[FFmpeg-devel] [PATCH v2 3/3] avformat/tls_openssl: load default verify locations

Tue Jul 8 21:28:41 EEST 2025

When no explicit CAs file is set, load the default locations,
else there is no way for verification to succeed.

This matches the behavior of other TLS backends.
---
 libavformat/tls_openssl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 248d1eedf9..d360dd320c 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -698,6 +698,12 @@ static av_cold int openssl_init_ca_key_cert(URLContext *h)
     if (c->ca_file) {
         if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
             av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", openssl_get_error(p));
+    } else {
+        if (!SSL_CTX_set_default_verify_paths(p->ctx)) {
+            // Only log the failure but do not error out, as this is not fatal
+            av_log(h, AV_LOG_WARNING, "Failure setting default verify locations: %s\n",
+                openssl_get_error(p));
+        }
     }
 
     if (c->cert_file) {
-- 
2.39.5 (Apple Git-154)

