Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
 help / color / mirror / Atom feed

* Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
       [not found] <DB9PR09MB5212F20AA1CC818151577A11EC749@DB9PR09MB5212.eurprd09.prod.outlook.com>
@ 2021-12-27 11:52 ` sfan5
  2021-12-29 20:02 ` Anton Khirnov
  2021-12-30 17:44 ` Jan Ekström
  2 siblings, 0 replies; 5+ messages in thread
From: sfan5 @ 2021-12-27 11:52 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

ping. I'll look at getting this pushed in a few days if there are no 
objections.

> If ca_file was set, setting tls_verify=0 would not actually disable 
> verification.
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
@ 2021-12-29 20:02 ` Anton Khirnov
  2021-12-29 22:12   ` sfan5
  2021-12-30 11:03   ` Anton Khirnov
  0 siblings, 2 replies; 5+ messages in thread
From: Anton Khirnov @ 2021-12-29 20:02 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Quoting sfan5 (2021-12-13 21:55:41)
> If ca_file was set, setting tls_verify=0 would not actually disable 
> verification.
> 
> From 2677353187c4e3c20b50a3f9aab53130e3ead99b Mon Sep 17 00:00:00 2001
> From: sfan5 <sfan5@live.de>
> Date: Mon, 13 Dec 2021 21:35:40 +0100
> Subject: [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
> 
> If ca_file was set, setting tls_verify=0 would not actually disable verification.
> ---
>  libavformat/tls_mbedtls.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
> index aadf17760d..5754d0d018 100644
> --- a/libavformat/tls_mbedtls.c
> +++ b/libavformat/tls_mbedtls.c
> @@ -223,7 +223,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
>      }
>  
>      mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
> -                              shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
> +                              shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
>      mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
>      mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);
>  
> -- 
> 2.34.1

What will happen if verify=1, but ca_file is not set?

-- 
Anton Khirnov
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
  2021-12-29 20:02 ` Anton Khirnov
@ 2021-12-29 22:12   ` sfan5
  2021-12-30 11:03   ` Anton Khirnov
  1 sibling, 0 replies; 5+ messages in thread
From: sfan5 @ 2021-12-29 22:12 UTC (permalink / raw)
  To: ffmpeg-devel

On 29.12.2021 at 21:02 Anton Khirnov wrote:
> Quoting sfan5 (2021-12-13 21:55:41)
>> If ca_file was set, setting tls_verify=0 would not actually disable
>> verification.
>>
>>  From 2677353187c4e3c20b50a3f9aab53130e3ead99b Mon Sep 17 00:00:00 2001
>> From: sfan5 <sfan5@live.de>
>> Date: Mon, 13 Dec 2021 21:35:40 +0100
>> Subject: [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
>>
>> If ca_file was set, setting tls_verify=0 would not actually disable verification.
>> ---
>>   libavformat/tls_mbedtls.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
>> index aadf17760d..5754d0d018 100644
>> --- a/libavformat/tls_mbedtls.c
>> +++ b/libavformat/tls_mbedtls.c
>> @@ -223,7 +223,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
>>       }
>>   
>>       mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
>> -                              shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
>> +                              shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
>>       mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
>>       mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);
>>   
>> -- 
>> 2.34.1
> What will happen if verify=1, but ca_file is not set?
>
The verification fails as expected and mbedtls_ssl_handshake returns an 
error, just tested.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
  2021-12-29 20:02 ` Anton Khirnov
  2021-12-29 22:12   ` sfan5
@ 2021-12-30 11:03   ` Anton Khirnov
  1 sibling, 0 replies; 5+ messages in thread
From: Anton Khirnov @ 2021-12-30 11:03 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Quoting sfan5 (2021-12-29 23:12:37)
> On 29.12.2021 at 21:02 Anton Khirnov wrote:
> > Quoting sfan5 (2021-12-13 21:55:41)
> >> If ca_file was set, setting tls_verify=0 would not actually disable
> >> verification.
> >>
> >>  From 2677353187c4e3c20b50a3f9aab53130e3ead99b Mon Sep 17 00:00:00 2001
> >> From: sfan5 <sfan5@live.de>
> >> Date: Mon, 13 Dec 2021 21:35:40 +0100
> >> Subject: [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
> >>
> >> If ca_file was set, setting tls_verify=0 would not actually disable verification.
> >> ---
> >>   libavformat/tls_mbedtls.c | 2 +-
> >>   1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
> >> index aadf17760d..5754d0d018 100644
> >> --- a/libavformat/tls_mbedtls.c
> >> +++ b/libavformat/tls_mbedtls.c
> >> @@ -223,7 +223,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
> >>       }
> >>   
> >>       mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
> >> -                              shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
> >> +                              shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
> >>       mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
> >>       mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);
> >>   
> >> -- 
> >> 2.34.1
> > What will happen if verify=1, but ca_file is not set?
> >
> The verification fails as expected and mbedtls_ssl_handshake returns an 
> error, just tested.

Then patch looks good

-- 
Anton Khirnov
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
       [not found] <DB9PR09MB5212F20AA1CC818151577A11EC749@DB9PR09MB5212.eurprd09.prod.outlook.com>
  2021-12-27 11:52 ` [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0 sfan5
  2021-12-29 20:02 ` Anton Khirnov
@ 2021-12-30 17:44 ` Jan Ekström
  2 siblings, 0 replies; 5+ messages in thread
From: Jan Ekström @ 2021-12-30 17:44 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

On Mon, Dec 13, 2021 at 10:55 PM sfan5 <sfan5@live.de> wrote:
>
> If ca_file was set, setting tls_verify=0 would not actually disable
> verification.

Applied to master as 65197e9c98f46a79dd02c993cfcb0e70f65878cf .

Jan
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-12-30 17:44 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <DB9PR09MB5212F20AA1CC818151577A11EC749@DB9PR09MB5212.eurprd09.prod.outlook.com>
2021-12-27 11:52 ` [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0 sfan5
2021-12-29 20:02 ` Anton Khirnov
2021-12-29 22:12   ` sfan5
2021-12-30 11:03   ` Anton Khirnov
2021-12-30 17:44 ` Jan Ekström

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
		ffmpegdev@gitmailbox.com
	public-inbox-index ffmpegdev

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git