Re: [FFmpeg-devel] [PATCH 4/6] lavf/tls_mbedtls: fix handling of certification validation failures
Am 18.05.24 um 21:53 schrieb Michael Niedermayer: On Fri, May 17, 2024 at 10:34:41AM +0200, Sfan5 wrote: We manually check the verification status after the handshake has completed using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED mbedtls_ssl_handshake() already returns an error, so this code is never reached. Fix that by using VERIFY_OPTIONAL, which performs the verification but does not abort the handshake. Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 9508fe3436..67d5c568b9 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -263,8 +263,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } +// not VERIFY_REQUIRED because we manually check after handshake mbedtls_ssl_conf_authmode(_ctx->ssl_config, - shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); + shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(_ctx->ssl_config, mbedtls_ctr_drbg_random, _ctx->ctr_drbg_context); mbedtls_ssl_conf_ca_chain(_ctx->ssl_config, _ctx->ca_cert, NULL); This patch looks corrupted by extra line breaks [...] Thanks for pointing that out. It looks like years later Microsoft is still incapable of leaving patches intact... Will send as attachments for v2. ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 4/6] lavf/tls_mbedtls: fix handling of certification validation failures
On Fri, May 17, 2024 at 10:34:41AM +0200, Sfan5 wrote: > We manually check the verification status after the handshake has completed > using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED > mbedtls_ssl_handshake() already returns an error, so this code is never > reached. > Fix that by using VERIFY_OPTIONAL, which performs the verification but > does not abort the handshake. > > Signed-off-by: sfan5 > --- > libavformat/tls_mbedtls.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c > index 9508fe3436..67d5c568b9 100644 > --- a/libavformat/tls_mbedtls.c > +++ b/libavformat/tls_mbedtls.c > @@ -263,8 +263,9 @@ static int tls_open(URLContext *h, const char *uri, int > flags, AVDictionary **op > goto fail; > } > +// not VERIFY_REQUIRED because we manually check after handshake > mbedtls_ssl_conf_authmode(_ctx->ssl_config, > - shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : > MBEDTLS_SSL_VERIFY_NONE); > + shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : > MBEDTLS_SSL_VERIFY_NONE); > mbedtls_ssl_conf_rng(_ctx->ssl_config, mbedtls_ctr_drbg_random, > _ctx->ctr_drbg_context); > mbedtls_ssl_conf_ca_chain(_ctx->ssl_config, _ctx->ca_cert, > NULL); This patch looks corrupted by extra line breaks [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB There will always be a question for which you do not know the correct answer. signature.asc Description: PGP signature ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 4/6] lavf/tls_mbedtls: fix handling of certification validation failures
We manually check the verification status after the handshake has completed using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED mbedtls_ssl_handshake() already returns an error, so this code is never reached. Fix that by using VERIFY_OPTIONAL, which performs the verification but does not abort the handshake. Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 9508fe3436..67d5c568b9 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -263,8 +263,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } +// not VERIFY_REQUIRED because we manually check after handshake mbedtls_ssl_conf_authmode(_ctx->ssl_config, - shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); + shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(_ctx->ssl_config, mbedtls_ctr_drbg_random, _ctx->ctr_drbg_context); mbedtls_ssl_conf_ca_chain(_ctx->ssl_config, _ctx->ca_cert, NULL); -- 2.45.1 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
