PR #23226 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23226 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23226.patch
tls_open() calls SSL_set1_host() + SSL_set_tlsext_host_name() only when the URL host is non-numeric (the `!s->numerichost` branch). For numeric hosts, no identity target is installed, so OpenSSL's verification accepts any publicly-trusted chain regardless of the certificate's identity. The patch adds an else-if branch that installs an IP identity check via X509_VERIFY_PARAM_set1_ip_asc() for numeric hosts when verify=1. SNI remains suppressed for IP literals per RFC 6066, but the certificate must now match the requested IP via subjectAltName iPAddress. Mirror the host-identity check already present for DNS names. Gate on s->verify so operators who deliberately disable identity checks retain the prior behaviour. Returns AVERROR_EXTERNAL on parameter-setting failure with an explicit log line. Found-by: Claude (Anthropic). Human-verified and reported by Omkhar Arasaratnam <[email protected]>. Signed-off-by: Omkhar Arasaratnam <[email protected]> >From 244a89eb9ea9b08c31661706d4b22cd26135da90 Mon Sep 17 00:00:00 2001 From: Omkhar Arasaratnam <[email protected]> Date: Thu, 21 May 2026 00:00:00 +0000 Subject: [PATCH] avformat/tls_openssl: set IP identity check for numeric hosts tls_open() calls SSL_set1_host() + SSL_set_tlsext_host_name() only when the URL host is non-numeric (the `!s->numerichost` branch). For numeric hosts, no identity target is installed, so OpenSSL's verification accepts any publicly-trusted chain regardless of the certificate's identity. The patch adds an else-if branch that installs an IP identity check via X509_VERIFY_PARAM_set1_ip_asc() for numeric hosts when verify=1. SNI remains suppressed for IP literals per RFC 6066, but the certificate must now match the requested IP via subjectAltName iPAddress. Mirror the host-identity check already present for DNS names. Gate on s->verify so operators who deliberately disable identity checks retain the prior behaviour. Returns AVERROR_EXTERNAL on parameter-setting failure with an explicit log line. Found-by: Claude (Anthropic). Human-verified and reported by Omkhar Arasaratnam <[email protected]>. Signed-off-by: Omkhar Arasaratnam <[email protected]> --- libavformat/tls_openssl.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index eade59b5d5..6e95b1e1b7 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -917,6 +917,21 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op ret = AVERROR_EXTERNAL; goto fail; } + } else if (!s->listen && s->numerichost && s->verify) { + /* For numeric-IP TLS connections, SNI is intentionally suppressed + * (RFC 6066) but the peer certificate must still be bound to the + * requested IP. Without this, an attacker holding any publicly- + * trusted certificate (e.g. for an unrelated domain) is accepted + * by the default-CA chain check. Install an IP identity target + * via X509_VERIFY_PARAM_set1_ip_asc(); OpenSSL will then match + * against subjectAltName iPAddress entries (and commonName by + * default fallback) for the requested host. */ + if (!X509_VERIFY_PARAM_set1_ip_asc(SSL_get0_param(c->ssl), s->host)) { + av_log(h, AV_LOG_ERROR, "Failed to set IP for TLS/SSL verification: %s\n", + openssl_get_error(c)); + ret = AVERROR_EXTERNAL; + goto fail; + } } ret = s->listen ? SSL_accept(c->ssl) : SSL_connect(c->ssl); if (ret == 0) { -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
