[FFmpeg-devel] [PATCH 1/4] lavf/tls_openssl: add support for verifying the server hostname on >=1.1.0

[rcombs]

---
 libavformat/tls_openssl.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 002197fa76..d66845cf48 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -272,8 +272,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
         ret = AVERROR(EIO);
         goto fail;
     }
-    // Note, this doesn't check that the peer certificate actually matches
-    // the requested hostname.
     if (c->verify)
         SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
     p->ssl = SSL_new(p->ctx);
@@ -297,8 +295,18 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
     bio->ptr = c->tcp;
 #endif
     SSL_set_bio(p->ssl, bio, bio);
-    if (!c->listen && !c->numerichost)
+    if (!c->listen && !c->numerichost) {
         SSL_set_tlsext_host_name(p->ssl, c->host);
+        if (c->verify)
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+            SSL_set1_host(p->ssl, c->host);
+#else
+            av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n"
+                                      "which doesn't provide peer name verification, so this connection\n"
+                                      "will be made insecurely. To make this connection securely,\n"
+                                      "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n");
+#endif
+    }
     ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
     if (ret == 0) {
         av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
-- 
2.26.2