lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version

Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression.

ref: c28e5b597e
Signed-off-by: sfan5 <sfan5@live.de>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
sfan5 2024-09-04 17:56:05 +02:00 committed by Anton Khirnov
parent 5c66a3ab51
commit e66f977494
1 changed files with 2 additions and 2 deletions


@ -270,8 +270,8 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
}
#ifdef MBEDTLS_SSL_PROTO_TLS1_3
// mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
if (!shr->verify) {
// this version does not allow disabling certificate verification with TLSv1.3 (yes, really).
if (mbedtls_version_get_number() == 0x03060000 && !shr->verify) {
av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
}
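Review bot: The new condition calls `mbedtls_version_get_number()`, which mbedTLS only provides when the library is built with `MBEDTLS_VERSION_C`. Neither that guard nor an include of `mbedtls/version.h` is visible in this hunk, so a TLS 1.3-enabled build without the version module would presumably fail to compile or link here. Consider widening the guard to `#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_VERSION_C)`; if the workaround is compiled out, a 3.6.0 handshake with verification disabled simply fails, which is the safe direction. The bare `0x03060000` and the phrase "this version" would also be clearer as `// mbedTLS 3.6.0 (0x03060000) does not allow disabling certificate verification with TLSv1.3`. tls_open starts and ends outside the hunk, so the file's include list could not be checked from here.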