lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0

As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification is now mandatory. Our default configuration does not do verification, so downgrade to 1.2 in these situations to avoid breaking it. ref: https://github.com/Mbed-TLS/mbedtls/issues/7075 Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: sfan5 <sfan5@live.de> 2024-05-17 10:06:42 +0200
committer: Anton Khirnov <anton@khirnov.net> 2024-06-18 07:23:44 +0200
commit: c28e5b597ecc34188427347ad8d773bf9a0176cd (patch)
tree: 32f30d1d974f9372d3e4db5b86acf51c0daf6be0
parent: ab8f7030bc46e5031d2ba438eddf0739098e3e5d (diff)
download: ffmpeg-c28e5b597ecc34188427347ad8d773bf9a0176cd.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 91e93fb862..567b95b129 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -269,6 +269,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
         goto fail;
     }
 
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+    // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
+    if (!shr->verify) {
+        av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
+        mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
+    }
+#endif
+
     // not VERIFY_REQUIRED because we manually check after handshake
     mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
                               shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
author	sfan5 <sfan5@live.de>	2024-05-17 10:06:42 +0200
committer	Anton Khirnov <anton@khirnov.net>	2024-06-18 07:23:44 +0200
commit	c28e5b597ecc34188427347ad8d773bf9a0176cd (patch)
tree	32f30d1d974f9372d3e4db5b86acf51c0daf6be0
parent	ab8f7030bc46e5031d2ba438eddf0739098e3e5d (diff)
download	ffmpeg-c28e5b597ecc34188427347ad8d773bf9a0176cd.tar.gz