[FFmpeg-devel] [PATCH 1/3] lavf/tls_openssl: add support for verifying the server hostname on >=1.1.0
Rodger Combs
rodger.combs at gmail.com
Wed Aug 16 10:19:16 EEST 2017
---
libavformat/tls_openssl.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 38af8a21c0..50361d30e2 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -256,8 +256,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
ret = AVERROR(EIO);
goto fail;
}
- // Note, this doesn't check that the peer certificate actually matches
- // the requested hostname.
if (c->verify)
SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
p->ssl = SSL_new(p->ctx);
@@ -281,8 +279,18 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
bio->ptr = c->tcp;
#endif
SSL_set_bio(p->ssl, bio, bio);
- if (!c->listen && !c->numerichost)
+ if (!c->listen && !c->numerichost) {
SSL_set_tlsext_host_name(p->ssl, c->host);
+ if (c->verify)
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ SSL_set1_host(p->ssl, c->host);
+#else
+ av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n"
+ "which doesn't provide peer name verification, so this connection\n"
+ "will be made insecurely. To make this connection securely,\n"
+ "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n");
+#endif
+ }
ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
if (ret == 0) {
av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
--
2.14.1
More information about the ffmpeg-devel
mailing list