[FFmpeg-devel] [PATCH v2 4/6] WHIP: X509 cert serial number should be positive.

Jack Lau jacklau1222gm at gmail.com
Wed Jul 2 14:59:53 EEST 2025


From: winlin <winlinvip at gmail.com>

See RFC5280 4.1.2.2

Co-authored-by: winlin <winlinvip at gmail.com>
Signed-off-by: Jack Lau <jacklau1222 at qq.com>
---
 libavformat/tls_openssl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 2a3905891d..4733faec9c 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -316,7 +316,8 @@ static int openssl_gen_certificate(EVP_PKEY *pkey, X509 **cert, char **fingerpri
         goto enomem_end;
     }
 
-    serial = (int)av_get_random_seed();
+    // According to RFC5280 4.1.2.2, The serial number MUST be a positive integer
+    serial = (int)(av_get_random_seed() & 0x7FFFFFFF);
     if (ASN1_INTEGER_set(X509_get_serialNumber(*cert), serial) != 1) {
         av_log(NULL, AV_LOG_ERROR, "TLS: Failed to set serial, %s\n", ERR_error_string(ERR_get_error(), NULL));
         goto einval_end;
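Review bot: the mask on the added line `serial = (int)(av_get_random_seed() & 0x7FFFFFFF);` clears the sign bit but still lets 0 through, and zero is not a positive integer, so the result can still miss the RFC 5280 4.1.2.2 requirement that the new comment cites. Suggest guaranteeing a nonzero value before the `ASN1_INTEGER_set()` call, for example by drawing again while `serial == 0`. Style nit on the added comment: "The" should be lowercase after the comma.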
-- 
2.49.0


