diff mbox series

[FFmpeg-devel,v3,6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.

Message ID DU0PR03MB9567E668735F33284FE87616ECF82@DU0PR03MB9567.eurprd03.prod.outlook.com
State New
Headers show
Series [FFmpeg-devel,v3,1/6] lavf/tls_mbedtls: handle more error codes for | expand

Checks

Context Check Description
yinshiyou/configure_loongarch64 warning Failed to apply patch
andriy/configure_x86 warning Failed to apply patch

Commit Message

sfan5 June 4, 2024, 10:27 a.m. UTC
diff mbox series

Patch

From 9df718654e45eb02c1f2b3f29b4554a6a90900ef Mon Sep 17 00:00:00 2001
From: sfan5 <sfan5@live.de>
Date: Fri, 17 May 2024 10:06:42 +0200
Subject: [PATCH v3 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.
 verify=0

As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification
is now mandatory. Our default configuration does not do verification, so
downgrade to 1.2 in these situations to avoid breaking it.

ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
Signed-off-by: sfan5 <sfan5@live.de>
---
 libavformat/tls_mbedtls.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 91e93fb862..567b95b129 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -269,6 +269,14 @@  static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
         goto fail;
     }
 
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+    // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
+    if (!shr->verify) {
+        av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
+        mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
+    }
+#endif
+
     // not VERIFY_REQUIRED because we manually check after handshake
     mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
                               shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
-- 
2.45.2