Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0

sfan5 Wed, 29 Dec 2021 14:13:02 -0800

On 29.12.2021 at 21:02 Anton Khirnov wrote:

Quoting sfan5 (2021-12-13 21:55:41)

If ca_file was set, setting tls_verify=0 would not actually disable
verification.


 From 2677353187c4e3c20b50a3f9aab53130e3ead99b Mon Sep 17 00:00:00 2001
From: sfan5 <sf...@live.de>
Date: Mon, 13 Dec 2021 21:35:40 +0100
Subject: [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0

If ca_file was set, setting tls_verify=0 would not actually disable 
verification.
---
  libavformat/tls_mbedtls.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index aadf17760d..5754d0d018 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -223,7 +223,7 @@ static int tls_open(URLContext *h, const char *uri, int 
flags, AVDictionary **op
      }

mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,

-                              shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : 
MBEDTLS_SSL_VERIFY_NONE);
+                              shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : 
MBEDTLS_SSL_VERIFY_NONE);
      mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, 
&tls_ctx->ctr_drbg_context);
      mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);

--

2.34.1

What will happen if verify=1, but ca_file is not set?

The verification fails as expected and mbedtls_ssl_handshake returns anerror, just tested.


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0

Reply via email to