[FFmpeg-devel] fix tls 1.2 when ffmpeg is compiled with openssl

Message ID CABUmD9vvE5q92tFQa_y3jPT8F2gKCk9dZGYA279E5GVNezoy9Q@mail.gmail.com
State Superseded

Commit Message

Martin Larsson Oct. 28, 2016, 6:42 p.m. UTC
Made by vpeter of the LibreELEC project.

         av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(),
NULL));
         ret = AVERROR(EIO);

Comments

Hendrik Leppkes Oct. 28, 2016, 9:13 p.m. UTC | #1
On Fri, Oct 28, 2016 at 8:42 PM, Martin Larsson
<martin.larsson2@gmail.com> wrote:
> Made by vpeter of the LibreELEC project.
>
> --- a/libavformat/tls_openssl.c 2016-10-28 18:52:40.526626700 +0200
> +++ b/libavformat/tls_openssl.c 2016-10-28 19:21:41.520615426 +0200
> @@ -233,7 +233,8 @@ static int tls_open(URLContext *h, const
>      if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
>          goto fail;
>
> -    p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() :
> TLSv1_client_method());
> +    //SSLv23_client_method allows to use TLS v1.2 protocol
> +    p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() :
> SSLv23_client_method());
>      if (!p->ctx) {
>          av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(),
> NULL));
>          ret = AVERROR(EIO);
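Review bot: Only the client branch of the ternary is widened; the `c->listen` path still calls TLSv1_server_method(), so a listening context stays pinned to TLS 1.0 while a connecting one negotiates up to 1.2. If the goal is TLS 1.2 on both sides, use SSLv23_server_method() there too. With SSLv23_*_method() the floor is no longer TLS 1.0: the negotiation can fall back to SSLv3 (and SSLv2 where the library was built with it), which TLSv1_client_method() never offered, so add `SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` right after the `if (!p->ctx)` error check to keep the previous restriction. The hunk itself is line-wrapped by the mail client (`TLSv1_client_method());` and `SSLv23_client_method());` sit on their own lines with no diff prefix), so it will not apply as sent; resend with git send-email or as an attachment. Minor: FFmpeg uses `/* */` rather than `//` comments, and the commit message should carry the real author (From:/Signed-off-by) instead of "Made by vpeter".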

To ensure the same security restrictions apply as before, it should
perhaps set the options to disable SSLv2/3 then?

SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)

Otherwise looks fine; the API seems to be rather weird there.

- Hendrik
Hendrik Leppkes Oct. 28, 2016, 9:15 p.m. UTC | #2
On Fri, Oct 28, 2016 at 11:13 PM, Hendrik Leppkes <h.leppkes@gmail.com> wrote:
> On Fri, Oct 28, 2016 at 8:42 PM, Martin Larsson
> <martin.larsson2@gmail.com> wrote:
>> Made by vpeter of the LibreELEC project.
>>
>> --- a/libavformat/tls_openssl.c 2016-10-28 18:52:40.526626700 +0200
>> +++ b/libavformat/tls_openssl.c 2016-10-28 19:21:41.520615426 +0200
>> @@ -233,7 +233,8 @@ static int tls_open(URLContext *h, const
>>      if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
>>          goto fail;
>>
>> -    p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() :
>> TLSv1_client_method());
>> +    //SSLv23_client_method allows to use TLS v1.2 protocol
>> +    p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() :
>> SSLv23_client_method());
>>      if (!p->ctx) {
>>          av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(),
>> NULL));
>>          ret = AVERROR(EIO);
>
> To ensure the same security restrictions apply as before, it should
> perhaps set the options to disable SSLv2/3 then?
>
> SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)
>
> Otherwise looks fine, the API seems to be rather weird there.
>

Never mind, there is another patch on the ML doing just this.

Patch

--- a/libavformat/tls_openssl.c 2016-10-28 18:52:40.526626700 +0200
+++ b/libavformat/tls_openssl.c 2016-10-28 19:21:41.520615426 +0200
@@ -233,7 +233,8 @@  static int tls_open(URLContext *h, const
     if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
         goto fail;

-    p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() :
TLSv1_client_method());
+    //SSLv23_client_method allows to use TLS v1.2 protocol
+    p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() :
SSLv23_client_method());
     if (!p->ctx) {