From patchwork Fri Oct 28 18:56:58 2016
X-Patchwork-Submitter: Mark Thompson
X-Patchwork-Id: 1215
To: FFmpeg development discussions and patches
From: Mark Thompson Message-ID: <92d049aa-a66d-dcc0-6d00-5f19762d2d5c@jkqxz.net> Date: Fri, 28 Oct 2016 19:56:58 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.4.0 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH] openssl: Allow TLS 1.2 X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" The use of TLSv1_method() disallows newer protocol versions; instead use SSLv23_method() and then explicitly disable the older versions which should not be supported. Fixes ticket #5915. --- libavformat/tls_openssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index c551ac7..7c9dd61 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -233,12 +233,13 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0) goto fail; - p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method()); + p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method()); if (!p->ctx) { av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); ret = AVERROR(EIO); goto fail; } + SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); if (c->ca_file) { if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL)) av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
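Review bot: the two added lines (`SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method())` and `SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)`) use an API that OpenSSL 1.1.0 deprecates: there SSLv23_*_method() is only an alias for TLS_server_method()/TLS_client_method(), and SSLv2 support has been removed outright, so SSL_OP_NO_SSLv2 is a no-op. Consider guarding on OPENSSL_VERSION_NUMBER and, for 1.1.0 and later, using TLS_server_method()/TLS_client_method() together with SSL_CTX_set_min_proto_version(p->ctx, TLS1_VERSION), which states the floor directly rather than enumerating versions to exclude, while keeping the SSLv23_* path plus SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 for older releases. Either way, the intended floor deserves a comment next to the call: SSL_OP_NO_SSLv3 alone still leaves TLS 1.0 and 1.1 negotiable, which appears to be what is wanted here but is not obvious from "disable the older versions which should not be supported". No return-value check is needed on SSL_CTX_set_options, since it returns the updated option bitmask rather than an error code.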