The use of TLSv1_method() disallows newer protocol versions; instead
use SSLv23_method() and then explicitly disable the older versions
which should not be supported.
Fixes ticket #5915.
---
libavformat/tls_openssl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index c551ac7..7c9dd61 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -233,12 +233,13 @@ static int tls_open(URLContext *h, const char *uri, int
flags, AVDictionary **op
if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
goto fail;
- p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() :
TLSv1_client_method());
+ p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() :
SSLv23_client_method());
if (!p->ctx) {
av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(),
NULL));
ret = AVERROR(EIO);
goto fail;
}
+ SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
if (c->ca_file) {
if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n",
ERR_error_string(ERR_get_error(), NULL));
--
2.9.3
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
