[FFmpeg-devel] [PATCH v3 1/3] avformat/tls_openssl: add hostname for verification
Marvin Scholz
epirat07 at gmail.com
Thu Jul 10 13:55:52 EEST 2025
On 8 Jul 2025, at 20:53, Marvin Scholz wrote:
> From: Daniel N Pettersson <danielnp at axis.com>
>
> When verification is enabled (using -tls_verify 1) now
> the hostname will be verified properly too, while before
> only other aspects of the certificate were checked.
>
> Co-Authored-By: Marvin Scholz <epirat07 at gmail.com>
> ---
> libavformat/tls_openssl.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
> index a0fa3285d5..7f10d80f9e 100644
> --- a/libavformat/tls_openssl.c
> +++ b/libavformat/tls_openssl.c
> @@ -906,8 +906,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
> }
> ret = openssl_init_ca_key_cert(h);
> if (ret < 0) goto fail;
> - // Note, this doesn't check that the peer certificate actually matches
> - // the requested hostname.
> +
> if (c->verify)
> SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
> p->ssl = SSL_new(p->ctx);
> @@ -921,8 +920,15 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
> ret = init_bio_method(h);
> if (ret < 0)
> goto fail;
> - if (!c->listen && !c->numerichost)
> + if (!c->listen && !c->numerichost) {
> + if (!SSL_set1_host(p->ssl, c->host)) {
> + av_log(h, AV_LOG_ERROR, "Failed to set hostname for TLS/SSL verification: %s\n",
> + openssl_get_error(p));
> + ret = AVERROR_EXTERNAL;
> + goto fail;
> + }
> SSL_set_tlsext_host_name(p->ssl, c->host);
> + }
> ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
> if (ret == 0) {
> av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
> --
> 2.39.5 (Apple Git-154)
Planning to push the set tomorrow, if there are no objections.
More information about the ffmpeg-devel
mailing list