This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

commit 9549c9ad79ee399ff469a420223d4b6118498f7e
Author:     Andreas Rheinhardt <[email protected]>
AuthorDate: Sun Mar 8 20:11:50 2026 +0100
Commit:     Andreas Rheinhardt <[email protected]>
CommitDate: Tue Jun 23 17:15:02 2026 +0200

    avformat/tls: Remove FF_API_NO_DEFAULT_TLS_VERIFY
    
    The decision to switch to checking peer certificates by default
    at the next major version bump was announced on 2025-08-09
    in commit 5621eee672391680f432075865e7580189ad0097.
    
    Thanks to Michael Niedermayer for pointing out that the documentation
    needs to be updated, too.
    
    Signed-off-by: Andreas Rheinhardt <[email protected]>
---
 doc/protocols.texi          |  8 ++++----
 libavformat/tls.h           | 11 ++---------
 libavformat/version_major.h |  2 --
 3 files changed, 6 insertions(+), 15 deletions(-)

diff --git a/doc/protocols.texi b/doc/protocols.texi
index 0ac28e78b5..368ae005f8 100644
--- a/doc/protocols.texi
+++ b/doc/protocols.texi
@@ -2085,8 +2085,8 @@ database, but it does not validate that the certificate 
actually
 matches the host name we are trying to connect to. (With other backends,
 the host name is validated as well.)
 
-This is disabled by default since it requires a CA database to be
-provided by the caller in many cases.
+This is enabled by default. Verifying the peer requires a CA database,
+which in some cases has to be provided by the caller.
 
 @item cert_file, cert=@var{filename}
 A file containing a certificate to use in the handshake with the peer.
@@ -2157,8 +2157,8 @@ peer certificate is signed by one of the root 
certificates in the CA
 database, but it does not validate that the certificate actually
 matches the host name we are trying to connect to.
 
-This is disabled by default since it requires a CA database to be
-provided by the caller in many cases.
+This is enabled by default. Verifying the peer requires a CA database,
+which in some cases has to be provided by the caller.
 
 @item cert_file, cert=@var{filename}
 A file containing a certificate to use in the handshake with the peer.
diff --git a/libavformat/tls.h b/libavformat/tls.h
index 971ae5c7a5..f2f4f8991f 100644
--- a/libavformat/tls.h
+++ b/libavformat/tls.h
@@ -25,7 +25,6 @@
 
 #include "libavutil/bprint.h"
 #include "libavutil/opt.h"
-#include "version.h"
 
 #include "url.h"
 
@@ -88,17 +87,11 @@ typedef struct TLSShared {
 
 #define TLS_OPTFL (AV_OPT_FLAG_DECODING_PARAM | AV_OPT_FLAG_ENCODING_PARAM)
 
-#if FF_API_NO_DEFAULT_TLS_VERIFY
-#define TLS_VERIFY_DEFAULT 0
-#else
-#define TLS_VERIFY_DEFAULT 1
-#endif
-
 #define FF_TLS_CLIENT_OPTIONS(pstruct, options_field) \
     {"ca_file",    "Certificate Authority database file", offsetof(pstruct, 
options_field . ca_file),   AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"cafile",     "Certificate Authority database file", offsetof(pstruct, 
options_field . ca_file),   AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
-    {"tls_verify", "Verify the peer certificate",         offsetof(pstruct, 
options_field . verify),    AV_OPT_TYPE_BOOL, { .i64 = TLS_VERIFY_DEFAULT }, 0, 
1, .flags = TLS_OPTFL }, \
-    {"verify",     "Verify the peer certificate",         offsetof(pstruct, 
options_field . verify),    AV_OPT_TYPE_BOOL, { .i64 = TLS_VERIFY_DEFAULT }, 0, 
1, .flags = TLS_OPTFL }, \
+    {"tls_verify", "Verify the peer certificate",         offsetof(pstruct, 
options_field . verify),    AV_OPT_TYPE_BOOL, { .i64 = 1 }, 0, 1, .flags = 
TLS_OPTFL }, \
+    {"verify",     "Verify the peer certificate",         offsetof(pstruct, 
options_field . verify),    AV_OPT_TYPE_BOOL, { .i64 = 1 }, 0, 1, .flags = 
TLS_OPTFL }, \
     {"cert_file",  "Certificate file",                    offsetof(pstruct, 
options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"cert",       "Certificate file",                    offsetof(pstruct, 
options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"key_file",   "Private key file",                    offsetof(pstruct, 
options_field . key_file),  AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
diff --git a/libavformat/version_major.h b/libavformat/version_major.h
index ace2f00791..d2bf618fcd 100644
--- a/libavformat/version_major.h
+++ b/libavformat/version_major.h
@@ -43,8 +43,6 @@
  */
 #define FF_API_COMPUTE_PKT_FIELDS2      (LIBAVFORMAT_VERSION_MAJOR < 63)
 
-#define FF_API_NO_DEFAULT_TLS_VERIFY    (LIBAVFORMAT_VERSION_MAJOR < 63)
-
 #define FF_API_FDEBUG_TS                (LIBAVFORMAT_VERSION_MAJOR < 63)
 
 #define FF_API_LCEVC_STRUCT             (LIBAVFORMAT_VERSION_MAJOR < 64)

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to