ffmpeg | branch: master | sfan5 <sf...@live.de> | Mon May 13 20:27:17 2024 +0200| [1b1e9cadc5c4a4ea3a11d30f17ac7ac9f4018d8f] | committer: Anton Khirnov
lavf/tls_mbedtls: fix handling of certification validation failures We manually check the verification status after the handshake has completed using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED mbedtls_ssl_handshake() already returns an error, so this code is never reached. Fix that by using VERIFY_OPTIONAL, which performs the verification but does not abort the handshake. Signed-off-by: Anton Khirnov <an...@khirnov.net> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1b1e9cadc5c4a4ea3a11d30f17ac7ac9f4018d8f --- libavformat/tls_mbedtls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index ba94ab3a70..f65f2f4020 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -269,8 +269,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } + // not VERIFY_REQUIRED because we manually check after handshake mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, - shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); + shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context); mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL); _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
