mirror of https://git.ffmpeg.org/ffmpeg.git
lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0
As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification is now mandatory. Our default configuration does not do verification, so downgrade to 1.2 in these situations to avoid breaking it. ref: https://github.com/Mbed-TLS/mbedtls/issues/7075 Signed-off-by: Anton Khirnov <anton@khirnov.net>
This commit is contained in:
parent
ab8f7030bc
commit
c28e5b597e
|
@ -269,6 +269,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
|
// mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
|
||||||
|
if (!shr->verify) {
|
||||||
|
av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
|
||||||
|
mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
// not VERIFY_REQUIRED because we manually check after handshake
|
// not VERIFY_REQUIRED because we manually check after handshake
|
||||||
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
|
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
|
||||||
shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
|
shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
|
||||||
|
|
Loading…
Reference in New Issue