| Message ID | DU0PR03MB9567BE0789EACC480C6CB098ECEE2@DU0PR03MB9567.eurprd03.prod.outlook.com |
|---|---|
| State | New |
| Headers | show
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a21:3a48:b0:1af:fc2d:ff5a with SMTP id
zu8csp2736083pzb;
Fri, 17 May 2024 01:36:52 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
AJvYcCVb+MjcjlGxPhU9ZyNiIXhTujBqpLqWcDVKx4yk56mYvt+A0JXIABnPpLum8AHtcDNDCJWaPfRWX4jc0p+rP9OHitl/V4VhTDKAcg==
X-Google-Smtp-Source:
AGHT+IGX/qIKgaveBP4QUylSHyEMT6B68S2MAKEmQ5/u6zzROgqSuaA9QOcT5E8nRdcTp4ffgHlb
X-Received: by 2002:a50:cddc:0:b0:572:67ee:d3d9 with SMTP id
4fb4d7f45d1cf-5734d5ce8e7mr14448740a12.17.1715935012351;
Fri, 17 May 2024 01:36:52 -0700 (PDT)
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
by mx.google.com with ESMTP id
4fb4d7f45d1cf-574f50048c7si3241205a12.199.2024.05.17.01.36.52;
Fri, 17 May 2024 01:36:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
dkim=neutral (body hash did not verify) header.i=@LIVE.DE
header.s=selector1 header.b=jC12H43q;
arc=fail (body hash mismatch);
spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
designates 79.124.17.100 as permitted sender)
smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=live.de
Received: from [127.0.1.1] (localhost [127.0.0.1])
by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id D409B68D3DD;
Fri, 17 May 2024 11:36:22 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from EUR04-VI1-obe.outbound.protection.outlook.com
(mail-vi1eur04olkn2105.outbound.protection.outlook.com [40.92.75.105])
by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 5241468D3C9
for <ffmpeg-devel@ffmpeg.org>; Fri, 17 May 2024 11:36:20 +0300 (EEST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=c2ZpuMUEemaVwHbl7JjfRGKRKdeNCTq8ob3IlwE6JDb/iP0IpkqJi1VWz+a4SgzeRRXuRb3znVlCHKF9DbWnTRvcCgkIMnEe2AJAIIs5dhsQBXaCHojGKycSfmIbXVop49MFm/tAZ2OeVE+pMMKXKvP96Shn33KJSXIgsjNhItYK9uQxduiSl0cdDYU6Z5GH8BclSk2l6i6C9DD7hq6GzcFOyQWp201LtBuGn+0ddW+HryXZbmreyyj4isTo4gAlyZ4mIGXC2OtAVYHBJU09H44ETE6VG0A08U3MJoUvTq2IgoSb9vdB+nhMhQ1XVkt6rlhGB7OJSbz4TPZoaXtm2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=nZdvDxelLKeyQRoIHaYrBtY6wTBcQMpoK6K0pbhbTRI=;
b=DX/3sqrnup4lWH9nHl2YAv/1ScW3aSKyzSUfia/ct+m6dviuNJKtjXGBfWNxtontgBiq9rJvMGikUlWv1eVVxTTrYZJFGA9e9cAEDspj0SSJII79HSMoOSlhk+ALmErJwmAwMnogCnl3qQnto27dwIem/h8hQXbhUhQjHWGp200oMvLrbLmfndavJgza5pWT7Jn5TIMbG3Uw2FHnkwFXWt3vnBoFFrGieNJS2YCFUZYHKnAM9f8Aa7KalJJf7PQQNfLgU6u5pW+Xyf8o6nb/GRDbocZZSyp+f28DBmkP/AYzNoNYrDsv44wkJUuCBOxWnJWLQBpfoX5ptXO7ZyPBww==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=LIVE.DE; s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=nZdvDxelLKeyQRoIHaYrBtY6wTBcQMpoK6K0pbhbTRI=;
b=jC12H43qOAfD/S/2DEAJxl+je9YSc0jk5WpdJg729/lRsV0yZhSVVjrskW/tbPpSnElPai/scKzgdx/btvwrHMUVXt8ooiXOLOQapGgijCd7nJKcR1kXnGeKDmvYwUMo29xEgN1JAleXKgfXe2m2s6s/p2o1SoH4ygyqH1H3L6BQFrZdpubrzuDHePtak/zeduw7cDALC4ITBSBvm26ByFcp1Y8w03aO45GAs11S8EJwxQcXv3mPPqkUjkcQ8fLA8UnrDssjXWiP34IfipHFDe/mnYGKkgHnkoUUJjDmV8dSB1kwdmtR7Xw9MAs5qL/0i1eJk+zKR7vCjraqWGlk/w==
