From: sfan5 <sfan5@live.de>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH v3 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.
Date: Tue, 4 Jun 2024 12:27:59 +0200
Message-ID: <DU0PR03MB9567E668735F33284FE87616ECF82@DU0PR03MB9567.eurprd03.prod.outlook.com> (raw)
[-- Attachment #1: v3-0006-lavf-tls_mbedtls-add-workaround-for-TLSv1.3-vs.-v.patch --]
[-- Type: text/x-patch, Size: 1496 bytes --]
From 9df718654e45eb02c1f2b3f29b4554a6a90900ef Mon Sep 17 00:00:00 2001
From: sfan5 <sfan5@live.de>
Date: Fri, 17 May 2024 10:06:42 +0200
Subject: [PATCH v3 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.
verify=0
As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification
is now mandatory. Our default configuration does not do verification, so
downgrade to 1.2 in these situations to avoid breaking it.
ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
Signed-off-by: sfan5 <sfan5@live.de>
---
libavformat/tls_mbedtls.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 91e93fb862..567b95b129 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -269,6 +269,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
goto fail;
}
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+ // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
+ if (!shr->verify) {
+ av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
+ mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
+ }
+#endif
+
// not VERIFY_REQUIRED because we manually check after handshake
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
--
2.45.2
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
reply other threads:[~2024-06-04 10:28 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DU0PR03MB9567E668735F33284FE87616ECF82@DU0PR03MB9567.eurprd03.prod.outlook.com \
--to=sfan5@live.de \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git