diff mbox series

[FFmpeg-devel,1/4] lavf/tls_openssl: add support for verifying the server hostname on >=1.1.0

Message ID 20200530035753.30241-1-rcombs@rcombs.me
State New
Headers show
Series [FFmpeg-devel,1/4] lavf/tls_openssl: add support for verifying the server hostname on >=1.1.0
Related show

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

rcombs May 30, 2020, 3:57 a.m. UTC
---
 libavformat/tls_openssl.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

Comments

Moritz Barsnick June 3, 2020, 7:29 a.m. UTC | #1
On Fri, May 29, 2020 at 22:57:50 -0500, rcombs wrote:
> +#else
> +            av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n"
> +                                      "which doesn't provide peer name verification, so this connection\n"
> +                                      "will be made insecurely. To make this connection securely,\n"
> +                                      "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n");

Aren't there also other options than just GnuTLS? From a quick check,
it looks like most of ffmpeg's TLS implementations support
verification, but I don't know the internals. (Perhaps the same
misconception as with openssl.)

Furthermore, is that the official spelling/capitalization of GnuTLS?

Cheers,
Moritz
rcombs June 3, 2020, 7:39 a.m. UTC | #2
> On Jun 3, 2020, at 02:29, Moritz Barsnick <barsnick@gmx.net> wrote:
> 
> On Fri, May 29, 2020 at 22:57:50 -0500, rcombs wrote:
>> +#else
>> +            av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n"
>> +                                      "which doesn't provide peer name verification, so this connection\n"
>> +                                      "will be made insecurely. To make this connection securely,\n"
>> +                                      "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n");
> 
> Aren't there also other options than just GnuTLS? From a quick check,
> it looks like most of ffmpeg's TLS implementations support
> verification, but I don't know the internals. (Perhaps the same
> misconception as with openssl.)

Ahh, this patch dates back to when the only other multiplatform option was GNUTLS. I can say "or use a different TLS implementation." if you like?

> 
> Furthermore, is that the official spelling/capitalization of GnuTLS?
> 
> Cheers,
> Moritz
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Moritz Barsnick June 3, 2020, 10:29 a.m. UTC | #3
On Wed, Jun 03, 2020 at 02:39:54 -0500, Ridley Combs wrote:
> Ahh, this patch dates back to when the only other multiplatform
> option was GNUTLS. I can say "or use a different TLS implementation."
> if you like?

That would be the obvious way to go, I guess.

Moritz
diff mbox series

Patch

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 002197fa76..d66845cf48 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -272,8 +272,6 @@  static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
         ret = AVERROR(EIO);
         goto fail;
     }
-    // Note, this doesn't check that the peer certificate actually matches
-    // the requested hostname.
     if (c->verify)
         SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
     p->ssl = SSL_new(p->ctx);
@@ -297,8 +295,18 @@  static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
     bio->ptr = c->tcp;
 #endif
     SSL_set_bio(p->ssl, bio, bio);
-    if (!c->listen && !c->numerichost)
+    if (!c->listen && !c->numerichost) {
         SSL_set_tlsext_host_name(p->ssl, c->host);
+        if (c->verify)
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+            SSL_set1_host(p->ssl, c->host);
+#else
+            av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n"
+                                      "which doesn't provide peer name verification, so this connection\n"
+                                      "will be made insecurely. To make this connection securely,\n"
+                                      "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n");
+#endif
+    }
     ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
     if (ret == 0) {
         av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");