[FFmpeg-cvslog] openssl: Allow newer TLS versions than TLSv1

Mark Thompson git at videolan.org
Mon Mar 27 23:29:52 EEST 2017


ffmpeg | branch: master | Mark Thompson <sw at jkqxz.net> | Sun Oct 30 14:57:30 2016 +0000| [218ed7250c103a975e874fb16e8e5941f4cbe223] | committer: Mark Thompson

openssl: Allow newer TLS versions than TLSv1

The use of TLSv1_*_method() disallows newer protocol versions; instead
use SSLv23_*_method() and then explicitly disable the deprecated
protocol versions which should not be supported.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=218ed7250c103a975e874fb16e8e5941f4cbe223
---

 libavformat/tls_openssl.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index aab885c..0abccf0 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -221,12 +221,17 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
     if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
         goto fail;
 
-    p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method());
+    // We want to support all versions of TLS >= 1.0, but not the deprecated
+    // and insecure SSLv2 and SSLv3.  Despite the name, SSLv23_*_method()
+    // enables support for all versions of SSL and TLS, and we then disable
+    // support for the old protocols immediately after creating the context.
+    p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());
     if (!p->ctx) {
         av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
         ret = AVERROR(EIO);
         goto fail;
     }
+    SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
     if (c->ca_file)
         SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL);
     if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) {



More information about the ffmpeg-cvslog mailing list