[FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
sfan5
sfan5 at live.de
Thu Dec 30 00:12:37 EET 2021
On 29.12.2021 at 21:02 Anton Khirnov wrote:
> Quoting sfan5 (2021-12-13 21:55:41)
>> If ca_file was set, setting tls_verify=0 would not actually disable
>> verification.
>>
>> From 2677353187c4e3c20b50a3f9aab53130e3ead99b Mon Sep 17 00:00:00 2001
>> From: sfan5 <sfan5 at live.de>
>> Date: Mon, 13 Dec 2021 21:35:40 +0100
>> Subject: [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
>>
>> If ca_file was set, setting tls_verify=0 would not actually disable verification.
>> ---
>> libavformat/tls_mbedtls.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
>> index aadf17760d..5754d0d018 100644
>> --- a/libavformat/tls_mbedtls.c
>> +++ b/libavformat/tls_mbedtls.c
>> @@ -223,7 +223,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
>> }
>>
>> mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
>> - shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
>> + shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
>> mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
>> mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);
>>
>> --
>> 2.34.1
> What will happen if verify=1, but ca_file is not set?
>
The verification fails as expected and mbedtls_ssl_handshake returns an
error, just tested.
More information about the ffmpeg-devel
mailing list