[FFmpeg-cvslog] avformat/tls_openssl: don't hardcode ciphers and curves for dtls

Timo Rothenpieler git at videolan.org
Wed Jul 16 20:07:18 EEST 2025


ffmpeg | branch: master | Timo Rothenpieler <timo at rothenpieler.org> | Sun Jul 13 16:34:44 2025 +0200| [95fd0840feb2d0d37cf57045bf02b84244bc3f78] | committer: Timo Rothenpieler

avformat/tls_openssl: don't hardcode ciphers and curves for dtls

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=95fd0840feb2d0d37cf57045bf02b84244bc3f78
---

 libavformat/tls_openssl.c | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 8326762592..bb9a5b8054 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -776,15 +776,12 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
     TLSShared *c = &p->tls_shared;
     int ret = 0;
     c->is_dtls = 1;
-    const char* ciphers = "ALL";
 
     /**
      * The profile for OpenSSL's SRTP is SRTP_AES128_CM_SHA1_80, see ssl/d1_srtp.c.
      * The profile for FFmpeg's SRTP is SRTP_AES128_CM_HMAC_SHA1_80, see libavformat/srtp.c.
      */
     const char* profiles = "SRTP_AES128_CM_SHA1_80";
-    /* Refer to the test cases regarding these curves in the WebRTC code. */
-    const char* curves = "X25519:P-256:P-384:P-521";
 
     p->ctx = SSL_CTX_new(c->listen ? DTLS_server_method() : DTLS_client_method());
     if (!p->ctx) {
@@ -792,25 +789,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
         goto fail;
     }
 
-    /* For ECDSA, we could set the curves list. */
-    if (SSL_CTX_set1_curves_list(p->ctx, curves) != 1) {
-        av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set1_curves_list failed, curves=%s, %s\n",
-            curves, openssl_get_error(p));
-        ret = AVERROR(EINVAL);
-        return ret;
-    }
-
-    /**
-     * We activate "ALL" cipher suites to align with the peer's capabilities,
-     * ensuring maximum compatibility.
-     */
-    if (SSL_CTX_set_cipher_list(p->ctx, ciphers) != 1) {
-        av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set_cipher_list failed, ciphers=%s, %s\n",
-            ciphers, openssl_get_error(p));
-        ret = AVERROR(EINVAL);
-        return ret;
-    }
-
     ret = openssl_init_ca_key_cert(h);
     if (ret < 0) goto fail;
 


