mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-11-21 10:55:51 +02:00
openssl: Allow newer TLS versions than TLSv1
The use of TLSv1_*_method() disallows newer protocol versions; instead use SSLv23_*_method() and then explicitly disable the deprecated protocol versions which should not be supported. Fixes ticket #5915.
This commit is contained in:
parent
121be31060
commit
e8634fb92e
@ -233,12 +233,17 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
|
||||
if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
|
||||
goto fail;
|
||||
|
||||
p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method());
|
||||
// We want to support all versions of TLS >= 1.0, but not the deprecated
|
||||
// and insecure SSLv2 and SSLv3. Despite the name, SSLv23_*_method()
|
||||
// enables support for all versions of SSL and TLS, and we then disable
|
||||
// support for the old protocols immediately after creating the context.
|
||||
p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());
|
||||
if (!p->ctx) {
|
||||
av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
|
||||
ret = AVERROR(EIO);
|
||||
goto fail;
|
||||
}
|
||||
SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
|
||||
if (c->ca_file) {
|
||||
if (!SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL))
|
||||
av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
|
||||
|
Loading…
Reference in New Issue
Block a user