[FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
Anton Khirnov
anton at khirnov.net
Thu Dec 30 13:03:59 EET 2021
Quoting sfan5 (2021-12-29 23:12:37)
> On 29.12.2021 at 21:02 Anton Khirnov wrote:
> > Quoting sfan5 (2021-12-13 21:55:41)
> >> If ca_file was set, setting tls_verify=0 would not actually disable
> >> verification.
> >>
> >> From 2677353187c4e3c20b50a3f9aab53130e3ead99b Mon Sep 17 00:00:00 2001
> >> From: sfan5 <sfan5 at live.de>
> >> Date: Mon, 13 Dec 2021 21:35:40 +0100
> >> Subject: [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
> >>
> >> If ca_file was set, setting tls_verify=0 would not actually disable verification.
> >> ---
> >> libavformat/tls_mbedtls.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
> >> index aadf17760d..5754d0d018 100644
> >> --- a/libavformat/tls_mbedtls.c
> >> +++ b/libavformat/tls_mbedtls.c
> >> @@ -223,7 +223,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
> >> }
> >>
> >> mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
> >> - shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
> >> + shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
> >> mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
> >> mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);
> >>
> >> --
> >> 2.34.1
> > What will happen if verify=1, but ca_file is not set?
> >
> The verification fails as expected and mbedtls_ssl_handshake returns an
> error, just tested.
Then patch looks good
--
Anton Khirnov
More information about the ffmpeg-devel
mailing list