On Thu, 19 Sep 2013, Diego Biurrun wrote:
On Thu, Sep 19, 2013 at 12:43:00PM +0300, Martin Storsjö wrote:--- a/libavformat/tls.c +++ b/libavformat/tls.c @@ -151,7 +176,14 @@ static int tls_open(URLContext *h, const char *uri, int flags) if (!numerichost) gnutls_server_name_set(c->session, GNUTLS_NAME_DNS, host, strlen(host)); gnutls_certificate_allocate_credentials(&c->cred); - gnutls_certificate_set_verify_flags(c->cred, 0); + if (c->ca_file) + gnutls_certificate_set_x509_trust_file(c->cred, c->ca_file, GNUTLS_X509_FMT_PEM); +#if GNUTLS_VERSION_MAJOR >= 3Why not require gnutls > 3 instead in configure? 3.0.0 was released more than two years ago.
Because many distributions are still on 2.x - the recently released debian stable is still on 2.12. Additionally, I really don't like dropping support for widely available libraries just because it would save us one ifdef, and so far we've been able to support 2.x just fine.
@@ -163,6 +195,35 @@ static int tls_open(URLContext *h, const char *uri, int flags) + if ((ret = gnutls_certificate_verify_peers2(c->session, &status)) < 0) { + av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n", + gnutls_strerror(ret)); + } + if (!ret) { + av_log(h, AV_LOG_ERROR, "The certificate's owner does not match " + "hostname %s\n", host);nit: I would suggest breaking after the second argument instead.
Will update locally. // Martin _______________________________________________ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
