14] avformat/tls_openssl: properly limit written size to data mtu Timo Rothenpieler
2025-07-13 19:24 ` Timo Rothenpieler [this message]
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 08/14] avformat/tls_openssl: clean up peer verify logic in dtls mode Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 09/14] avformar/tls_openssl: use correct info callback in DTLS mode Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 10/14] avformat/tls_openssl: don't enable read_ahead in dtls mode Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 11/14] avformat/tls_openssl: properly free generated/read keys and certificates Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 12/14] avformat/tls_openssl: don't expose deprecated EC_KEY outside of its function Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 13/14] avformat/tls_openssl: make generating fingerprints optional Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 14/14] avformat/tls_openssl: automatically generate self-signed certificate when none is provided in listen mode Timo Rothenpieler
2025-07-15 11:57 ` [FFmpeg-devel] [PATCH 01/14] avformat/tls_openssl: set dtls remote addr " Timo Rothenpieler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250713192512.928390-7-timo@rothenpieler.org \
--to=timo@rothenpieler.org \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git