On 10 Jul 2025, at 13:51, Marvin Scholz wrote:

> When no explicit CAs file is set, load the default locations,
> else there is no way for verification to succeed.
>
> This matches the behavior of other TLS backends.
> ---
>  libavformat/tls_openssl.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
> index 33b3a46dfd..79801b7261 100644
> --- a/libavformat/tls_openssl.c
> +++ b/libavformat/tls_openssl.c
> @@ -699,6 +699,12 @@ static av_cold int openssl_init_ca_key_cert(URLContext 
> *h)
>      if (c->ca_file) {
>          if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
>              av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", 
> openssl_get_error(p));
> +    } else {
> +        if (!SSL_CTX_set_default_verify_paths(p->ctx)) {
> +            // Only log the failure but do not error out, as this is not 
> fatal
> +            av_log(h, AV_LOG_WARNING, "Failure setting default verify 
> locations: %s\n",
> +                openssl_get_error(p));
> +        }
>      }
>
>      if (c->cert_file) {
> -- 
> 2.39.5 (Apple Git-154)


Pushed as e56fd2af1a0b65bf5a7788462cbaee3b4b909591
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to