[FFmpeg-devel] [PATCH 2/2] lavf/tls: accept a default CA bundle at configure-time
Rodger Combs
rodger.combs at gmail.com
Wed May 20 22:39:14 CEST 2015
---
configure | 30 +++++++++++++++++++++++++++++-
libavformat/tls.c | 2 +-
2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/configure b/configure
index 35ed82b..651405b 100755
--- a/configure
+++ b/configure
@@ -108,6 +108,7 @@ Configuration options:
--disable-all disable building components, libraries and programs
--enable-incompatible-libav-abi enable incompatible Libav fork ABI [no]
--enable-raise-major increase major version numbers in sonames [no]
+ --default-ca-file=PATH default CA file for TLS verification [autodetect]
Program options:
--disable-programs do not build command line programs
@@ -1953,6 +1954,7 @@ PATHS_LIST="
mandir
prefix
shlibdir
+ default_ca_file
"
CMDLINE_SET="
@@ -3138,6 +3140,7 @@ test -n "$cross_prefix" && enable cross_compile
if enabled cross_compile; then
test -n "$arch" && test -n "$target_os" ||
die "Must specify target arch and OS when cross-compiling"
+ disable find_cert_bundle
fi
ar_default="${cross_prefix}${ar_default}"
@@ -5188,11 +5191,31 @@ if ! disabled sdl; then
fi
enabled sdl && add_cflags $sdl_cflags && add_extralibs $sdl_libs
-{ enabled openssl || enabled gnutls; } && disable securetransport
+{ enabled openssl || enabled gnutls; } && disable securetransport || disable find_cert_bundle
disabled securetransport || { check_lib2 Security/SecureTransport.h SSLCreateContext "-Wl,-framework,CoreFoundation -Wl,-framework,Security" &&
enable securetransport securetransport; } || enable securetransport
+# CA bundle
+
+if ! disabled find_cert_bundle && [[ -z "$default_ca_file" ]]; then
+ for a in /etc/ssl/certs/ca-certificates.crt \
+ /etc/ssl/cert.pem \
+ /etc/pki/tls/certs/ca-bundle.crt \
+ /etc/pki/tls/certs/ca-bundle.trust.crt \
+ /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
+ /usr/share/ssl/certs/ca-bundle.crt \
+ /usr/local/share/certs/ca-root.crt \
+ /usr/local/share/curl/curl-ca-bundle.crt \
+ /System/Library/OpenSSL/cert.pem;
+ do
+ if test -f "$a"; then
+ default_ca_file="$a"
+ break
+ fi
+ done
+fi
+
makeinfo --version > /dev/null 2>&1 && enable makeinfo || disable makeinfo
enabled makeinfo && (makeinfo --version | \
grep -q 'makeinfo (GNU texinfo) 5' > /dev/null 2>&1) \
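Review bot: The autodetection guard uses `[[ -z "$default_ca_file" ]]`, which is a bash/ksh construct. If configure runs under a strict POSIX shell (its interpreter line is outside this hunk), the test fails as an unknown command, the loop is skipped, and the build silently ends up with no default CA file. The portable form is `if ! disabled find_cert_bundle && test -z "$default_ca_file"; then`. Separately, the selected path is whichever file exists on the build host and becomes a compile-time trust anchor, so a comment above the loop would help packagers: `# first bundle found on the build host is baked into config.h; pass --default-ca-file=PATH for builds that run elsewhere`.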
@@ -5724,6 +5747,7 @@ echo "makeinfo enabled ${makeinfo-no}"
echo "makeinfo supports HTML ${makeinfo_html-no}"
test -n "$random_seed" &&
echo "random seed ${random_seed}"
+echo "default CA file ${default_ca_file:-none}"
echo
echo "External libraries:"
@@ -5916,6 +5940,10 @@ cat > $TMPH <<EOF
#define SWS_MAX_FILTER_SIZE $sws_max_filter_size
EOF
+test -n "$default_ca_file" &&
+ echo "#define DEFAULT_CA_FILE \"$(eval c_escape $default_ca_file)\"" >>$TMPH ||
+ echo "#define DEFAULT_CA_FILE NULL" >> $TMPH
+
test -n "$assert_level" &&
echo "#define ASSERT_LEVEL $assert_level" >>$TMPH
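Review bot: `$(eval c_escape $default_ca_file)` expands the path unquoted and then re-parses it through `eval`, so a `--default-ca-file=` value containing spaces or shell metacharacters is word-split or interpreted at configure time instead of being escaped. No variable indirection is needed here, so the call can be `echo "#define DEFAULT_CA_FILE \"$(c_escape "$default_ca_file")\"" >>$TMPH`, assuming c_escape (defined outside this hunk) takes the string as its argument. The `test … && echo … || echo …` chain also appends the NULL define if the first echo fails; an `if`/`else` would keep the two defines mutually exclusive.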
diff --git a/libavformat/tls.c b/libavformat/tls.c
index 70596f8..c941de8 100644
--- a/libavformat/tls.c
+++ b/libavformat/tls.c
@@ -102,7 +102,7 @@ typedef struct TLSContext {
#define D AV_OPT_FLAG_DECODING_PARAM
#define E AV_OPT_FLAG_ENCODING_PARAM
static const AVOption options[] = {
- {"ca_file", "Certificate Authority database file", OFFSET(ca_file), AV_OPT_TYPE_STRING, .flags = D|E },
+ {"ca_file", "Certificate Authority database file", OFFSET(ca_file), AV_OPT_TYPE_STRING, { .str = DEFAULT_CA_FILE }, .flags = D|E },
{"cafile", "Certificate Authority database file", OFFSET(ca_file), AV_OPT_TYPE_STRING, .flags = D|E },
{"tls_verify", "Verify the peer certificate", OFFSET(verify), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = D|E },
{"cert_file", "Certificate file", OFFSET(cert_file), AV_OPT_TYPE_STRING, .flags = D|E },
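Review bot: Only the `ca_file` entry gets the new default, while the `cafile` alias on the next line writes the same `OFFSET(ca_file)` field with no default. If option defaults are applied in table order (the code that applies them is not shown here), the alias entry would reset the field to NULL after `ca_file` set it, so the alias should carry the same initializer, `{ .str = DEFAULT_CA_FILE }`. Note also that `tls_verify` still defaults to `{ .i64 = 0 }` in this table, so configuring a bundle does not by itself turn on peer certificate checking; a short comment beside the new default saying that verification remains opt-in would prevent that assumption. The options array continues past the end of the hunk.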
--
2.3.5