Received: from DU0PR03MB9567.eurprd03.prod.outlook.com (2603:10a6:10:41f::20)
by PR3PR03MB6442.eurprd03.prod.outlook.com (2603:10a6:102:70::6) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7611.12; Fri, 17 May
2024 08:35:55 +0000
Received: from DU0PR03MB9567.eurprd03.prod.outlook.com
([fe80::11d1:a48f:e0be:fc9f]) by DU0PR03MB9567.eurprd03.prod.outlook.com
([fe80::11d1:a48f:e0be:fc9f%5]) with mapi id 15.20.7544.041; Fri, 17 May 2024
08:35:55 +0000
Message-ID:
<DU0PR03MB9567BE0789EACC480C6CB098ECEE2@DU0PR03MB9567.eurprd03.prod.outlook.com>
Date: Fri, 17 May 2024 10:34:50 +0200
User-Agent: Mozilla Thunderbird
From: Sfan5 <sfan5@live.de>
To: ffmpeg-devel@ffmpeg.org
Content-Language: en-US, de-DE
X-TMN:
[USXN4nlt+04OhZ68K2KdiCt/OUpgWZG0/4zfXTdSZSdg/6iL2eQtqhffgTxAYsLeIjPpBxpWkIQ=]
X-ClientProxiedBy: FR0P281CA0247.DEUP281.PROD.OUTLOOK.COM
(2603:10a6:d10:af::16) To DU0PR03MB9567.eurprd03.prod.outlook.com
(2603:10a6:10:41f::20)
X-Microsoft-Original-Message-ID:
<0905a0e7-bdf9-4598-94ee-40173a9131b9@live.de>
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DU0PR03MB9567:EE_|PR3PR03MB6442:EE_
X-MS-Office365-Filtering-Correlation-Id: 56b0b30d-65e3-4394-918b-08dc764c5e6f
X-Microsoft-Antispam: BCL:0;
ARA:14566002|461199019|3412199016|440099019|1602099003;
X-Microsoft-Antispam-Message-Info:
sRrQJOChCXAS6wpjfH3/DYeCKH24THT20frn6qy3b+OhvmIHU+rqpi5oMuBVq3XzGZhVl94k1hrEaqoi3Ow19NsxiRgwA3+pA2rFSsk48v6P6aplKNNCKQqApwiVa5c70ycLC7r8kG9+PbQIGI5QfUE3/yF0GhNdYfxuZ6K2oG/ry7QuWqtiWPRTJxGtU6vq8qzscUCaaYxRgpkWECN+gfMvqPeDVogCYTtzX+oQKyLsyqbEL2x6ik3wZRK3Q09hdWJVx5Jq6fskQ75hpie2+o/Z18QdZnT02wjQHBxvolAv3s1Xttvzmsj+PTzILtun+OfZWOmIe11n8WAJibkFS9xgCWgWqQemOTqzLiwLHmVk2Eb66PoWGxvNpXEq9bhWDw5u2Gm70YDBiRvOva8LS73SCP9hsVRp7YUKefg/Sv+FD39YUPXdd2N/7rgaDJhO1nY4MweLdH1EZ6CB2XtDX6lwNeJv4+8vINRwoqSb3xWLLHrtAVDFzkOyAKbcKhyw4H9s1OyKAW4ARnzrhRIZaGkv0j67CeLHCKDnItU7E79JNXx9lmIiAgEgBj1H3P/aX44zs64JKj1MiXG8XFtVJ5uim4QJg55IDc/sJPcAXKCFblnXo1b9E4c1SzYH1Ept01L3OtLRoRflwgLoz0J0g0jQXZ6VWByUbrBQBROBHQY=
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?FGdbs4lis/zIceBxaMeSlRxDg3Wi?=
=?utf-8?q?TAyCnRW/62ZWacOaVg+Cq8WtAKJ6Op6KuT4lLmp1ncY31Kmbo4edTf0Jz/itOBwUf?=
=?utf-8?q?BkvWq7EZe79cnR5pG42E8+stXtQJ32h8sI4P8FtmgB+PyqNjaqT39wceB56VdB02x?=
=?utf-8?q?pSe7APAYmYJVZwntfDoQav+F2nk6mIpp8hdQWbLgckCugsGN8xJISZpWY1flM/x0N?=
=?utf-8?q?bSpRZt5JdAbV6UW8WAgJzf/bTNs678/XGkcK/dAOfb+De8bTahUOqqbXmaJvvspBI?=
=?utf-8?q?efDi/Fhyg0EEl8UKlMbhAUKs3w4ryKlAnW6W+Vazz2hhuVbmcAlbt13iNIT6GnXVw?=
=?utf-8?q?gmUqPlpUzLK4wVTmBZoYNApGKxYJOxLgx13iert0adKJE86atNW4keir1geAlUR2F?=
=?utf-8?q?q7/jZDYZES8aMAWPnjfjx4LAyPgKXDzmvAPFFXG8GXBMS9/sByts+OMpyRS4Qwj7R?=
=?utf-8?q?nBDzaOTsh8yj1oLfaas4R+sWs5qmbXAdpNUBc4qiM/q1qVEysDSBrSMe0l0l4eKIU?=
=?utf-8?q?I06q3CtIqUTSItpBr33pQRjAbhRaUd4nuubLQRRxal9rbZGXUw7uwCv5xvEBuD5KI?=
=?utf-8?q?My0Ix1Xog/7Jea4Y2BsmCibQ4LPKA2hPrz2ybEG53+5jU9fScKxtRMhDMsdrG96pm?=
