diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-09-27 09:22:42 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-09-27 09:33:28 +0200 |
| commit | e6e71fd7b563329aba1d72c1238b824295ab20c1 (patch) | |
| tree | 9141774ad81be809f1329efd8c897590515c287d /doc/protocols.texi | |
| parent | f31011e9abfb2ae75bb32bc44e2c34194c8dc40a (diff) | |
| parent | 8b09d917e7dc7d7f2ace31419f802d4ff518236c (diff) | |
| download | ffmpeg-e6e71fd7b563329aba1d72c1238b824295ab20c1.tar.gz | |
Merge commit '8b09d917e7dc7d7f2ace31419f802d4ff518236c'
* commit '8b09d917e7dc7d7f2ace31419f802d4ff518236c':
tls: Add options for verifying the peer certificate
Conflicts:
doc/protocols.texi
libavformat/tls.c
libavformat/version.h
See: b2460858f64b2070d84dd861d4bbd16acfb9b0e9
See: 973a758f52a4e5fe63bd88806a4b2db034a032de
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'doc/protocols.texi')
| -rw-r--r-- | doc/protocols.texi | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/doc/protocols.texi b/doc/protocols.texi index d2bdf23bab..e53d6a47a5 100644 --- a/doc/protocols.texi +++ b/doc/protocols.texi @@ -853,30 +853,45 @@ ffplay tcp://@var{hostname}:@var{port} @section tls -Transport Layer Security/Secure Sockets Layer +Transport Layer Security (TLS) / Secure Sockets Layer (SSL) The required syntax for a TLS/SSL url is: @example tls://@var{hostname}:@var{port}[?@var{options}] @end example +The following parameters can be set via command line options +(or in code via @code{AVOption}s): + @table @option +@item ca_file, cafile=@var{filename} +A file containing certificate authority (CA) root certificates to treat +as trusted. If the linked TLS library contains a default this might not +need to be specified for verification to work, but not all libraries and +setups have defaults built in. +The file must be in OpenSSL PEM format. + +@item tls_verify=@var{1|0} +If enabled, try to verify the peer that we are communicating with. +Note, if using OpenSSL, this currently only makes sure that the +peer certificate is signed by one of the root certificates in the CA +database, but it does not validate that the certificate actually +matches the host name we are trying to connect to. (With GnuTLS, +the host name is validated as well.) + +This is disabled by default since it requires a CA database to be +provided by the caller in many cases. + @item listen Act as a server, listening for an incoming connection. -@item cafile=@var{filename} -Certificate authority file. The file must be in OpenSSL PEM format. - @item cert=@var{filename} Certificate file. The file must be in OpenSSL PEM format. @item key=@var{filename} Private key file. -@item verify=@var{0|1} -Verify the peer's certificate. - @end table Example command lines: |