From 98dd9aac129fbdf07f83da16b7307cb775ff8e66 Mon Sep 17 00:00:00 2001 From: sfan5 Date: Fri, 17 May 2024 10:06:42 +0200 Subject: [PATCH v2 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0 As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification is now mandatory. Our default configuration does not do verification, so downgrade to 1.2 in these situations to avoid breaking it. ref: https://github.com/Mbed-TLS/mbedtls/issues/7075 Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 9be817af5e..fbad23ab8c 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -163,6 +163,10 @@ static void handle_handshake_error(URLContext *h, int ret) case MBEDTLS_ERR_SSL_INTERNAL_ERROR: av_log(h, AV_LOG_ERROR, "Internal error encountered.\n"); break; + case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: + // This error only happens with TLSv1.3, we normally use mbedtls_ssl_get_verify_result(). + av_log(h, AV_LOG_ERROR, "Certificate verification failed.\n"); + break; case MBEDTLS_ERR_NET_CONN_RESET: av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n"); break; @@ -266,6 +270,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } +#ifdef MBEDTLS_SSL_PROTO_TLS1_3 + // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really). + if (!shr->verify) { + av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n"); + mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2); + } +#endif + // not VERIFY_REQUIRED because we manually check after handshake mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE); -- 2.45.1