[FFmpeg-cvslog] [ffmpeg] branch master updated. 5621eee672 avformat/tls: switch on peer certificate verification by default

ffmpeg-git at ffmpeg.org ffmpeg-git at ffmpeg.org
Sat Aug 9 03:39:00 EEST 2025 

The branch, master has been updated
       via  5621eee672391680f432075865e7580189ad0097 (commit)
      from  abf87f09cbc133a75369fe1514a6ebb811c74dff (commit)


- Log -----------------------------------------------------------------
commit 5621eee672391680f432075865e7580189ad0097
Author:     Timo Rothenpieler <timo at rothenpieler.org>
AuthorDate: Tue Aug 5 01:19:07 2025 +0200
Commit:     Timo Rothenpieler <timo at rothenpieler.org>
CommitDate: Sat Aug 9 00:38:17 2025 +0000

    avformat/tls: switch on peer certificate verification by default

diff --git a/Changelog b/Changelog
index 79aad17ffd..be36e137fa 100644
--- a/Changelog
+++ b/Changelog
@@ -4,6 +4,7 @@ releases are sorted from youngest to oldest.
 version <next>:
 - Whisper filter
 - Drop support for OpenSSL < 1.1.0
+- Enable TLS peer certificate verification by default (on next major version bump)
 - yasm support dropped, users need to use nasm
 - VVC VAAPI decoder
 - RealVideo 6.0 decoder
diff --git a/libavformat/tls.h b/libavformat/tls.h
index 0c02a4ab27..df384da604 100644
--- a/libavformat/tls.h
+++ b/libavformat/tls.h
@@ -25,6 +25,7 @@
 
 #include "libavutil/bprint.h"
 #include "libavutil/opt.h"
+#include "version.h"
 
 #include "url.h"
 
@@ -78,10 +79,16 @@ typedef struct TLSShared {
 
 #define TLS_OPTFL (AV_OPT_FLAG_DECODING_PARAM | AV_OPT_FLAG_ENCODING_PARAM)
 
+#if FF_API_NO_DEFAULT_TLS_VERIFY
+#define TLS_VERIFY_DEFAULT 0
+#else
+#define TLS_VERIFY_DEFAULT 1
+#endif
+
 #define FF_TLS_CLIENT_OPTIONS(pstruct, options_field) \
     {"ca_file",    "Certificate Authority database file", offsetof(pstruct, options_field . ca_file),   AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"cafile",     "Certificate Authority database file", offsetof(pstruct, options_field . ca_file),   AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
-    {"tls_verify", "Verify the peer certificate",         offsetof(pstruct, options_field . verify),    AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
+    {"tls_verify", "Verify the peer certificate",         offsetof(pstruct, options_field . verify),    AV_OPT_TYPE_INT, { .i64 = TLS_VERIFY_DEFAULT }, 0, 1, .flags = TLS_OPTFL }, \
     {"cert_file",  "Certificate file",                    offsetof(pstruct, options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"key_file",   "Private key file",                    offsetof(pstruct, options_field . key_file),  AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"verifyhost", "Verify against a specific hostname",  offsetof(pstruct, options_field . host),      AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }
diff --git a/libavformat/version_major.h b/libavformat/version_major.h
index 61338d339f..c2f6e1616b 100644
--- a/libavformat/version_major.h
+++ b/libavformat/version_major.h
@@ -45,6 +45,8 @@
 
 #define FF_API_INTERNAL_TIMING          (LIBAVFORMAT_VERSION_MAJOR < 63)
 
+#define FF_API_NO_DEFAULT_TLS_VERIFY    (LIBAVFORMAT_VERSION_MAJOR < 63)
+
 #define FF_API_R_FRAME_RATE            1
 
 #endif /* AVFORMAT_VERSION_MAJOR_H */

-----------------------------------------------------------------------

Summary of changes:
 Changelog                   | 1 +
 libavformat/tls.h           | 9 ++++++++-
 libavformat/version_major.h | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)


hooks/post-receive
--

More information about the ffmpeg-cvslog mailing list