Am 18.05.24 um 21:53 schrieb Michael Niedermayer:
On Fri, May 17, 2024 at 10:34:41AM +0200, Sfan5 wrote:
We manually check the verification status after the handshake has completed
using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED
mbedtls_ssl_handshake() already returns an error, so this code is never
reached.
Fix that by using VERIFY_OPTIONAL, which performs the verification but
does not abort the handshake.
Signed-off-by: sfan5 <sf...@live.de>
---
libavformat/tls_mbedtls.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 9508fe3436..67d5c568b9 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -263,8 +263,9 @@ static int tls_open(URLContext *h, const char *uri, int
flags, AVDictionary **op
goto fail;
}
+ // not VERIFY_REQUIRED because we manually check after handshake
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
- shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED :
MBEDTLS_SSL_VERIFY_NONE);
+ shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL :
MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random,
&tls_ctx->ctr_drbg_context);
mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert,
NULL);
This patch looks corrupted by extra line breaks
[...]
Thanks for pointing that out.
It looks like years later Microsoft is still incapable of leaving
patches intact... Will send as attachments for v2.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
