---
 libavformat/tls_openssl.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 38af8a21c0..50361d30e2 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -256,8 +256,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
 ret = AVERROR(EIO);
 goto fail;
 }
- // Note, this doesn't check that the peer certificate actually matches
- // the requested hostname.
 if (c->verify)
 SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
 p->ssl = SSL_new(p->ctx);
@@ -281,8 +279,18 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
 bio->ptr = c->tcp;
 #endif
 SSL_set_bio(p->ssl, bio, bio);
- if (!c->listen && !c->numerichost)
+ if (!c->listen && !c->numerichost) {
 SSL_set_tlsext_host_name(p->ssl, c->host);
+ if (c->verify)
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ SSL_set1_host(p->ssl, c->host);
+#else
+ av_log(h, AV_LOG_WARNING, "ffmpeg was built against an old version of OpenSSL\n"
+ "which doesn't provide peer name verification, so this connection\n"
+ "will be made insecurely. To make this connection securely,\n"
+ "upgrade to a newer OpenSSL version, or use GNUTLS instead.\n");
+#endif
+ }
 ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
 if (ret == 0) {
 av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
-- 2.14.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
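Review bot: The return value of `SSL_set1_host(p->ssl, c->host)` is ignored in the added `#if` branch of the second hunk, so if the call fails the handshake below still runs with chain validation only and no peer-name check, even though `c->verify` was requested. Treat any result other than 1 as fatal, using the `ret = AVERROR(EIO); goto fail;` pattern visible in the first hunk's context, and brace the `if (c->verify)` so the preprocessor branches cannot change what the condition guards. The whole block is also skipped when `c->numerichost` is set, so a verified connection to an IP literal appears to get no identity check at all; that case would need an address match (for example `X509_VERIFY_PARAM_set1_ip_asc` on `SSL_get0_param(p->ssl)`) or at least the same warning. tls_open starts and ends outside this hunk, so reachability of the `fail` label from this point is assumed rather than visible.

```c
    if (!c->listen && !c->numerichost) {
        SSL_set_tlsext_host_name(p->ssl, c->host);
        if (c->verify) {
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
            /* Fail closed: without the expected name set, the peer's
             * certificate would be accepted for any host. */
            if (SSL_set1_host(p->ssl, c->host) != 1) {
                av_log(h, AV_LOG_ERROR, "Unable to set the expected peer name\n");
                ret = AVERROR(EIO);
                goto fail;
            }
#else
            /* … unchanged: warning that peer name verification is unavailable … */
#endif
        }
    }
```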