avformat/tls_openssl: load default verify locations

When no explicit CAs file is set, load the default locations, else there is no way for verification to succeed. This matches the behavior of other TLS backends.
author: Marvin Scholz <epirat07@gmail.com> 2025-07-08 20:05:47 +0200
committer: Marvin Scholz <epirat07@gmail.com> 2025-07-22 02:43:54 +0200
commit: 080dc4cf5479d000b8ac66bbb93e72c70ec4dda8 (patch)
tree: 409e2f3e0c09c3a119703ceb830fdacda95c8cd0 /libavformat/tls_openssl.c
parent: f4befeb7674978738ce3c7256545dfa49f3e40d7 (diff)
download: ffmpeg-080dc4cf5479d000b8ac66bbb93e72c70ec4dda8.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 49f26860b1..0a7998210f 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -740,6 +740,12 @@ static av_cold int openssl_init_ca_key_cert(URLContext *h)
     if (c->ca_file) {
         if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
             av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", openssl_get_error(p));
+    } else {
+        if (!SSL_CTX_set_default_verify_paths(p->ctx)) {
+            // Only log the failure but do not error out, as this is not fatal
+            av_log(h, AV_LOG_WARNING, "Failure setting default verify locations: %s\n",
+                openssl_get_error(p));
+        }
     }
 
     if (c->cert_file) {
author	Marvin Scholz <epirat07@gmail.com>	2025-07-08 20:05:47 +0200
committer	Marvin Scholz <epirat07@gmail.com>	2025-07-22 02:43:54 +0200
commit	080dc4cf5479d000b8ac66bbb93e72c70ec4dda8 (patch)
tree	409e2f3e0c09c3a119703ceb830fdacda95c8cd0 /libavformat/tls_openssl.c
parent	f4befeb7674978738ce3c7256545dfa49f3e40d7 (diff)
download	ffmpeg-080dc4cf5479d000b8ac66bbb93e72c70ec4dda8.tar.gz