[FFmpeg-cvslog] lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0

sfan5 git at videolan.org
Tue Jun 18 08:24:05 EEST 2024


ffmpeg | branch: master | sfan5 <sfan5 at live.de> | Fri May 17 10:06:42 2024 +0200| [c28e5b597ecc34188427347ad8d773bf9a0176cd] | committer: Anton Khirnov

lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0

As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification
is now mandatory. Our default configuration does not do verification, so
downgrade to 1.2 in these situations to avoid breaking it.

ref: https://github.com/Mbed-TLS/mbedtls/issues/7075

Signed-off-by: Anton Khirnov <anton at khirnov.net>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c28e5b597ecc34188427347ad8d773bf9a0176cd
---

 libavformat/tls_mbedtls.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 91e93fb862..567b95b129 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -269,6 +269,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
         goto fail;
     }
 
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+    // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
+    if (!shr->verify) {
+        av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
+        mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
+    }
+#endif
+
     // not VERIFY_REQUIRED because we manually check after handshake
     mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
                               shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);



More information about the ffmpeg-cvslog mailing list