As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate
verification
is now mandatory. Our default configuration does not do verification, so
downgrade to 1.2 in these situations to avoid breaking it.
ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
Signed-off-by: sfan5 <sf...@live.de>
---
libavformat/tls_mbedtls.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 8268e74638..5d5c7bfb25 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -163,6 +163,10 @@ static void handle_handshake_error(URLContext *h,
int ret)
case MBEDTLS_ERR_SSL_INTERNAL_ERROR:
av_log(h, AV_LOG_ERROR, "Internal error encountered.\n");
break;
+ case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
+ // This error only happens with TLSv1.3, we normally use
mbedtls_ssl_get_verify_result().
+ av_log(h, AV_LOG_ERROR, "Certificate verification failed.\n");
+ break;
case MBEDTLS_ERR_NET_CONN_RESET:
av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n");
break;
@@ -263,6 +267,14 @@ static int tls_open(URLContext *h, const char *uri,
int flags, AVDictionary **op
goto fail;
}
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+ // mbedTLS does not allow disabling certificate verification with
TLSv1.3 (yes, really).
+ if (!shr->verify) {
+ av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate
verification is disabled\n");
+ mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config,
MBEDTLS_SSL_VERSION_TLS1_2);
+ }
+#endif
+
// not VERIFY_REQUIRED because we manually check after handshake
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
shr->verify ?
MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
--
2.45.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
