[FFmpeg-cvslog] avformat/tls_openssl: load default verify locations
Marvin Scholz
git at videolan.org
Tue Jul 22 03:58:46 EEST 2025
ffmpeg | branch: master | Marvin Scholz <epirat07 at gmail.com> | Tue Jul 8 20:05:47 2025 +0200| [080dc4cf5479d000b8ac66bbb93e72c70ec4dda8] | committer: Marvin Scholz
avformat/tls_openssl: load default verify locations
When no explicit CAs file is set, load the default locations,
else there is no way for verification to succeed.
This matches the behavior of other TLS backends.
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=080dc4cf5479d000b8ac66bbb93e72c70ec4dda8
---
libavformat/tls_openssl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 49f26860b1..0a7998210f 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -740,6 +740,12 @@ static av_cold int openssl_init_ca_key_cert(URLContext *h)
if (c->ca_file) {
if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", openssl_get_error(p));
+ } else {
+ if (!SSL_CTX_set_default_verify_paths(p->ctx)) {
+ // Only log the failure but do not error out, as this is not fatal
+ av_log(h, AV_LOG_WARNING, "Failure setting default verify locations: %s\n",
+ openssl_get_error(p));
+ }
}
if (c->cert_file) {
More information about the ffmpeg-cvslog
mailing list