From: sfan5 <sfan5@live.de>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0
Date: Tue, 11 Jun 2024 18:17:00 +0200
Message-ID: <DU0PR03MB9567EEBBF42FB86F38314372ECC72@DU0PR03MB9567.eurprd03.prod.outlook.com> (raw)
In-Reply-To: <171811817188.28895.14156769467014850780@lain.khirnov.net>
Am 11.06.24 um 17:02 schrieb Anton Khirnov:
> Quoting Sfan5 (2024-05-17 10:34:50)
>> As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate
>> verification
>> is now mandatory. Our default configuration does not do verification, so
>> downgrade to 1.2 in these situations to avoid breaking it.
>>
>> ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
>> Signed-off-by: sfan5 <sfan5@live.de>
>> ---
> Would it not be simpler to simply set authmode to
> MBEDTLS_SSL_VERIFY_OPTIONAL unconditionally, then just disregard the
> verification result?
>
That's the thing and it's exactly as stupid as it sounds: When using
TLSv1.3 it will ignore the MBEDTLS_SSL_VERIFY mode entirely.
If the verification doesn't pass the handshake fails and you don't get
an usable connection. I'm hoping the mbedTLS devs realize at some point
how nonviable this is and fix it but as of right now this is the only
way to not have ffmpeg "randomly" (depending on if the server speaks
TLSv1.3) fail with mbedTLS 3.6.0.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2024-06-11 16:17 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-17 8:34 Sfan5
2024-06-11 15:02 ` Anton Khirnov
2024-06-11 16:17 ` sfan5 [this message]
2024-06-18 5:24 ` Anton Khirnov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DU0PR03MB9567EEBBF42FB86F38314372ECC72@DU0PR03MB9567.eurprd03.prod.outlook.com \
--to=sfan5@live.de \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git