[FFmpeg-devel] [PATCH 4/6] lavf/tls_mbedtls: fix handling of certification validation failures
Michael Niedermayer
michael at niedermayer.cc
Sat May 18 22:53:54 EEST 2024
On Fri, May 17, 2024 at 10:34:41AM +0200, Sfan5 wrote:
> We manually check the verification status after the handshake has completed
> using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED
> mbedtls_ssl_handshake() already returns an error, so this code is never
> reached.
> Fix that by using VERIFY_OPTIONAL, which performs the verification but
> does not abort the handshake.
>
> Signed-off-by: sfan5 <sfan5 at live.de>
> ---
> libavformat/tls_mbedtls.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
> index 9508fe3436..67d5c568b9 100644
> --- a/libavformat/tls_mbedtls.c
> +++ b/libavformat/tls_mbedtls.c
> @@ -263,8 +263,9 @@ static int tls_open(URLContext *h, const char *uri, int
> flags, AVDictionary **op
> goto fail;
> }
> + // not VERIFY_REQUIRED because we manually check after handshake
> mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
> - shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED :
> MBEDTLS_SSL_VERIFY_NONE);
> + shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL :
> MBEDTLS_SSL_VERIFY_NONE);
> mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random,
> &tls_ctx->ctr_drbg_context);
> mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert,
> NULL);
This patch looks corrupted by extra line breaks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
There will always be a question for which you do not know the correct answer.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240518/44923af0/attachment.sig>
More information about the ffmpeg-devel
mailing list