Traneptora/FFmpeg
1
Fork 0
forked from FFmpeg/FFmpeg
Code Pull requests Activity

lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0

Browse source 
As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification
is now mandatory. Our default configuration does not do verification, so
downgrade to 1.2 in these situations to avoid breaking it.

ref: https://github.com/Mbed-TLS/mbedtls/issues/7075

Signed-off-by: Anton Khirnov <anton@khirnov.net>
This commit is contained in:
sfan5 2024-05-17 10:06:42 +02:00 committed by Anton Khirnov
parent ab8f7030bc
commit c28e5b597e
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
libavformat/tls_mbedtls.c
View file

@ -269,6 +269,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
goto fail;
}
#ifdef MBEDTLS_SSL_PROTO_TLS1_3
// mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
if (!shr->verify) {
av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
}
#endif
// not VERIFY_REQUIRED because we manually check after handshake
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);