[FFmpeg-devel] [PATCH v2 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.

From: sfan5 <sfan5@live.de>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH v2 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.
Date: Wed, 29 May 2024 13:03:21 +0200
Message-ID: <DU0PR03MB9567ADBB2A919DBA7A64D616ECF22@DU0PR03MB9567.eurprd03.prod.outlook.com> (raw)

[-- Attachment #1: v2-0006-lavf-tls_mbedtls-add-workaround-for-TLSv1.3-vs.-v.patch --]
[-- Type: text/x-patch, Size: 2069 bytes --]

From 98dd9aac129fbdf07f83da16b7307cb775ff8e66 Mon Sep 17 00:00:00 2001
From: sfan5 <sfan5@live.de>
Date: Fri, 17 May 2024 10:06:42 +0200
Subject: [PATCH v2 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.
 verify=0

As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification
is now mandatory. Our default configuration does not do verification, so
downgrade to 1.2 in these situations to avoid breaking it.

ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
Signed-off-by: sfan5 <sfan5@live.de>
---
 libavformat/tls_mbedtls.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 9be817af5e..fbad23ab8c 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -163,6 +163,10 @@ static void handle_handshake_error(URLContext *h, int ret)
     case MBEDTLS_ERR_SSL_INTERNAL_ERROR:
         av_log(h, AV_LOG_ERROR, "Internal error encountered.\n");
         break;
+    case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
+        // This error only happens with TLSv1.3, we normally use mbedtls_ssl_get_verify_result().
+        av_log(h, AV_LOG_ERROR, "Certificate verification failed.\n");
+        break;
     case MBEDTLS_ERR_NET_CONN_RESET:
         av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n");
         break;
@@ -266,6 +270,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
         goto fail;
     }
 
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+    // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
+    if (!shr->verify) {
+        av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
+        mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
+    }
+#endif
+
     // not VERIFY_REQUIRED because we manually check after handshake
     mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
                               shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
-- 
2.45.1


[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
