On 10 Jul 2025, at 13:51, Marvin Scholz wrote:
> When no explicit CAs file is set, load the default locations,
> else there is no way for verification to succeed.
>
> This matches the behavior of other TLS backends.
> ---
> libavformat/tls_openssl.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
> index 33b3a46dfd..79801b7261 100644
> --- a/libavformat/tls_openssl.c
> +++ b/libavformat/tls_openssl.c
> @@ -699,6 +699,12 @@ static av_cold int openssl_init_ca_key_cert(URLContext
> *h)
> if (c->ca_file) {
> if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
> av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n",
> openssl_get_error(p));
> + } else {
> + if (!SSL_CTX_set_default_verify_paths(p->ctx)) {
> + // Only log the failure but do not error out, as this is not
> fatal
> + av_log(h, AV_LOG_WARNING, "Failure setting default verify
> locations: %s\n",
> + openssl_get_error(p));
> + }
> }
>
> if (c->cert_file) {
> --
> 2.39.5 (Apple Git-154)
Pushed as e56fd2af1a0b65bf5a7788462cbaee3b4b909591
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
