diff options
| author | Marvin Scholz <epirat07@gmail.com> | 2025-06-25 21:55:41 +0200 |
|---|---|---|
| committer | Marvin Scholz <epirat07@gmail.com> | 2025-07-07 01:52:47 +0200 |
| commit | 019ca5f01370942ca638f76c16cb4e35b37c7e80 (patch) | |
| tree | f773703e743454a23e5261367ae96568ec0ecec4 | |
| parent | fb38d8759b00cd597a678e91518499a05acf6901 (diff) | |
| download | ffmpeg-019ca5f01370942ca638f76c16cb4e35b37c7e80.tar.gz | |
avformat/tls_openssl: use SSL_CTX_set_min_proto_version
Using SSL_CTX_set_options to disallow specific versions is
discouraged by the documentation, which recommends to use
SSL_CTX_set_min_proto_version instead.
| -rw-r--r-- | libavformat/tls_openssl.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 3724de7283..a0fa3285d5 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -899,7 +899,11 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op ret = AVERROR(EIO); goto fail; } - SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + if (!SSL_CTX_set_min_proto_version(p->ctx, TLS1_VERSION)) { + av_log(h, AV_LOG_ERROR, "Failed to set minimum TLS version to TLSv1\n"); + ret = AVERROR_EXTERNAL; + goto fail; + } ret = openssl_init_ca_key_cert(h); if (ret < 0) goto fail; // Note, this doesn't check that the peer certificate actually matches |