[FFmpeg-devel] [PATCH 4/4] lavf/tls: enable server verification by default when not on mbedtls

[Rodger Combs]

All other TLS wrappers now have a mechanism to load a system trust store
by default, without setting the cafile option. For Secure Transport and
Secure Channel, it's the OS. For OpenSSL and libtls, it's a path set at
compile-time. For GNUTLS, it's either a path set at compile-time, or the
OS trust store (if on macOS, iOS, or Windows). It's possible to configure
OpenSSL, GNUTLS, and libtls without a working trust store, but these are
broken configurations and I don't have a problem with requiring users with
that kind of install to either fix it, or explicitly opt in to insecure
behavior. mbedtls doesn't have a default trust store (it's assumed that the
application will provide one), so it continues to require the user to pass
in a path and enable verification manually.
---
 libavformat/tls.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/tls.h b/libavformat/tls.h
index beb19d6d55..988085173e 100644
--- a/libavformat/tls.h
+++ b/libavformat/tls.h
@@ -45,7 +45,7 @@ typedef struct TLSShared {
 #define TLS_COMMON_OPTIONS(pstruct, options_field) \
     {"ca_file",    "Certificate Authority database file", offsetof(pstruct, options_field . ca_file),   AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"cafile",     "Certificate Authority database file", offsetof(pstruct, options_field . ca_file),   AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
-    {"tls_verify", "Verify the peer certificate",         offsetof(pstruct, options_field . verify),    AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
+    {"tls_verify", "Verify the peer certificate",         offsetof(pstruct, options_field . verify),    AV_OPT_TYPE_INT, { .i64 = !CONFIG_MBEDTLS }, 0, 1, .flags = TLS_OPTFL }, \
     {"cert_file",  "Certificate file",                    offsetof(pstruct, options_field . cert_file), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"key_file",   "Private key file",                    offsetof(pstruct, options_field . key_file),  AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \
     {"listen",     "Listen for incoming connections",     offsetof(pstruct, options_field . listen),    AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = TLS_OPTFL }, \
-- 
2.19.1