From: Timo Rothenpieler <timo@rothenpieler.org>
To: ffmpeg-devel@ffmpeg.org
Cc: Timo Rothenpieler <timo@rothenpieler.org>
Subject: [FFmpeg-devel] [PATCH 08/14] avformat/tls_openssl: clean up peer verify logic in dtls mode
Date: Sun, 13 Jul 2025 21:24:42 +0200
Message-ID: <20250713192512.928390-8-timo@rothenpieler.org> (raw)
In-Reply-To: <20250713192512.928390-1-timo@rothenpieler.org>
---
libavformat/tls_openssl.c | 22 ++++++++--------------
1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index bb9a5b8054..a497d4dfd8 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -674,15 +674,6 @@ static void openssl_info_callback(const SSL *ssl, int where, int ret) {
}
}
-/**
- * Always return 1 to accept any certificate. This is because we allow the peer to
- * use a temporary self-signed certificate for DTLS.
- */
-static int openssl_dtls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-{
- return 1;
-}
-
static int dtls_handshake(URLContext *h)
{
int ret = 1, r0, r1;
@@ -792,13 +783,16 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
ret = openssl_init_ca_key_cert(h);
if (ret < 0) goto fail;
- /* Server will send Certificate Request. */
- SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, openssl_dtls_verify_callback);
- /* The depth count is "level 0:peer certificate", "level 1: CA certificate",
- * "level 2: higher level CA certificate", and so on. */
- SSL_CTX_set_verify_depth(p->ctx, 4);
+ /* Note, this doesn't check that the peer certificate actually matches the requested hostname. */
+ if (c->verify)
+ SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+
+ if (!c->listen && !c->numerichost)
+ SSL_set_tlsext_host_name(p->ssl, c->host);
+
/* Whether we should read as many input bytes as possible (for non-blocking reads) or not. */
SSL_CTX_set_read_ahead(p->ctx, 1);
+
/* Setup the SRTP context */
if (SSL_CTX_set_tlsext_use_srtp(p->ctx, profiles)) {
av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set_tlsext_use_srtp failed, profiles=%s, %s\n",
--
2.49.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-07-13 19:27 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-13 19:24 [FFmpeg-devel] [PATCH 01/14] avformat/tls_openssl: set dtls remote addr in listen mode Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 02/14] avformat/tls_openssl: force dtls handshake to be blocking Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 03/14] avformat/tls_openssl: don't abort if dtls has no key/cert set Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 04/14] avformat/tls_openssl: initialize DTLS context with correct method Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 05/14] avformat/tls_openssl: set default MTU if none is set Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 06/14] avformat/tls_openssl: properly limit written size to data mtu Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 07/14] avformat/tls_openssl: don't hardcode ciphers and curves for dtls Timo Rothenpieler
2025-07-13 19:24 ` Timo Rothenpieler [this message]
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 09/14] avformar/tls_openssl: use correct info callback in DTLS mode Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 10/14] avformat/tls_openssl: don't enable read_ahead in dtls mode Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 11/14] avformat/tls_openssl: properly free generated/read keys and certificates Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 12/14] avformat/tls_openssl: don't expose deprecated EC_KEY outside of its function Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 13/14] avformat/tls_openssl: make generating fingerprints optional Timo Rothenpieler
2025-07-13 19:24 ` [FFmpeg-devel] [PATCH 14/14] avformat/tls_openssl: automatically generate self-signed certificate when none is provided in listen mode Timo Rothenpieler
2025-07-15 11:57 ` [FFmpeg-devel] [PATCH 01/14] avformat/tls_openssl: set dtls remote addr " Timo Rothenpieler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250713192512.928390-8-timo@rothenpieler.org \
--to=timo@rothenpieler.org \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git