[FFmpeg-devel] [PATCH 4/4] lavf/tls: verify TLS connections by default whenever possible
Ridley Combs
rcombs at rcombs.me
Wed Jun 3 10:40:53 EEST 2020
> On Jun 3, 2020, at 02:32, Moritz Barsnick <barsnick at gmx.net> wrote:
>
> On Fri, May 29, 2020 at 22:57:53 -0500, rcombs wrote:
>> {"cafile", "Certificate Authority database file", offsetof(pstruct, options_field . ca_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
>> - {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
>> + {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_BOOL, { .i64 = -1 }, -1, 1, .flags = TLS_OPTFL }, \
>> {"cert_file", "Certificate file", offsetof(pstruct, options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
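Review bot: The help string on the changed tls_verify line still reads "Verify the peer certificate" although the default becomes -1 and the accepted range becomes -1..1, so the option listing gives no hint of what the third state means. Suggest stating the meaning of -1 in the help text (going by the patch subject, "verify whenever possible") and in the protocol documentation. Since -1 is nonzero, it is also worth confirming that every TLS backend reading the verify field handles -1 explicitly instead of testing the field as a plain truth value.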
>
> Strictly speaking, this is a change in behavior, so I would at least
> appreciate a version bump.
>
> The reasoning is that some hosts which used to work will stop doing so,
> namely those with self-signed (untrusted) certificates, expired
> certificates, and for clients with an outdated CA certificates store.
> Yes, this new behavior is desired, but it suddenly "breaks stuff".
Reasonable; what level should it be? I'd guess a minor bump? Though traditionally AVOption changes are micro.
>
> Cheers,
> Moritz