[FFmpeg-devel] [PATCH 0/5] TLS/SSL improvements (round 2)
Peter Ross
pross at xvid.org
Sun Jul 22 06:24:35 CEST 2012
This is an updated set with doc and support for client/server cert verification.
doc/protocols.texi gives a simple use example. Below are three scripts that I have
used for testing:
- genkeys.sh - generate a dummy CA, and client and server certificates for testing
- ff_server.sh - serves up a test avi file
- ff_client.sh - connects to server and displays file
Peter Ross (5):
tls: cafile, cert, key options
tls: verify option
tls: parse uri path options to underlying tcp URLContext
tls: TLS/SSL server
tls: user documentation
doc/protocols.texi | 42 ++++++++++++++++++++++++++++++
libavformat/tls.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++------
2 files changed, 107 insertions(+), 8 deletions(-)
---- genkeys.sh ---
#!/bin/sh
TMPDIR=$(mktemp -d)
CA_KEY=ca.key
CA_CRT=ca.crt
CLIENT_KEY=client.key
CLIENT_CRT=client.crt
SERVER_KEY=server.key
SERVER_CRT=server.crt
## 1) Generate Certificate Authority Certificate
openssl req -new -x509 -keyout "$CA_KEY" -out "$CA_CRT" -days 365 -subj '/CN=FFmpeg Test Root Certificate'
## 2a) Generate Private Keys
openssl genrsa -out "$CLIENT_KEY" 2048
openssl genrsa -out "$SERVER_KEY" 2048
## 3a) Generate Certificate Requests
CLIENT_REQ="$TMPDIR/client.req"
SERVER_REQ="$TMPDIR/server.req"
openssl req -out "$CLIENT_REQ" -key "$CLIENT_KEY" -new -subj '/CN=localhost/O=Acme Secure Client'
openssl req -out "$SERVER_REQ" -key "$SERVER_KEY" -new -subj '/CN=localhost/O=Acme Secure Server'
## 5) Sign Certificate Requests
date +%s > "$TMPDIR/serial"
openssl x509 -req -in "$CLIENT_REQ" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAserial "$TMPDIR/serial" -extensions dir_sect -out "$CLIENT_CRT"
openssl x509 -req -in "$SERVER_REQ" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAserial "$TMPDIR/serial" -extensions dir_sect -out "$SERVER_CRT"
----
---- ff_server.sh ---
#!/bin/sh
CAFILE=ca.crt
KEY=server.key
CERT=server.crt
VERIFY=1
# Print the command line, then run it with its arguments kept intact
log(){
    echo "$@"
    "$@"
}
log ./ffmpeg -f lavfi -graph testsrc -i test -f avi "tls://localhost:4001?cafile=$CAFILE&key=$KEY&cert=$CERT&listen&verify=$VERIFY"
----
---- ff_client.sh ---
#!/bin/sh
CAFILE=ca.crt
KEY=client.key
CERT=client.crt
VERIFY=1
# Print the command line, then run it with its arguments kept intact
log(){
    echo "$@"
    "$@"
}
log ./ffplay "tls://localhost:4001?cafile=$CAFILE&key=$KEY&cert=$CERT&verify=$VERIFY"
----
--
1.7.10.4
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
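The tls:// URL options used in ff_server.sh and ff_client.sh above can be checked before a test run. The following is an added example, not part of the original message or of FFmpeg: the function names (tls_opt, finding, tls_lint) are hypothetical, and the findings policy, including treating a missing verify option as verification off, is an assumption of this example.

```sh
#!/bin/sh
# Added example: checks the query options of a tls:// URL such as the ones
# built in ff_server.sh and ff_client.sh. The findings policy is an assumption.

# tls_opt URL NAME: print the value of option NAME; status 0 if present
# (a bare flag such as "listen" prints nothing), 1 if absent.
tls_opt() {
    name=$2
    case $1 in
        *\?*) query=${1#*\?} ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS='&'
    set -f; set -- $query; set +f      # split on '&' without globbing
    IFS=$old_ifs
    for pair in "$@"; do
        case $pair in
            "$name") return 0 ;;
            "$name="*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

finding() { echo "$1"; findings=$((findings + 1)); }

# tls_lint URL: print one finding per line; status 0 only when there are none.
tls_lint() {
    url=$1; findings=0
    verify=$(tls_opt "$url" verify) || verify=0   # assumption: absent means off
    cafile=$(tls_opt "$url" cafile) || cafile=
    cert=$(tls_opt "$url" cert) || cert=
    key=$(tls_opt "$url" key) || key=
    if [ "$verify" != 1 ]; then
        finding "peer certificate is not verified (verify=$verify)"
    elif [ -z "$cafile" ]; then
        finding "verify=1 but no cafile to verify the peer against"
    fi
    if [ -n "$cert$key" ] && { [ -z "$cert" ] || [ -z "$key" ]; }; then
        finding "cert and key must be given together"
    fi
    if tls_opt "$url" listen >/dev/null && [ -z "$cert" ]; then
        finding "listen without a server cert"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed samples: the client URL from ff_client.sh, then the same URL
# with cafile and verify left out.
tls_lint "tls://localhost:4001?cafile=ca.crt&key=client.key&cert=client.crt&verify=1" || true
tls_lint "tls://localhost:4001?key=client.key&cert=client.crt" || true
```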