[FFmpeg-devel] [PATCH] fix tls 1.2 when ffmpeg is compiled with openssl
Hendrik Leppkes
h.leppkes at gmail.com
Sat Oct 29 00:15:48 EEST 2016
On Fri, Oct 28, 2016 at 11:13 PM, Hendrik Leppkes <h.leppkes at gmail.com> wrote:
> On Fri, Oct 28, 2016 at 8:42 PM, Martin Larsson
> <martin.larsson2 at gmail.com> wrote:
>> Made by vpeter of the LibreELEC project.
>>
>> --- a/libavformat/tls_openssl.c 2016-10-28 18:52:40.526626700 +0200
>> +++ b/libavformat/tls_openssl.c 2016-10-28 19:21:41.520615426 +0200
>> @@ -233,7 +233,8 @@ static int tls_open(URLContext *h, const
>> if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
>> goto fail;
>>
>> - p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() :
>> TLSv1_client_method());
>> + //SSLv23_client_method allows to use TLS v1.2 protocol
>> + p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() :
>> SSLv23_client_method());
>> if (!p->ctx) {
>> av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(),
>> NULL));
>> ret = AVERROR(EIO);
>
> To ensure the same security restrictions apply as before, it should
> perhaps set the options to disable SSLv2/3 then?
>
> SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)
>
> Otherwise looks fine, the API seems to be rather weird there.
>
Nevermind, there is another patch on the ML doing just this.
More information about the ffmpeg-devel
mailing list