diff mbox series

[FFmpeg-devel,v2,4/6] lavf/tls_mbedtls: fix handling of certification

Message ID DU0PR03MB95673678B90B71942EA132E7ECF22@DU0PR03MB9567.eurprd03.prod.outlook.com
State New
Headers show
Series [FFmpeg-devel,v2,1/6] lavf/tls_mbedtls: handle more error codes for | expand


Context Check Description
andriy/configure_x86 warning Failed to apply patch
yinshiyou/configure_loongarch64 warning Failed to apply patch

Commit Message

sfan5 May 29, 2024, 11:02 a.m. UTC

diff mbox series


From d561732d7c05d820baeb9c8bff5e8a4b133fe624 Mon Sep 17 00:00:00 2001
From: sfan5 <sfan5@live.de>
Date: Mon, 13 May 2024 20:27:17 +0200
Subject: [PATCH v2 4/6] lavf/tls_mbedtls: fix handling of certification
 validation failures

We manually check the verification status after the handshake has completed
using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED
mbedtls_ssl_handshake() already returns an error, so this code is never reached.
Fix that by using VERIFY_OPTIONAL, which performs the verification but
does not abort the handshake.

Signed-off-by: sfan5 <sfan5@live.de>
 libavformat/tls_mbedtls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index f53e918e04..ef447e12a5 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -266,8 +266,9 @@  static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
         goto fail;
+    // not VERIFY_REQUIRED because we manually check after handshake
-                              shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
+                              shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
     mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
     mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);