[FFmpeg-devel] [PATCH 4/4] lavf/tls: verify TLS connections by default whenever possible
Moritz Barsnick
barsnick at gmx.net
Wed Jun 3 10:32:22 EEST 2020
On Fri, May 29, 2020 at 22:57:53 -0500, rcombs wrote:
> {"cafile", "Certificate Authority database file", offsetof(pstruct, options_field . ca_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
> - {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
> + {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_BOOL, { .i64 = -1 }, -1, 1, .flags = TLS_OPTFL }, \
> {"cert_file", "Certificate file", offsetof(pstruct, options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
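Review bot: the help string on the changed `tls_verify` line still reads "Verify the peer certificate", although the option now accepts -1 and defaults to it, and nothing in the entry says what -1 means. Suggest extending the description to state what -1 selects (the subject line says verification happens "whenever possible") and that setting 0 explicitly keeps the old default of no verification, so users can tell from the option listing how to opt in or out.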
Strictly speaking, this is a change in behavior, so I would at least
appreciate a version bump.
The reasoning is that some hosts which used to work will stop doing so,
namely those with self-signed (untrusted) certificates, expired
certificates, and for clients with an outdated CA certificates store.
Yes, this new behavior is desired, but it suddenly "breaks stuff".
Cheers,
Moritz