[FFmpeg-devel] openssl: Allow TLS 1.2

Submitted by Mark Thompson on Oct. 28, 2016, 6:56 p.m.

Details

Message ID 92d049aa-a66d-dcc0-6d00-5f19762d2d5c@jkqxz.net
State New

Commit Message

Mark Thompson Oct. 28, 2016, 6:56 p.m.
The use of TLSv1_method() disallows newer protocol versions; instead
use SSLv23_method() and then explicitly disable the older versions
which should not be supported.

Fixes ticket #5915.
---
 libavformat/tls_openssl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
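
The version-selection behaviour the commit message describes, as an added example that is not part of this patch or of FFmpeg: Python's ssl module wraps the same OpenSSL SSL_CTX, so its OP_NO_* constants are the SSL_OP_NO_* bits the patch sets and PROTOCOL_TLS_CLIENT/SERVER is the version-flexible method. The helper names (allowed_versions, patch_context, tls12_floor_context) are mine, and tlsv1_only_options() is only an emulation of what the old TLSv1_*_method() pin permits, expressed as a deny mask.

```python
"""Added example, not FFmpeg code: OpenSSL protocol-version selection as a
deny-list, shown through Python's ssl module, which wraps the same OpenSSL
SSL_CTX and exposes the SSL_OP_NO_* bits as ssl.OP_NO_*."""
import ssl

# SSL_OP_NO_* bits keyed by the protocol version each one denies.  A bit the
# library does not define (OP_NO_SSLv2 is 0 on OpenSSL >= 1.1.0, where SSLv2
# support was removed outright; OP_NO_TLSv1_3 is absent before 1.1.1) means
# that version cannot be negotiated at all, whatever the options say.
NO_VERSION_BITS = {
    "SSLv2":   getattr(ssl, "OP_NO_SSLv2", 0),
    "SSLv3":   getattr(ssl, "OP_NO_SSLv3", 0),
    "TLSv1":   getattr(ssl, "OP_NO_TLSv1", 0),
    "TLSv1.1": getattr(ssl, "OP_NO_TLSv1_1", 0),
    "TLSv1.2": getattr(ssl, "OP_NO_TLSv1_2", 0),
    "TLSv1.3": getattr(ssl, "OP_NO_TLSv1_3", 0),
}


def allowed_versions(options):
    """Versions a version-flexible context (SSLv23_*_method / TLS_*_method)
    may still negotiate under an option mask: everything the library supports
    that is not explicitly denied.  Versions the library gains later are
    allowed automatically, which is what the patch is after."""
    return [name for name, bit in NO_VERSION_BITS.items()
            if bit and not (options & bit)]


def tlsv1_only_options():
    """Emulation (hypothetical, for comparison) of the pre-patch
    TLSv1_*_method() pin as a deny mask: every version but TLS 1.0 denied."""
    mask = 0
    for name, bit in NO_VERSION_BITS.items():
        if name != "TLSv1":
            mask |= bit
    return mask


def patch_options():
    """Exactly the mask the patch hands to SSL_CTX_set_options()."""
    return NO_VERSION_BITS["SSLv2"] | NO_VERSION_BITS["SSLv3"]


def patch_context(listen=False):
    """Python analogue of the patched tls_open(): a version-flexible method
    plus the SSLv2/SSLv3 deny bits.  Hypothetical helper, not FFmpeg's."""
    proto = ssl.PROTOCOL_TLS_SERVER if listen else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.options |= patch_options()
    return ctx


def tls12_floor_context(listen=False):
    """Same context with TLS 1.0 and 1.1 also excluded, via the min-version
    API (SSL_CTX_set_min_proto_version, OpenSSL 1.1.0+) rather than more
    OP_NO_* bits.  The two mechanisms are independent: this context's OP_NO_*
    mask still reads as allowing TLS 1.0, so a review must check both."""
    ctx = patch_context(listen)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("TLSv1_method pin       :", allowed_versions(tlsv1_only_options()))
    print("patch (NO_SSLv2|SSLv3) :", allowed_versions(patch_options()))
    ctx = tls12_floor_context()
    print("TLS 1.2 floor, OP_NO_* view:", allowed_versions(ctx.options),
          "minimum_version:", ctx.minimum_version)
```

Running it on a Python linked against OpenSSL 1.1.0 or later shows the caveat the deny-list approach carries: the patch's mask leaves TLS 1.0 and 1.1 negotiable, and OP_NO_SSLv2 is already 0 there because the library no longer contains SSLv2, so setting it is harmless but also meaningless.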

Comments

Hendrik Leppkes Oct. 28, 2016, 9:15 p.m.
On Fri, Oct 28, 2016 at 8:56 PM, Mark Thompson <sw@jkqxz.net> wrote:
> The use of TLSv1_method() disallows newer protocol versions; instead
> use SSLv23_method() and then explicitly disable the older versions
> which should not be supported.
>
> Fixes ticket #5915.
> ---
>  libavformat/tls_openssl.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
> index c551ac7..7c9dd61 100644
> --- a/libavformat/tls_openssl.c
> +++ b/libavformat/tls_openssl.c
> @@ -233,12 +233,13 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
>      if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
>          goto fail;
>
> -    p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method());
> +    p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());
>      if (!p->ctx) {
>          av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
>          ret = AVERROR(EIO);
>          goto fail;
>      }
> +    SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
>      if (c->ca_file) {
>          if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
>              av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
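
Review bot: the added SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) only removes SSLv2 and SSLv3, so TLS 1.0 and 1.1 stay negotiable and the commit message's "explicitly disable the older versions which should not be supported" promises more than the hunk delivers. If the goal is merely to stop pinning to TLS 1.0 (the old TLSv1_*_method() behaviour), say so in the commit message; if the goal is to drop weak versions, add SSL_OP_NO_TLSv1 (and SSL_OP_NO_TLSv1_1), or on OpenSSL 1.1.0+ set a minimum protocol version, in the same call.
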
> --
> 2.9.3
>

I should have looked further when commenting on the other patch - I guess. :)
Looks good to me, the OpenSSL API seems to be rather confusing in this
regard. Maybe a comment might be useful to indicate why this is done.

- Hendrik

Patch

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index c551ac7..7c9dd61 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -233,12 +233,13 @@  static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
     if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
         goto fail;

-    p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method());
+    p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());
     if (!p->ctx) {
         av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
         ret = AVERROR(EIO);
         goto fail;
     }
+    SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
     if (c->ca_file) {
         if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
             av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
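
Review bot: the SSL_CTX_new line needs a short comment, because SSLv23_server_method()/SSLv23_client_method() reads like "enable SSLv2/3" when it is in fact OpenSSL's version-flexible method and the SSL_OP_NO_* bits on the following line are the deny-list; without that note the next reader is likely to "fix" it back to a TLSv1_* pin. On OpenSSL 1.1.0 and later the SSLv23_* names survive only as deprecated aliases of TLS_server_method()/TLS_client_method(), so consider selecting those under an OPENSSL_VERSION_NUMBER guard so the file builds warning-free against both trees.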