From 57b37df52c7d528a1ce926cd7a7d75f62f6b46c6 Mon Sep 17 00:00:00 2001
From: sfan5 <sf...@live.de>
Date: Wed, 4 Sep 2024 17:56:05 +0200
Subject: [PATCH] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to
affected version
Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression.
ref: c28e5b597ecc34188427347ad8d773bf9a0176cd
Signed-off-by: sfan5 <sf...@live.de>
---
libavformat/tls_mbedtls.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 567b95b129..6dd807d5b6 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -269,8 +269,8 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
goto fail;
}
-#ifdef MBEDTLS_SSL_PROTO_TLS1_3
- // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && MBEDTLS_VERSION_NUMBER == 0x03060000
+ // this version does not allow disabling certificate verification with TLSv1.3 (yes, really).
if (!shr->verify) {
av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
--
2.46.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
