On Thu, 19 Sep 2013, Diego Biurrun wrote:
On Thu, Sep 19, 2013 at 12:43:00PM +0300, Martin Storsjö wrote:
--- a/libavformat/tls.c
+++ b/libavformat/tls.c
@@ -151,7 +176,14 @@ static int tls_open(URLContext *h, const char *uri, int
flags)
if (!numerichost)
gnutls_server_name_set(c->session, GNUTLS_NAME_DNS, host,
strlen(host));
gnutls_certificate_allocate_credentials(&c->cred);
- gnutls_certificate_set_verify_flags(c->cred, 0);
+ if (c->ca_file)
+ gnutls_certificate_set_x509_trust_file(c->cred, c->ca_file,
GNUTLS_X509_FMT_PEM);
+#if GNUTLS_VERSION_MAJOR >= 3
Why not require gnutls > 3 instead in configure?
3.0.0 was released more than two years ago.
Because many distributions are still on 2.x - the recently released debian
stable is still on 2.12. Additionally, I really don't like dropping
support for widely available libraries just because it would save us one
ifdef, and so far we've been able to support 2.x just fine.
@@ -163,6 +195,35 @@ static int tls_open(URLContext *h, const char *uri, int
flags)
+ if ((ret = gnutls_certificate_verify_peers2(c->session, &status)) < 0)
{
+ av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
+ gnutls_strerror(ret));
+ }
+ if (!ret) {
+ av_log(h, AV_LOG_ERROR, "The certificate's owner does not match "
+ "hostname %s\n", host);
nit: I would suggest breaking after the second argument instead.
Will update locally.
// Martin
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel