1. 23 Jan, 2014 1 commit
  2. 27 Sep, 2013 1 commit
  3. 26 Sep, 2013 2 commits
    • tls: Add support for listen mode · 705b748e
      Martin Storsjö authored
      Also add options for specifying a certificate and key, which can
      be used both when operating as client and as server.
      
      Partially based on a patch by Peter Ross.
      Signed-off-by: Martin Storsjö <martin@martin.st>
    • tls: Add options for verifying the peer certificate · 8b09d917
      Martin Storsjö authored
      A file containing the trusted CA certificates needs to be
      supplied via the ca_file AVOption, unless the TLS library
      has got a system default file/database set up.
      
      This doesn't check the hostname of the peer certificate with
      openssl, which requires a non-trivial piece of code for
      manually matching the desired hostname to the string provided
      by the certificate, not provided as a library function.
      
      That is, with openssl, this only validates that the received
      certificate is signed with the right CA, but not that it is
      the actual server we think we're talking to.
      
      Verification is still disabled by default since we can't count
      on a proper CA database existing at all times.
      Signed-off-by: Martin Storsjö <martin@martin.st>
  4. 22 Sep, 2013 1 commit
  5. 30 Aug, 2013 1 commit
  6. 27 Feb, 2013 1 commit
    • lavf: Handle the environment variable no_proxy more properly · de9cd1b1
      Martin Storsjö authored
      The handling of the environment variable no_proxy, present since
      one of the initial commits (de6d9b64), is inconsistent with
      how many other applications and libraries interpret this
      variable. Its bare presence does not indicate that the use of
      proxies should be skipped, but it is some sort of pattern for
      hosts that do not need to use a proxy (e.g. for a local network).
      
      As investigated by Rudolf Polzer, different libraries handle this
      in different ways, some supporting IP address masks, some supporting
      arbitrary globbing using *, some just checking that the pattern matches
      the end of the hostname without regard for whether it actually is
      the right domain or a domain that ends in the same string.
      
      This simple logic should be pretty similar to the logic used by
      lynx and curl.
      Signed-off-by: Martin Storsjö <martin@martin.st>
  7. 27 Jul, 2012 1 commit
  8. 22 Jul, 2012 4 commits
  9. 05 Jan, 2012 1 commit
  10. 28 Nov, 2011 1 commit
  11. 18 Nov, 2011 1 commit
  12. 17 Nov, 2011 1 commit
    • tls: Use TLSv1_client_method for OpenSSL · 92db95e9
      Martin Storsjö authored
      TLSv1 is compatible with SSLv3, so this doesn't change much
      in terms of compatibility. By explicitly using TLSv1, OpenSSL
      sends the server name indication (SNI) header, which we
      already set using SSL_set_tlsext_host_name (earlier, this
      didn't have any effect).
      
      SNI allows servers to serve SSL content for different host
      names with separate certificates on one single port (vhosts).
      Signed-off-by: Martin Storsjö <martin@martin.st>
  13. 13 Nov, 2011 3 commits
  14. 10 Nov, 2011 2 commits
  15. 08 Nov, 2011 1 commit
  16. 05 Nov, 2011 1 commit