Using SSL_CTX_set_options to disallow specific versions is discouraged by the documentation, which recommends to use SSL_CTX_set_min_proto_version instead. --- libavformat/tls_openssl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 72ee36e7af..e10ccf1cb8 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -901,7 +901,11 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op ret = AVERROR(EIO); goto fail; } - SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + if (!SSL_CTX_set_min_proto_version(p->ctx, TLS1_VERSION)) { + av_log(h, AV_LOG_ERROR, "Failed to set minimum TLS version to TLSv1\n"); + ret = AVERROR_EXTERNAL; + goto fail; + } ret = openssl_init_ca_key_cert(h); if (ret < 0) goto fail; // Note, this doesn't check that the peer certificate actually matches -- 2.39.5 (Apple Git-154) _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".