lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version

Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression. ref: c28e5b597ecc34188427347ad8d773bf9a0176cd Signed-off-by: sfan5 <sfan5@live.de> Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: sfan5 <sfan5@live.de> 2024-09-04 17:56:05 +0200
committer: Anton Khirnov <anton@khirnov.net> 2024-09-15 13:50:18 +0200
commit: e66f977494a2ff780f4d44d767e8e6cd74cdf14f (patch)
tree: 2e1eb119fa263bc145fb5744e64d771626990f68
parent: 5c66a3ab51807b0f471822ae261dd6b09030a439 (diff)
download: ffmpeg-e66f977494a2ff780f4d44d767e8e6cd74cdf14f.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 567b95b129..e802c6b872 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -270,8 +270,8 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
     }
 
 #ifdef MBEDTLS_SSL_PROTO_TLS1_3
-    // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
-    if (!shr->verify) {
+    // this version does not allow disabling certificate verification with TLSv1.3 (yes, really).
+    if (mbedtls_version_get_number() == 0x03060000 && !shr->verify) {
         av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
         mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
     }
author	sfan5 <sfan5@live.de>	2024-09-04 17:56:05 +0200
committer	Anton Khirnov <anton@khirnov.net>	2024-09-15 13:50:18 +0200
commit	e66f977494a2ff780f4d44d767e8e6cd74cdf14f (patch)
tree	2e1eb119fa263bc145fb5744e64d771626990f68
parent	5c66a3ab51807b0f471822ae261dd6b09030a439 (diff)
download	ffmpeg-e66f977494a2ff780f4d44d767e8e6cd74cdf14f.tar.gz