lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0

As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification is now mandatory. Our default configuration does not do verification, so downgrade to 1.2 in these situations to avoid breaking it. ref: https://github.com/Mbed-TLS/mbedtls/issues/7075Signed-off-by: Anton Khirnov <anton@khirnov.net>

lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0
As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification is now mandatory. Our default configuration does not do verification, so downgrade to 1.2 in these situations to avoid breaking it. ref: https://github.com/Mbed-TLS/mbedtls/issues/7075Signed-off-by: Anton Khirnov <anton@khirnov.net>
c28e5b59 · sfan5 · Anton Khirnov · ab8f7030 · c28e5b59
Commit c28e5b59 authored May 17, 2024 by sfan5 Committed by Anton Khirnov Jun 18, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

tls_mbedtls.c libavformat/tls_mbedtls.c +8 -0

No files found.
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -269,6 +269,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
        goto fail;
    }

+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+    // mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
+    if (!shr->verify) {
+        av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
+        mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
+    }
+#endif
+
    // not VERIFY_REQUIRED because we manually check after handshake
    mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
                              shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);