[FFmpeg-devel] [PATCH 5/5] lavf/tls: enable server verification by default when not on mbedtls

Carl Eugen Hoyos ceffmpeg at gmail.com
Fri Jan 18 13:41:19 EET 2019


2019-01-18 9:46 GMT+01:00, Rodger Combs <rodger.combs at gmail.com>:
> All other TLS wrappers now have a mechanism to load a system trust store
> by default, without setting the cafile option. For Secure Transport and
> Secure Channel, it's the OS. For OpenSSL and libtls, it's a path set at
> compile-time. For GNUTLS, it's either a path set at compile-time, or the
> OS trust store (if on macOS, iOS, or Windows). It's possible to configure
> OpenSSL, GNUTLS, and libtls without a working trust store, but these are
> broken configurations and I don't have a problem with requiring users with
> that kind of install to either fix it, or explicitly opt in to insecure
> behavior. mbedtls doesn't have a default trust store (it's assumed that the
> application will provide one), so it continues to require the user to pass
> in a path and enable verification manually.

I believe the current behaviour is more desirable as default for a multimedia
library.

Carl Eugen

