[FFmpeg-cvslog] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version

sfan5 Sun, 15 Sep 2024 04:52:28 -0700

ffmpeg | branch: master | sfan5 <sf...@live.de> | Wed Sep  4 17:56:05 2024 
+0200| [e66f977494a2ff780f4d44d767e8e6cd74cdf14f] | committer: Anton Khirnov


lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version

Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this 
regression.

ref: c28e5b597ecc34188427347ad8d773bf9a0176cd
Signed-off-by: sfan5 <sf...@live.de>
Signed-off-by: Anton Khirnov <an...@khirnov.net>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e66f977494a2ff780f4d44d767e8e6cd74cdf14f
---

 libavformat/tls_mbedtls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 567b95b129..e802c6b872 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -270,8 +270,8 @@ static int tls_open(URLContext *h, const char *uri, int 
flags, AVDictionary **op
     }
 
 #ifdef MBEDTLS_SSL_PROTO_TLS1_3
-    // mbedTLS does not allow disabling certificate verification with TLSv1.3 
(yes, really).
-    if (!shr->verify) {
+    // this version does not allow disabling certificate verification with 
TLSv1.3 (yes, really).
+    if (mbedtls_version_get_number() == 0x03060000 && !shr->verify) {
         av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate 
verification is disabled\n");
         mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, 
MBEDTLS_SSL_VERSION_TLS1_2);
     }

_______________________________________________
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

To unsubscribe, visit link above, or email
ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".

[FFmpeg-cvslog] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version

Reply via email to