Message ID | 20200530035753.30241-1-rcombs@rcombs.me |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel,1/4] lavf/tls_openssl: add support for verifying the server hostname on >=1.1.0 | expand |
Context | Check | Description |
---|---|---|
andriy/default | pending | |
andriy/make | success | Make finished |
andriy/make_fate | success | Make fate finished |
On Fri, May 29, 2020 at 22:57:50 -0500, rcombs wrote: > +#else > + av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n" > + "which doesn't provide peer name verification, so this connection\n" > + "will be made insecurely. To make this connection securely,\n" > + "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n"); Aren't there also other options than just GnuTLS? From a quick check, it looks like most of ffmpeg's TLS implementations support verification, but I don't know the internals. (Perhaps the same misconception as with openssl.) Furthermore, is that the official spelling/capitalization of GnuTLS? Cheers, Moritz
> On Jun 3, 2020, at 02:29, Moritz Barsnick <barsnick@gmx.net> wrote: > > On Fri, May 29, 2020 at 22:57:50 -0500, rcombs wrote: >> +#else >> + av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n" >> + "which doesn't provide peer name verification, so this connection\n" >> + "will be made insecurely. To make this connection securely,\n" >> + "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n"); > > Aren't there also other options than just GnuTLS? From a quick check, > it looks like most of ffmpeg's TLS implementations support > verification, but I don't know the internals. (Perhaps the same > misconception as with openssl.) Ahh, this patch dates back to when the only other multiplatform option was GNUTLS. I can say "or use a different TLS implementation." if you like? > > Furthermore, is that the official spelling/capitalization of GnuTLS? > > Cheers, > Moritz > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
On Wed, Jun 03, 2020 at 02:39:54 -0500, Ridley Combs wrote: > Ahh, this patch dates back to when the only other multiplatform > option was GNUTLS. I can say "or use a different TLS implementation." > if you like? That would be the obvious way to go, I guess. Moritz
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 002197fa76..d66845cf48 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -272,8 +272,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op ret = AVERROR(EIO); goto fail; } - // Note, this doesn't check that the peer certificate actually matches - // the requested hostname. if (c->verify) SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); p->ssl = SSL_new(p->ctx); @@ -297,8 +295,18 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op bio->ptr = c->tcp; #endif SSL_set_bio(p->ssl, bio, bio); - if (!c->listen && !c->numerichost) + if (!c->listen && !c->numerichost) { SSL_set_tlsext_host_name(p->ssl, c->host); + if (c->verify) +#if OPENSSL_VERSION_NUMBER >= 0x1010000fL + SSL_set1_host(p->ssl, c->host); +#else + av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n" + "which doesn't provide peer name verification, so this connection\n" + "will be made insecurely. To make this connection securely,\n" + "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n"); +#endif + } ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl); if (ret == 0) { av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");