aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorMark Thompson <sw@jkqxz.net>2016-10-30 14:57:30 +0000
committerMark Thompson <sw@jkqxz.net>2016-10-31 19:34:42 +0000
commit218ed7250c103a975e874fb16e8e5941f4cbe223 (patch)
tree8a58e9729c0f7ce3f18ad0ef3f432e3a186c5f91 /libavformat
parentdad7514f9ec8a8c5e44d70fcfbbcedeff16f7e13 (diff)
downloadffmpeg-218ed7250c103a975e874fb16e8e5941f4cbe223.tar.gz
openssl: Allow newer TLS versions than TLSv1
The use of TLSv1_*_method() disallows newer protocol versions; instead use SSLv23_*_method() and then explicitly disable the deprecated protocol versions which should not be supported.
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/tls_openssl.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index aab885c8d3..0abccf00a9 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -221,12 +221,17 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
goto fail;
- p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method());
+ // We want to support all versions of TLS >= 1.0, but not the deprecated
+ // and insecure SSLv2 and SSLv3. Despite the name, SSLv23_*_method()
+ // enables support for all versions of SSL and TLS, and we then disable
+ // support for the old protocols immediately after creating the context.
+ p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());
if (!p->ctx) {
av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
ret = AVERROR(EIO);
goto fail;
}
+ SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
if (c->ca_file)
SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL);
if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) {