[FFmpeg-devel] [PATCH 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0
Anton Khirnov
anton at khirnov.net
Tue Jun 18 08:24:34 EEST 2024
Quoting sfan5 (2024-06-11 18:17:00)
> Am 11.06.24 um 17:02 schrieb Anton Khirnov:
> > Quoting Sfan5 (2024-05-17 10:34:50)
> >> As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate
> >> verification
> >> is now mandatory. Our default configuration does not do verification, so
> >> downgrade to 1.2 in these situations to avoid breaking it.
> >>
> >> ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
> >> Signed-off-by: sfan5 <sfan5 at live.de>
> >> ---
> > Would it not be simpler to simply set authmode to
> > MBEDTLS_SSL_VERIFY_OPTIONAL unconditionally, then just disregard the
> > verification result?
> >
> That's the thing and it's exactly as stupid as it sounds: When using
> TLSv1.3 it will ignore the MBEDTLS_SSL_VERIFY mode entirely.
>
> If the verification doesn't pass the handshake fails and you don't get
> an usable connection. I'm hoping the mbedTLS devs realize at some point
> how nonviable this is and fix it but as of right now this is the only
> way to not have ffmpeg "randomly" (depending on if the server speaks
> TLSv1.3) fail with mbedTLS 3.6.0.
uh...that sure is...special
Patch pushed then.
--
Anton Khirnov
More information about the ffmpeg-devel
mailing list