=?utf-8?q?gIY9PbPymwrjBwTkw0AuJ+oNYbps0hd8AsYFRlMsUP4BIok6uwlJbh3nxB4W0/QFK?=
=?utf-8?q?2YN21tPKDnqh6GE61jIOW408VHuiOMNue4ptIa33Eyl19B0AxtdDyDJo5c3sQE2ux?=
=?utf-8?q?259WsbWTLSo1VfOORk3BzjRGCgfQiWGLLwYJeB3+csTnJL5ovmMRa/37MBAdmLUS5?=
=?utf-8?q?COLmmIrtCkm/U0JcZTFTyW8Lj1TOrR1rkwszEdV8qJk+lkhf2iVyuaVmQh3LOc4VQ?=
=?utf-8?q?JQmC6hV+eMbMd14k4YlUgcb2pgLQFxRlSjLCq18tI9XV0MK97ZaUsV8yd/XwkxyC0?=
=?utf-8?q?Gv2PP2YOKdoJV0XcG/bJgwIVD671lImrHEsrs8m7kJF7n+maeVuTI97AHT9nGt3wq?=
=?utf-8?q?p3rPwLG8M+ZDIti6GLTBazGh8CKCULcvJtZzhb+RWsZLwFvXyWOyWEACqs8QI4H/8?=
=?utf-8?q?TbYc/SzAHnw6D2kP4e/qhiGj0EGGHkXSl0WYV6oledUrSsUOtnKM6NEdxziJ44buG?=
=?utf-8?q?ZMery3pb8+oHayrk6Cs/0jgqj/IrHCJqNyVHc/isHDh6IC+GQV+QBsfLdxiD3h/ue?=
=?utf-8?q?Z2SXMcCNhTzvGNadYa8/zPDSAlD/22og0udMHfmfZVx9Kq0zQpoIPeuknx3U=3D?=
X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-76d7b.templateTenant
X-MS-Exchange-CrossTenant-Network-Message-Id:
56b0b30d-65e3-4394-918b-08dc764c5e6f
X-MS-Exchange-CrossTenant-AuthSource: DU0PR03MB9567.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 May 2024 08:35:55.5406 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3PR03MB6442
Subject: [FFmpeg-devel] [PATCH 6/6] lavf/tls_mbedtls: add workaround for
TLSv1.3 vs. verify=0
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: +aM3cF5mi+NZ
|
| Series |
[FFmpeg-devel,1/6] lavf/tls_mbedtls: handle more error codes for human-readable message
|
expand
|
| Context | Check | Description |
|---|---|---|
| yinshiyou/configure_loongarch64 | warning | Failed to apply patch |
| andriy/configure_x86 | warning | Failed to apply patch |
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 8268e74638..5d5c7bfb25 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -163,6 +163,10 @@ static void handle_handshake_error(URLContext *h, int ret) case MBEDTLS_ERR_SSL_INTERNAL_ERROR: av_log(h, AV_LOG_ERROR, "Internal error encountered.\n"); break; + case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: + // This error only happens with TLSv1.3, we normally use mbedtls_ssl_get_verify_result(). + av_log(h, AV_LOG_ERROR, "Certificate verification failed.\n"); + break; case MBEDTLS_ERR_NET_CONN_RESET:
As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification is now mandatory. Our default configuration does not do verification, so downgrade to 1.2 in these situations to avoid breaking it. ref: https://github.com/Mbed-TLS/mbedtls/issues/7075 Signed-off-by: sfan5 <sfan5@live.de> --- libavformat/tls_mbedtls.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n"); break; @@ -263,6 +267,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } +#ifdef MBEDTLS_SSL_PROTO_TLS1_3 + // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really). + if (!shr->verify) { + av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n"); + mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2); + } +#endif + // not VERIFY_REQUIRED because we manually check after handshake mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);