har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

lavf/tls_mbedtls: fix handling of certification validation failures

Browse Source 
We manually check the verification status after the handshake has completed
using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED
mbedtls_ssl_handshake() already returns an error, so this code is never reached.
Fix that by using VERIFY_OPTIONAL, which performs the verification but
does not abort the handshake.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
This commit is contained in:
sfan5 2024-05-13 20:27:17 +02:00 committed by Anton Khirnov
parent 827578ca76
commit 1b1e9cadc5
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/tls_mbedtls.c
View File

@ -269,8 +269,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
goto fail;
}
// not VERIFY_REQUIRED because we manually check after handshake
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);