All other TLS wrappers now have a mechanism to load a system trust store by default, without setting the cafile option. For Secure Transport and Secure Channel, it's the OS. For OpenSSL and libtls, it's a path set at compile-time. For GNUTLS, it's either a path set at compile-time, or the OS trust store (if on macOS, iOS, or Windows). It's possible to configure OpenSSL, GNUTLS, and libtls without a working trust store, but these are broken configurations and I don't have a problem with requiring users with that kind of install to either fix it, or explicitly opt in to insecure behavior. mbedtls doesn't have a default trust store (it's assumed that the application will provide one), so it continues to require the user to pass in a path and enable verification manually.
---
 libavformat/tls.c | 3 +++
 libavformat/tls.h | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/tls.c b/libavformat/tls.c
index a6dcd3cc96..c564b1252b 100644
--- a/libavformat/tls.c
+++ b/libavformat/tls.c
@@ -62,6 +62,9 @@ int ff_tls_open_underlying(TLSShared *c, URLContext *parent, const char *uri, AV
     const char *proxy_path;
     int use_proxy;
 
+    if (c->verify == -1)
+        c->verify = !c->listen && !CONFIG_MBEDTLS;
+
     set_options(c, uri);
 
     if (c->listen)
diff --git a/libavformat/tls.h b/libavformat/tls.h
index beb19d6d55..bc4ee1c216 100644
--- a/libavformat/tls.h
+++ b/libavformat/tls.h
@@ -45,7 +45,7 @@ typedef struct TLSShared {
 #define TLS_COMMON_OPTIONS(pstruct, options_field) \
     {"ca_file", "Certificate Authority database file", offsetof(pstruct, options_field . ca_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"cafile", "Certificate Authority database file", offsetof(pstruct, options_field . ca_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
-    {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
+    {"tls_verify", "Verify the peer certificate", offsetof(pstruct, options_field . verify), AV_OPT_TYPE_BOOL, { .i64 = -1 }, -1, 1, .flags = TLS_OPTFL }, \
     {"cert_file", "Certificate file", offsetof(pstruct, options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"key_file", "Private key file", offsetof(pstruct, options_field . key_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"listen", "Listen for incoming connections", offsetof(pstruct, options_field . listen), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
-- 
2.19.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
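Review bot: The new default `c->verify = !c->listen && !CONFIG_MBEDTLS;` folds two separate policy decisions into one expression with no comment in the code, so the reasoning survives only in the commit message; a reader of tls.c cannot tell why a server does not verify or why mbedtls is singled out. Add above the `if`: `/* -1 = unset: verify by default on the client side; listeners do not verify client certs, and mbedtls ships no default trust store so it keeps requiring an explicit cafile + tls_verify=1 */`. The default is also resolved before `set_options(c, uri)` runs; if that helper still reads a `verify` tag from the URI query, it is worth confirming that a per-URL value can still override the resolved default in both directions and is not masked by the now-non-zero value. The body of ff_tls_open_underlying continues outside the hunk.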
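Review bot: The `tls_verify` help string still reads `"Verify the peer certificate"` even though the option is now a tri-state whose `-1` default is resolved elsewhere (in tls.c), so `-h` output gives the user no hint that leaving it unset enables verification for clients. Suggest `"Verify the peer certificate (default: on for clients, off for listen and mbedtls)"`, or a comment above the entry noting that `-1` is the unset/auto value of the AV_OPT_TYPE_BOOL and that ff_tls_open_underlying turns it into 0 or 1. The `verify` field of TLSShared that receives this value is declared outside the hunk; a one-line comment there stating the same contract would keep the two files from drifting apart.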