Commit 218ed725 authored by Mark Thompson's avatar Mark Thompson

openssl: Allow newer TLS versions than TLSv1

The use of TLSv1_*_method() disallows newer protocol versions; instead
use SSLv23_*_method() and then explicitly disable the deprecated
protocol versions which should not be supported.
parent dad7514f
...@@ -221,12 +221,17 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op ...@@ -221,12 +221,17 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0) if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
goto fail; goto fail;
p->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method()); // We want to support all versions of TLS >= 1.0, but not the deprecated
// and insecure SSLv2 and SSLv3. Despite the name, SSLv23_*_method()
// enables support for all versions of SSL and TLS, and we then disable
// support for the old protocols immediately after creating the context.
p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());
if (!p->ctx) { if (!p->ctx) {
av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL)); av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
ret = AVERROR(EIO); ret = AVERROR(EIO);
goto fail; goto fail;
} }
SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
if (c->ca_file) if (c->ca_file)
SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL); SSL_CTX_load_verify_locations(p->ctx, c->ca_file, NULL);
if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) { if (c->cert_file && !SSL_CTX_use_certificate_chain_file(p->ctx, c->cert_file)) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment