When no explicit CAs file is set, load the default locations,
else there is no way for verification to succeed.
This matches the behavior of other TLS backends.
---
libavformat/tls_openssl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 33b3a46dfd..79801b7261 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -699,6 +699,12 @@ static av_cold int openssl_init_ca_key_cert(URLContext *h)
if (c->ca_file) {
if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n",
openssl_get_error(p));
+ } else {
+ if (!SSL_CTX_set_default_verify_paths(p->ctx)) {
+ // Only log the failure but do not error out, as this is not fatal
+ av_log(h, AV_LOG_WARNING, "Failure setting default verify
locations: %s\n",
+ openssl_get_error(p));
+ }
}
if (c->cert_file) {
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
