[FFmpeg-devel] [PATCH 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0
sfan5
sfan5 at live.de
Tue Jun 11 19:17:00 EEST 2024
Am 11.06.24 um 17:02 schrieb Anton Khirnov:
> Quoting Sfan5 (2024-05-17 10:34:50)
>> As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification
>> is now mandatory. Our default configuration does not do verification, so
>> downgrade to 1.2 in these situations to avoid breaking it.
>>
>> ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
>> Signed-off-by: sfan5 <sfan5 at live.de>
>> ---
> Would it not be simpler to simply set authmode to
> MBEDTLS_SSL_VERIFY_OPTIONAL unconditionally, then just disregard the
> verification result?
>
That's the thing and it's exactly as stupid as it sounds: When using
TLSv1.3 it will ignore the MBEDTLS_SSL_VERIFY mode entirely.
If the verification doesn't pass the handshake fails and you don't get
a usable connection. I'm hoping the mbedTLS devs realize at some point
how nonviable this is and fix it, but as of right now this is the only
way to not have ffmpeg "randomly" (depending on if the server speaks
TLSv1.3) fail with mbedTLS 3.6.0.