From patchwork Sat Oct 29 08:53:30 2016
X-Patchwork-Submitter: Mark Thompson
X-Patchwork-Id: 1219
To: FFmpeg development discussions and patches
References: <92d049aa-a66d-dcc0-6d00-5f19762d2d5c@jkqxz.net>
From: Mark Thompson
Message-ID: <914b948d-3aca-9336-b136-61d84ca9d39b@jkqxz.net>
Date: Sat, 29 Oct 2016 09:53:30 +0100
Subject: [FFmpeg-devel] [PATCH] openssl: Allow newer TLS versions than TLSv1

The use of TLSv1_*_method() disallows newer protocol versions; instead
use SSLv23_*_method() and then explicitly disable the deprecated
protocol versions which should not be supported.

Fixes ticket #5915.
---
On 28/10/16 22:15, Hendrik Leppkes wrote:
> I should have looked further when commenting on the other patch - I guess. :)
> Looks good to me, the OpenSSL API seems to be rather confusing in this
> regard. Maybe a comment might be useful to indicate why this is done.

Hopefully this is clearer.

Thanks,

- Mark

 libavformat/tls_openssl.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index c551ac7..178ca9e 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -233,12 +233,17 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0) goto fail; - p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method()); + // We want to support all versions of TLS >= 1.0, but not the deprecated + // and insecure SSLv2 and SSLv3. Despite the name, SSLv23_*_method() + // enables support for all versions of SSL and TLS, and we then disable + // support for the old protocols immediately after creating the context. + p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method()); if (!p->ctx) { av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); ret = AVERROR(EIO); goto fail; } + SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); if (c->ca_file) { if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL)) av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
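Review bot: SSLv23_client_method() / SSLv23_server_method() in the replaced SSL_CTX_new() line are deprecated from OpenSSL 1.1.0, where they survive only as compatibility macros for TLS_client_method() / TLS_server_method(); consider selecting the TLS_* names under `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` so the build stays warning-free on newer OpenSSL, since the comment block explicitly explains the SSLv23 naming and will otherwise age quickly. The `SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` call is correctly placed after the `if (!p->ctx)` NULL check, and on 1.1.0+ SSL_OP_NO_SSLv2 is defined as 0 because SSLv2 was removed, which is harmless here; if the minimum is later raised above TLS 1.0, the same pattern extends with SSL_OP_NO_TLSv1 / SSL_OP_NO_TLSv1_1, or SSL_CTX_set_min_proto_version() on 1.1.0+. The new comment states ">= 1.0" as the intent, which matches the option mask, so the comment and code agree.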