lavf/tls_mbedtls: fix handling of certification validation failures

We manually check the verification status after the handshake has completed using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED mbedtls_ssl_handshake() already returns an error, so this code is never reached. Fix that by using VERIFY_OPTIONAL, which performs the verification but does not abort the handshake. Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: sfan5 <sfan5@live.de> 2024-05-13 20:27:17 +0200
committer: Anton Khirnov <anton@khirnov.net> 2024-06-11 16:58:22 +0200
commit: 1b1e9cadc5c4a4ea3a11d30f17ac7ac9f4018d8f (patch)
tree: d6b276f2c6aeade72cfa2cae5095235ea50cc56a
parent: 827578ca761e326fa4df7b6ed0b87421b5775fbd (diff)
download: ffmpeg-1b1e9cadc5c4a4ea3a11d30f17ac7ac9f4018d8f.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index ba94ab3a70..f65f2f4020 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -269,8 +269,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
         goto fail;
     }
 
+    // not VERIFY_REQUIRED because we manually check after handshake
     mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
-                              shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
+                              shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
     mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
     mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL);
author	sfan5 <sfan5@live.de>	2024-05-13 20:27:17 +0200
committer	Anton Khirnov <anton@khirnov.net>	2024-06-11 16:58:22 +0200
commit	1b1e9cadc5c4a4ea3a11d30f17ac7ac9f4018d8f (patch)
tree	d6b276f2c6aeade72cfa2cae5095235ea50cc56a
parent	827578ca761e326fa4df7b6ed0b87421b5775fbd (diff)
download	ffmpeg-1b1e9cadc5c4a4ea3a11d30f17ac7ac9f4018d8f.tar.gz