[FFmpeg-devel] [PATCH 8/8] avformat/tls_openssl: use SSL_CTX_set_min_proto_version
Marvin Scholz
epirat07 at gmail.com
Wed Jun 25 22:59:16 EEST 2025
Using SSL_CTX_set_options to disallow specific versions is
discouraged by the documentation, which recommends to use
SSL_CTX_set_min_proto_version instead.
---
libavformat/tls_openssl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 72ee36e7af..e10ccf1cb8 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -901,7 +901,11 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
ret = AVERROR(EIO);
goto fail;
}
- SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ if (!SSL_CTX_set_min_proto_version(p->ctx, TLS1_VERSION)) {
+ av_log(h, AV_LOG_ERROR, "Failed to set minimum TLS version to TLSv1\n");
+ ret = AVERROR_EXTERNAL;
+ goto fail;
+ }
ret = openssl_init_ca_key_cert(h);
if (ret < 0) goto fail;
// Note, this doesn't check that the peer certificate actually matches
--
2.39.5 (Apple Git-154)
More information about the ffmpeg-devel
mailing list