From patchwork Wed Aug 16 07:19:16 2017
X-Patchwork-Submitter: Rodger Combs
X-Patchwork-Id: 4719
From: Rodger Combs
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 16 Aug 2017 02:19:16 -0500
Message-Id: <20170816071918.98412-1-rodger.combs@gmail.com>
X-Mailer: git-send-email 2.14.1
Subject: [FFmpeg-devel] [PATCH 1/3] lavf/tls_openssl: add support for verifying the server hostname on >=1.1.0
List-Id: FFmpeg development discussions and patches

---
 libavformat/tls_openssl.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 38af8a21c0..50361d30e2 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -256,8 +256,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op ret = AVERROR(EIO); goto fail; } - // Note, this doesn't check that the peer certificate actually matches - // the requested hostname. if (c->verify) SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); p->ssl = SSL_new(p->ctx); @@ -281,8 +279,18 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op bio->ptr = c->tcp; #endif SSL_set_bio(p->ssl, bio, bio); - if (!c->listen && !c->numerichost) + if (!c->listen && !c->numerichost) { SSL_set_tlsext_host_name(p->ssl, c->host); + if (c->verify) +#if OPENSSL_VERSION_NUMBER >= 0x1010000fL + SSL_set1_host(p->ssl, c->host); +#else + av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n" + "which doesn't provide peer name verification, so this connection\n" + "will be made insecurely. To make this connection securely,\n" + "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n"); +#endif + } ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl); if (ret == 0) { av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
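Review bot: Dropping the comment "this doesn't check that the peer certificate actually matches the requested hostname" in the first hunk (@@ -256,8) is only accurate for builds against OpenSSL >= 1.1.0; in the #else path of the second hunk the connection is still made without any hostname match, so the caveat remains true for older OpenSSL. Suggest keeping a conditional note next to `SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);` saying that SSL_VERIFY_PEER alone validates the chain and that hostname matching is added later via SSL_set1_host on 1.1.0+ only, so the next reader does not assume verify implies identity checking on every build.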
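Review bot: In the second hunk (@@ -281,8) the return value of `SSL_set1_host(p->ssl, c->host);` is discarded; it returns 0 on failure (for example when it cannot allocate storage for the name), and in that case SSL_connect would proceed with chain validation but no hostname check even though verify was requested. Check it and abort the open, mirroring the existing pattern in tls_open: `if (!SSL_set1_host(p->ssl, c->host)) { ret = AVERROR(EIO); goto fail; }`. Two further points on the same hunk: in the #else branch the user has explicitly asked for verification, yet the code only logs a warning and continues with an unauthenticated peer identity; failing the connection (or at least making the warning say that verify is silently downgraded to chain-only checking) would be safer than a log line that is easy to miss in an automated pipeline. And because the whole block is gated on `!c->numerichost`, a connection to an IP literal gets no identity check at all even with verify set; for that case the name cannot go in SNI, but it could still be matched against an IP SAN with X509_VERIFY_PARAM_set1_ip_asc() on SSL_get0_param(p->ssl), so consider handling it rather than skipping it. Minor: the warning text spells the library "GNUTLS"; the project's name is GnuTLS.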