[FFmpeg-devel,1/3] lavf/tls_openssl: add support for verifying the server hostname on >=1.1.0

Submitted by Rodger Combs on Aug. 16, 2017, 7:19 a.m.


Message ID 20170816071918.98412-1-rodger.combs@gmail.com
State New

Commit Message

Rodger Combs Aug. 16, 2017, 7:19 a.m.
---
 libavformat/tls_openssl.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)


diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 38af8a21c0..50361d30e2 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -256,8 +256,6 @@  static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
         ret = AVERROR(EIO);
         goto fail;
     }
-    // Note, this doesn't check that the peer certificate actually matches
-    // the requested hostname.
     if (c->verify)
         SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
     p->ssl = SSL_new(p->ctx);
@@ -281,8 +279,18 @@  static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
     bio->ptr = c->tcp;
 #endif
     SSL_set_bio(p->ssl, bio, bio);
-    if (!c->listen && !c->numerichost)
+    if (!c->listen && !c->numerichost) {
         SSL_set_tlsext_host_name(p->ssl, c->host);
+        if (c->verify)
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+            SSL_set1_host(p->ssl, c->host);
+#else
+            av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n"
+                                      "which doesn't provide peer name verification, so this connection\n"
+                                      "will be made insecurely. To make this connection securely,\n"
+                                      "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n");
+#endif
+    }
     ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
     if (ret == 0) {
         av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
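Review bot: The return value of `SSL_set1_host` in the new verify branch is not checked, so when it fails (it returns 0, e.g. on allocation failure) the handshake still proceeds with the peer certificate verified but not bound to the requested hostname, which is the silent gap the comment removed in the first hunk described; treat it like the other setup failures in this function: `if (!SSL_set1_host(p->ssl, c->host)) { ret = AVERROR(EIO); goto fail; }`. Because the whole block sits behind `!c->numerichost`, a verify=1 connection to an IP literal still never checks that the certificate names that address; `X509_VERIFY_PARAM_set1_ip_asc` on `SSL_get0_param(p->ssl)` would cover that case on OpenSSL 1.0.2 and later. In the `#else` branch the caller asked for verify and gets only a warning that the connection is insecure; whether that should be a hard error is a policy decision, but the removed `// Note, this doesn't check that the peer certificate actually matches` comment remains accurate for that build configuration and could be kept under the `#else`. tls_open continues outside the hunk.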