From 080dc4cf5479d000b8ac66bbb93e72c70ec4dda8 Mon Sep 17 00:00:00 2001
From: Marvin Scholz <epirat07@gmail.com>
Date: Tue, 8 Jul 2025 20:05:47 +0200
Subject: [PATCH] avformat/tls_openssl: load default verify locations

When no explicit CAs file is set, load the default locations,
else there is no way for verification to succeed.

This matches the behavior of other TLS backends.
---
 libavformat/tls_openssl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 49f26860b1..0a7998210f 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -740,6 +740,12 @@ static av_cold int openssl_init_ca_key_cert(URLContext *h)
     if (c->ca_file) {
         if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
             av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", openssl_get_error(p));
+    } else {
+        if (!SSL_CTX_set_default_verify_paths(p->ctx)) {
+            // Only log the failure but do not error out, as this is not fatal
+            av_log(h, AV_LOG_WARNING, "Failure setting default verify locations: %s\n",
+                openssl_get_error(p));
+        }
     }
 
     if (c->cert_file) {