From patchwork Tue Jun 4 10:27:59 2024
X-Patchwork-Submitter: sfan5
X-Patchwork-Id: 49534
Date: Tue, 4 Jun 2024 12:27:59 +0200
To: FFmpeg development discussions and patches
From: sfan5
Subject: [FFmpeg-devel] [PATCH v3 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.
List-Id: FFmpeg development discussions and patches

From 9df718654e45eb02c1f2b3f29b4554a6a90900ef Mon Sep 17 00:00:00 2001
From: sfan5 Date: Fri, 17 May 2024 10:06:42 +0200 Subject: [PATCH v3 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0 As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification is now mandatory. Our default configuration does not do verification, so downgrade to 1.2 in these situations to avoid breaking it. ref: https://github.com/Mbed-TLS/mbedtls/issues/7075 Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 91e93fb862..567b95b129 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -269,6 +269,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } +#ifdef MBEDTLS_SSL_PROTO_TLS1_3 + // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really). + if (!shr->verify) { + av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n"); + mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2); + } +#endif + // not VERIFY_REQUIRED because we manually check after handshake mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE); -- 2.45.2
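Review bot: In the new `#ifdef MBEDTLS_SSL_PROTO_TLS1_3` block in tls_open(), capping the maximum version at TLS 1.2 whenever `!shr->verify` means a peer that only accepts TLS 1.3 can no longer be reached with verification disabled, and the AV_LOG_INFO message does not tell the user that this is a possible cause of a handshake failure or that enabling verification lifts the cap. Since the commit message states that the default configuration does not verify, every default connection is now limited to TLS 1.2, which is worth stating in the log text or the option documentation. The code comment would also age better if "(yes, really)" were replaced with the mbedTLS version (3.6.0) and the upstream issue link already given in the commit message, so the reason for the workaround and the condition for removing it are visible in the source.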