[FFmpeg-devel] [PATCH v3 1/3] avformat/tls_openssl: add hostname for verification

[Marvin Scholz]

From: Daniel N Pettersson <danielnp at axis.com>

When verification is enabled (using -tls_verify 1) now
the hostname will be verified properly too, while before
only other aspects of the certificate were checked.

Co-Authored-By: Marvin Scholz <epirat07 at gmail.com>
---
 libavformat/tls_openssl.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index a0fa3285d5..7f10d80f9e 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -906,8 +906,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
     }
     ret = openssl_init_ca_key_cert(h);
     if (ret < 0) goto fail;
-    // Note, this doesn't check that the peer certificate actually matches
-    // the requested hostname.
+
     if (c->verify)
         SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
     p->ssl = SSL_new(p->ctx);
@@ -921,8 +920,15 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
     ret = init_bio_method(h);
     if (ret < 0)
         goto fail;
-    if (!c->listen && !c->numerichost)
+    if (!c->listen && !c->numerichost) {
+        if (!SSL_set1_host(p->ssl, c->host)) {
+            av_log(h, AV_LOG_ERROR, "Failed to set hostname for TLS/SSL verification: %s\n",
+                openssl_get_error(p));
+            ret = AVERROR_EXTERNAL;
+            goto fail;
+        }
         SSL_set_tlsext_host_name(p->ssl, c->host);
+    }
     ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
     if (ret == 0) {
         av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
-- 
2.39.5 (Apple Git-154)