From patchwork Sat May 30 03:57:50 2020
X-Patchwork-Submitter: rcombs
X-Patchwork-Id: 19975
From: rcombs
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 29 May 2020 22:57:50 -0500
Message-Id: <20200530035753.30241-1-rcombs@rcombs.me>
Subject: [FFmpeg-devel] [PATCH 1/4] lavf/tls_openssl: add support for verifying the server hostname on >=1.1.0

--- libavformat/tls_openssl.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 002197fa76..d66845cf48 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -272,8 +272,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op ret = AVERROR(EIO); goto fail; } - // Note, this doesn't check that the peer certificate actually matches - // the requested hostname. if (c->verify) SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); p->ssl = SSL_new(p->ctx);
@@ -297,8 +295,18 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op bio->ptr = c->tcp; #endif SSL_set_bio(p->ssl, bio, bio); - if (!c->listen && !c->numerichost) + if (!c->listen && !c->numerichost) { SSL_set_tlsext_host_name(p->ssl, c->host); + if (c->verify) +#if OPENSSL_VERSION_NUMBER >= 0x1010000fL + SSL_set1_host(p->ssl, c->host); +#else + av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n" + "which doesn't provide peer name verification, so this connection\n" + "will be made insecurely. To make this connection securely,\n" + "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n"); +#endif + } ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl); if (ret == 0) { av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
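Review bot: Deleting the "this doesn't check that the peer certificate actually matches the requested hostname" comment in the first hunk (the @@ -272,8 +272,6 @@ hunk) is only accurate for OpenSSL >= 1.1.0; on older builds the comment still describes what happens, since the second hunk only logs a warning there. Rather than dropping it, move it into the `#else` branch next to the warning, or reword it at its current spot (for example: "hostname matching is done via SSL_set1_host() below on OpenSSL >= 1.1.0 and not at all on older versions"), so that anyone reading tls_open() on an old-OpenSSL build still sees the caveat where SSL_CTX_set_verify() is configured.

Review bot: In the second hunk (the @@ -297,8 +295,18 @@ hunk) the return value of SSL_set1_host() is discarded; it returns 0 on failure, and in that case a connection the caller asked to verify proceeds without any hostname matching. Check it and fail the open, e.g. `if (!SSL_set1_host(p->ssl, c->host)) { ret = AVERROR(EIO); goto fail; }`. Two related points: the `#else` branch warns and then continues insecurely even though the caller explicitly set verify=1, so consider returning an error there instead of downgrading (a warning line is easy to miss in an unattended run); and because the whole block sits under `!c->listen && !c->numerichost`, a numeric host with verify=1 still gets no peer identity check at all, where `X509_VERIFY_PARAM_set1_ip_asc(SSL_get0_param(p->ssl), c->host)` would check the address against the certificate's iPAddress SANs. Also note that LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L, so the version test selects the SSL_set1_host() path there; worth confirming the LibreSSL versions FFmpeg builds against provide it.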