diff mbox series

[FFmpeg-devel,v2] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version

Message ID DU0PR03MB956750AACC7B66D12A053E81EC9A2@DU0PR03MB9567.eurprd03.prod.outlook.com
State New
Headers show
Series [FFmpeg-devel,v2] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

sfan5 Sept. 10, 2024, 3:47 p.m. UTC

Comments

Anton Khirnov Sept. 15, 2024, 11:52 a.m. UTC | #1 
Quoting sfan5 (2024-09-10 17:47:41)
> From 2db025b18be995afea46dea6c15a3caf1d985a82 Mon Sep 17 00:00:00 2001
> From: sfan5 <sfan5@live.de>
> Date: Wed, 4 Sep 2024 17:56:05 +0200
> Subject: [PATCH v2] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround
>  to affected version
> 
> Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression.
> 
> ref: c28e5b597ecc34188427347ad8d773bf9a0176cd
> Signed-off-by: sfan5 <sfan5@live.de>
> ---
>  libavformat/tls_mbedtls.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Pushed

Thanks,
diff mbox series

Patch

From 2db025b18be995afea46dea6c15a3caf1d985a82 Mon Sep 17 00:00:00 2001
From: sfan5 <sfan5@live.de>
Date: Wed, 4 Sep 2024 17:56:05 +0200
Subject: [PATCH v2] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround
 to affected version

Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression.

ref: c28e5b597ecc34188427347ad8d773bf9a0176cd
Signed-off-by: sfan5 <sfan5@live.de>
---
 libavformat/tls_mbedtls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 567b95b129..e802c6b872 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -270,8 +270,8 @@  static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
     }
 
 #ifdef MBEDTLS_SSL_PROTO_TLS1_3
-    // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
-    if (!shr->verify) {
+    // this version does not allow disabling certificate verification with TLSv1.3 (yes, really).
+    if (mbedtls_version_get_number() == 0x03060000 && !shr->verify) {
         av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
         mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
     }
-- 
2.46.0