From 9df718654e45eb02c1f2b3f29b4554a6a90900ef Mon Sep 17 00:00:00 2001 From: sfan5 <sf...@live.de> Date: Fri, 17 May 2024 10:06:42 +0200 Subject: [PATCH v3 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0
As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification is now mandatory. Our default configuration does not do verification, so downgrade to 1.2 in these situations to avoid breaking it. ref: https://github.com/Mbed-TLS/mbedtls/issues/7075 Signed-off-by: sfan5 <sf...@live.de> --- libavformat/tls_mbedtls.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 91e93fb862..567b95b129 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -269,6 +269,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } +#ifdef MBEDTLS_SSL_PROTO_TLS1_3 + // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really). + if (!shr->verify) { + av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n"); + mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2); + } +#endif + // not VERIFY_REQUIRED because we manually check after handshake mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE); -- 2.45.2
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
