From: Timo Rothenpieler
To: ffmpeg-devel@ffmpeg.org
Cc: Timo Rothenpieler
Date: Sun, 13 Jul 2025 21:24:42 +0200
Message-ID: <20250713192512.928390-8-timo@rothenpieler.org>
In-Reply-To: <20250713192512.928390-1-timo@rothenpieler.org>
References: <20250713192512.928390-1-timo@rothenpieler.org>
X-Mailer: git-send-email 2.49.0
Subject: [FFmpeg-devel] [PATCH 08/14] avformat/tls_openssl: clean up peer verify logic in dtls mode

--- libavformat/tls_openssl.c | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index bb9a5b8054..a497d4dfd8 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -674,15 +674,6 @@ static void openssl_info_callback(const SSL *ssl, int where, int ret) { } } -/** - * Always return 1 to accept any certificate. This is because we allow the peer to - * use a temporary self-signed certificate for DTLS. - */ -static int openssl_dtls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) -{ - return 1; -} - static int dtls_handshake(URLContext *h) { int ret = 1, r0, r1;
@@ -792,13 +783,16 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** ret = openssl_init_ca_key_cert(h); if (ret < 0) goto fail; - /* Server will send Certificate Request. */ - SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, openssl_dtls_verify_callback); - /* The depth count is "level 0:peer certificate", "level 1: CA certificate", - * "level 2: higher level CA certificate", and so on. */ - SSL_CTX_set_verify_depth(p->ctx, 4); + /* Note, this doesn't check that the peer certificate actually matches the requested hostname. */ + if (c->verify) + SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); + + if (!c->listen && !c->numerichost) + SSL_set_tlsext_host_name(p->ssl, c->host); + /* Whether we should read as many input bytes as possible (for non-blocking reads) or not. */ SSL_CTX_set_read_ahead(p->ctx, 1); + /* Setup the SRTP context */ if (SSL_CTX_set_tlsext_use_srtp(p->ctx, profiles)) { av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set_tlsext_use_srtp failed, profiles=%s, %s\n", -- 2.49.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
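Review bot: on the first hunk (@@ -674,15 +674,6 @@), removing openssl_dtls_verify_callback() is correct, since a callback that unconditionally returns 1 turns SSL_VERIFY_PEER into accept-anything, but the removed doc comment also recorded the design decision that a DTLS peer may present a temporary self-signed certificate, and nothing in the new code or the commit message says what happens to such a peer now. With a NULL callback and SSL_VERIFY_PEER, a self-signed peer certificate fails the handshake unless the CA loaded by openssl_init_ca_key_cert() covers it, so please state in the commit message that verify=1 now rejects self-signed DTLS peers (if that is intended), rather than silently dropping the rationale.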
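Review bot: on the second hunk (@@ -792,13 +783,16 @@), the new comment "Note, this doesn't check that the peer certificate actually matches the requested hostname." describes a gap that can be closed in the same place: the branch that already does `if (!c->listen && !c->numerichost) SSL_set_tlsext_host_name(p->ssl, c->host);` only sets SNI, whereas adding `SSL_set1_host(p->ssl, c->host);` next to it (OpenSSL 1.1.0+) makes the built-in verifier enforce the name match whenever c->verify is set, with no custom callback. Two further behaviour changes in this hunk deserve a mention: the explicit `SSL_CTX_set_verify_depth(p->ctx, 4);` is dropped without replacement, so chain depth falls back to OpenSSL's default of 100; and because SSL_CTX_set_verify() is now only called when c->verify is set, the unverified case leaves the context at OpenSSL's default SSL_VERIFY_NONE, so a listening endpoint no longer sends a CertificateRequest at all (contrast the removed "Server will send Certificate Request." comment), while with c->verify set the new SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT makes a client certificate mandatory on the listen side. If the DTLS path needs the peer's certificate even when c->verify is unset, the listen side should keep SSL_VERIFY_PEER there with a permissive callback instead of falling through to SSL_VERIFY_NONE.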